Widespread OAuth Device Code Phishing Campaign Targets Microsoft 365 via EvilTokens PhaaS
Summary
A rapidly escalating device code phishing campaign continues to target Microsoft 365 accounts across at least 340 organizations in multiple countries since mid-February 2026, with attacks surging 37.5 times in early 2026 compared to baseline levels at the start of March. The campaign abuses legitimate OAuth device authorization flows to harvest credentials and establish persistent access tokens, primarily via the EvilTokens PhaaS platform and at least 10 other competing phishing kits (e.g., VENOM, DOCUPOLL, SHAREFILE). These attacks now incorporate advanced features such as anti-bot evasion techniques, multi-hop redirect chains leveraging legitimate vendor services, and SaaS-themed lures impersonating business content (e.g., DocuSign, SharePoint, Adobe Acrobat). The EvilTokens platform, sold over Telegram, has democratized device code phishing, enabling low-skilled cybercriminals to execute attacks that grant persistent access to victim accounts, including email, files, Teams data, and SSO impersonation capabilities. The campaign’s global reach extends to at least 10 countries, with sectors including construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government being targeted. Mitigation efforts focus on disabling the device code flow via conditional access policies and monitoring for anomalous authentication events.
Timeline
- 25.03.2026 13:34 · 3 articles
Device Code Phishing Campaign Leveraging EvilTokens PhaaS Hits 340+ Microsoft 365 Organizations
The scope and scale of device code phishing attacks have surged dramatically in early 2026, with a 37.5x increase in attacks detected compared to baseline levels at the start of March 2026. EvilTokens is identified as the most prominent phishing kit driving the mainstream adoption of this technique, enabling low-skilled cybercriminals to execute attacks that abuse Microsoft’s OAuth device authorization flow. At least 10 additional phishing kits (e.g., VENOM, DOCUPOLL, SHAREFILE, CLURE, LINKID, AUTHOV, FLOW_TOKEN, PAPRIKA, DCSTATUS) now offer device code phishing capabilities, each incorporating realistic SaaS-themed lures, anti-bot protections, and cloud-hosted infrastructure to evade detection. Push Security reports that the EvilTokens platform, alongside these competing kits, has led to a rapid commoditization of device code phishing, with evidence of multi-vector campaigns using QR codes, hyperlinks, and embedded phishing templates. The article highlights the need for organizations to implement conditional access policies to disable the device code flow and monitor for anomalous authentication events, unusual IP addresses, and sessions to mitigate ongoing risks.
Sources:
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
Information Snippets
- The campaign abuses Microsoft’s OAuth device authorization flow to generate persistent access tokens that remain valid even after password resets.
  First reported: 25.03.2026 13:34 (2 sources, 2 articles). Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Threat actors use Cloudflare Workers and Railway PaaS infrastructure (IPs: 162.220.234[.]41, 162.220.234[.]66, 162.220.232[.]57, 162.220.232[.]99, 162.220.232[.]235) to host phishing landing pages and harvest credentials.
  First reported: 25.03.2026 13:34 (1 source, 1 article). Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- Attackers employ a multi-hop redirect chain leveraging legitimate vendor redirect services (Cisco, Trend Micro, Mimecast) to bypass email security controls.
  First reported: 25.03.2026 13:34 (1 source, 1 article). Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- The EvilTokens phishing-as-a-service platform was launched on Telegram in early 2026 and provides automated phishing email delivery, bypass tools, and 24/7 support.
  First reported: 25.03.2026 13:34 (2 sources, 3 articles). Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Unit 42 observed anti-bot evasion techniques including disabled right-click, blocked developer tools access, and infinite debugger loops on phishing pages.
  First reported: 25.03.2026 13:34 (2 sources, 2 articles). Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Prior device code phishing activity was attributed to Russia-aligned groups including Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare.
  First reported: 25.03.2026 13:34 (2 sources, 2 articles). Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- EvilTokens provides device code phishing capabilities integrated into a malicious kit sold over Telegram, enabling account hijacking for Microsoft accounts.
  First reported: 01.04.2026 22:42 (1 source, 1 article). Sources:
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- EvilTokens is under active development with planned future support for Gmail and Okta phishing pages.
  First reported: 01.04.2026 22:42 (1 source, 2 articles). Sources:
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Sekoia observed EvilTokens attacks where victims received emails containing QR codes or hyperlinks to EvilTokens phishing templates, with lures impersonating business content such as financial documents, meeting invitations, or DocuSign/SharePoint shared documents.
  First reported: 01.04.2026 22:42 (1 source, 2 articles). Sources:
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- EvilTokens phishing pages impersonate trusted services like Adobe Acrobat or DocuSign, display a verification code, and prompt victims to click a 'Continue to Microsoft' button to reach the legitimate Microsoft device login page.
  First reported: 01.04.2026 22:42 (1 source, 1 article). Sources:
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- EvilTokens enables attackers to obtain both short-lived and refresh tokens for persistent access to victim accounts, granting immediate access to email, files, Teams data, and SSO impersonation capabilities across Microsoft services.
  First reported: 01.04.2026 22:42 (1 source, 2 articles). Sources:
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Sekoia identified EvilTokens campaigns with global reach, affecting countries including the United States, Canada, France, Australia, India, Switzerland, and the UAE, with advanced features supporting business email compromise (BEC) activities.
  First reported: 01.04.2026 22:42 (1 source, 2 articles). Sources:
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Device code phishing attacks leveraging OAuth 2.0 Device Authorization Grant flows have surged 37.5 times in early 2026 compared to baseline levels at the start of March 2026.
  First reported: 04.04.2026 17:17 (1 source, 1 article). Sources:
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- EvilTokens is identified as the most prominent phishing kit driving the mainstream adoption of device code phishing, enabling low-skilled cybercriminals to execute attacks.
  First reported: 04.04.2026 17:17 (1 source, 1 article). Sources:
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- At least 11 distinct phishing kits, including VENOM, SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, and DCSTATUS, now offer device code phishing capabilities with realistic SaaS-themed lures and anti-bot protections.
  First reported: 04.04.2026 17:17 (1 source, 1 article). Sources:
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Push Security observed a 15x increase in device code phishing pages detected at the start of March 2026, escalating to 37.5x by early April 2026.
  First reported: 04.04.2026 17:17 (1 source, 1 article). Sources:
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Sekoia’s research on EvilTokens is highlighted as a prominent example of a phishing kit that democratizes device code phishing, making it accessible to a broader range of threat actors.
  First reported: 04.04.2026 17:17 (1 source, 1 article). Sources:
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Push Security recommends disabling the device code flow via conditional access policies and monitoring logs for unexpected device code authentication events, unusual IP addresses, and sessions to mitigate attacks.
  First reported: 04.04.2026 17:17 (1 source, 1 article). Sources:
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
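Turning the monitoring recommendation above into a concrete check, as an added example that is not from the page or from Push Security: it triages Entra ID sign-in records for device code authentications and treats one untrusted IP completing sign-ins for several users as the strongest signal, which is the footprint a kit-driven campaign leaves. The record field names follow Microsoft Graph's `signIn` object; the sample records and the trusted range are constructed.

```python
"""Triage Microsoft Entra ID sign-in records for device code flow usage.

Records are shaped like Microsoft Graph `signIn` objects (real field names:
authenticationProtocol, ipAddress, userPrincipalName, appDisplayName,
createdDateTime, status.errorCode); the sample data below is constructed.
"""
import ipaddress
import json

# Constructed sample sign-in records (not real log data). RFC 5737
# documentation addresses stand in for corporate and unknown source IPs.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2026-03-25T13:01:00Z", "userPrincipalName": "alice@example.com",
  "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office",
  "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-03-25T13:05:00Z", "userPrincipalName": "bob@example.com",
  "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Authentication Broker",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-03-25T13:09:00Z", "userPrincipalName": "carol@example.com",
  "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Authentication Broker",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-03-25T13:20:00Z", "userPrincipalName": "dave@example.com",
  "ipAddress": "203.0.113.22", "appDisplayName": "Azure CLI",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
]""")

# Constructed allow-list: ranges where device code sign-ins are expected
# (for example an admin jump host). Replace with your tenant's approved ranges.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

SEVERITY_ORDER = {"critical": 0, "high": 1, "low": 2}


def in_trusted_range(ip, ranges=TRUSTED_RANGES):
    """True when `ip` parses and falls inside one of the allow-listed ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def triage_device_code_signins(records, ranges=TRUSTED_RANGES):
    """Return findings for successful device code sign-ins, highest risk first.

    'low'      : source IP is allow-listed (expected admin/CLI usage)
    'high'     : source IP is outside the allow-list
    'critical' : the same untrusted IP completed device code sign-ins for
                 several users, the footprint a kit-driven campaign leaves
    """
    device_code = [r for r in records
                   if r.get("authenticationProtocol") == "deviceCode"
                   and r.get("status", {}).get("errorCode") == 0]
    users_per_ip = {}
    for r in device_code:
        users_per_ip.setdefault(r["ipAddress"], set()).add(r["userPrincipalName"])
    findings = []
    for r in device_code:
        ip = r["ipAddress"]
        if in_trusted_range(ip, ranges):
            severity, reason = "low", "device code sign-in from allow-listed range"
        elif len(users_per_ip[ip]) > 1:
            severity, reason = "critical", "untrusted IP completed device code sign-ins for multiple users"
        else:
            severity, reason = "high", "device code sign-in from untrusted IP"
        findings.append({"user": r["userPrincipalName"], "ip": ip,
                         "app": r["appDisplayName"], "time": r["createdDateTime"],
                         "severity": severity, "reason": reason})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["time"]))


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['time']} {f['user']} from {f['ip']} via {f['app']}: {f['reason']}")
```

Where the device code flow is blocked tenant-wide by Conditional Access, any successful `deviceCode` record is itself the alert; the allow-list variant matters only when approved users or IP ranges are exempted.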
Similar Happenings
Credential Theft and Account Compromise Surge in 2025
In 2025, cyber threat actors significantly increased their focus on credential theft, leading to a 389% rise in account compromise incidents, which constituted 55% of all attacks observed by eSentire. Credential access represented 75% of malicious activity, with two-thirds aimed at account takeovers and the remaining third used for phishing campaigns. Microsoft 365 accounts were primary targets. The use of phishing-as-a-service (PhaaS) kits, such as Tycoon2FA, FlowerStorm, and EvilProxy, fueled business email compromise (BEC) attacks. These kits are sophisticated, continuously updated, and designed to bypass modern security controls like multifactor authentication (MFA). While BEC attacks declined to less than 10% of malicious activity, they remained a top threat for companies, particularly in real estate, finance, retail, and construction. The report also highlighted a 14-fold increase in security incidents involving email bombing and IT Help Desk impersonation, a 300% spike in the ClickFix lure, and varying trends in cyber incidents across different industries.
OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts
A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe.
Microsoft recently warned of phishing campaigns using OAuth URL redirection mechanisms to bypass conventional phishing defenses. These campaigns target government and public-sector organizations, redirecting victims to attacker-controlled infrastructure without stealing their tokens. Attackers abuse OAuth's standard behavior by crafting URLs with manipulated parameters or associated malicious applications to redirect users to malicious destinations. The attack starts with a malicious application created by the threat actor, configured with a redirect URL pointing to a rogue domain hosting malware. The malicious payloads are distributed as ZIP archives, leading to PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity.
The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish.
To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges.
Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.
Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers to take users to malicious pages. The attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application. The malicious OAuth applications are registered with an identity provider, such as Microsoft Entra ID, and leverage the OAuth 2.0 protocol to obtain delegated or application-level access to user data and resources. The attackers create malicious OAuth applications in a tenant they control and configure them with a redirect URI pointing to their infrastructure. The researchers say that even if the URLs for Entra ID look like legitimate authorization requests, the endpoint is invoked with parameters for silent authentication without an interactive login and an invalid scope that triggers authentication errors. This forces the identity provider to redirect users to the redirect URI configured by the attacker. In some cases, the victims are redirected to phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which can intercept valid session cookies to bypass multi-factor authentication (MFA) protections. Microsoft found that the 'state' parameter was misused to auto-fill the victim’s email address in the credentials box on the phishing page, increasing the perceived sense of legitimacy. In other instances, the victims are redirected to a 'download' path that automatically delivers a ZIP file with malicious shortcut (.LNK) files and HTML smuggling tools. Opening the .LNK launches PowerShell, which performs reconnaissance on the compromised host and extracts the components required for the next step, DLL side-loading. A malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) loads a decoy to distract the victim. Microsoft suggests that organizations should tighten permissions for OAuth applications, enforce strong identity protections and Conditional Access policies, and use cross-domain detection across email, identity, and endpoints.
New CoPhish technique exploits Microsoft Copilot for OAuth phishing
A new phishing technique called 'CoPhish' leverages Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests. The technique exploits the legitimate and trusted Microsoft domains to trick users into granting permissions to malicious applications. The CoPhish technique was developed by researchers at Datadog Security Labs, who highlighted the risks associated with the flexibility of Copilot Studio. Microsoft has acknowledged the issue and plans to address it in a future update. The attack targets users, including administrators, by embedding malicious applications within Copilot Studio agents. Once activated, these agents can be distributed via email or messaging platforms, making it difficult for users to distinguish between legitimate and malicious requests. Users can protect against CoPhish attacks by limiting administrative privileges, reducing application permissions, enforcing governance policies, implementing a strong application consent policy, disabling user application creation defaults, and closely monitoring application consent via Entra ID and Copilot Studio agent creation events.
OAuth and API Token Theft Driving SaaS Breaches
Token theft is a leading cause of software-as-a-service (SaaS) breaches. OAuth and API tokens are often overlooked, allowing attackers to bypass multi-factor authentication (MFA) and other security measures. SaaS sprawl and the difficulty of monitoring third-party integrations exacerbate the issue. Recent breaches at Slack, CircleCI, Cloudflare, and Salesloft/Drift highlight the risks associated with token theft. These incidents underscore the need for better token hygiene and visibility into SaaS integrations. Security teams must address the blind spots created by SaaS sprawl and hidden token trust relationships to prevent future attacks.
Axios and Direct Send Abuse in Microsoft 365 Phishing Campaigns
Threat actors are exploiting HTTP client tools like Axios and Microsoft's Direct Send feature to create highly efficient phishing campaigns targeting Microsoft 365 environments. These attacks, which began in July 2025, initially targeted executives and managers in finance, healthcare, and manufacturing sectors, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into revealing credentials and bypassing multi-factor authentication (MFA). The abuse of Axios has surged, accounting for 24.44% of all flagged user agent activity from June to August 2025. The attacks leverage Axios to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real-time. This method allows attackers to bypass traditional security defenses and conduct phishing operations at an unprecedented scale.
Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA has been discovered, which steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty 2FA uses advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its phishing campaigns. It also abuses legitimate platforms to stage initial attacks and uses Cloudflare Turnstile for secure CAPTCHA replacement. Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting.
The Sneaky 2FA phishing kit has incorporated Browser-in-the-Browser (BitB) functionality to mimic browser address bars and pop-up login forms. This kit uses Cloudflare Turnstile checks to prevent security tools from accessing phishing pages and employs conditional loading techniques to ensure only intended targets can access them. The phishing domains are quickly rotated to minimize detection, and the kit uses obfuscation and disables browser developer tools to resist analysis. Sneaky2FA is a widely used PhaaS platform alongside Tycoon2FA and Mamba2FA, all targeting primarily Microsoft 365 accounts. The kit uses SVG-based attacks and attacker-in-the-middle (AitM) tactics, where the authentication process is proxied to the legitimate service through a phishing page that relays valid session tokens to the attackers. Sneaky2FA has added a BitB pop-up that mimics a legitimate Microsoft login window, adjusting dynamically to the victim’s OS and browser. An attacker stealing credentials and active session tokens can authenticate to the victim’s account, even when the two-factor authentication (2FA) protection is active.