
New EvilTokens service fuels Microsoft device code phishing attacks

Why This Matters

The emergence of EvilTokens, a malicious kit that leverages device code phishing to hijack Microsoft accounts, poses a significant threat to businesses and consumers by enabling sophisticated account compromises and email attacks. Its continuous development and potential expansion to other platforms like Gmail and Okta highlight the evolving landscape of targeted phishing threats, emphasizing the need for heightened awareness and security measures.

Key Takeaways

A new malicious kit called EvilTokens integrates device code phishing capabilities, allowing attackers to hijack Microsoft accounts and provide advanced features for business email compromise attacks.

The kit is sold to cybercriminals over Telegram and is under continuous development, with its author stating that they plan to extend support to Gmail and Okta phishing pages.

Device code phishing attacks abuse the OAuth 2.0 device authorization grant (RFC 8628), a flow designed for input-constrained devices such as TVs and CLI tools. The attacker, not the victim, starts the flow: they request a device code and a short user code from the identity provider, then trick the victim into entering that user code at the provider's legitimate device login page and signing in. Because the victim authenticates on the real site, including any MFA prompt, the identity provider issues access and refresh tokens to the attacker's client without the attacker ever handling a password.

The technique is well-documented and has been used by various threat actors, including Russian groups tracked as Storm-237, UTA032, UTA0355, UNK_AcademicFlare, and TA2723 [1, 2, 3], and the ShinyHunters data extortion group.
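The exchange described above, as an added example that is not part of the original article and is not code from Sekoia or from the EvilTokens kit. It simulates an RFC 8628 authorization server in memory and runs the attacker-side sequence against it: the attacker requests a device code, polls the token endpoint, the victim approves the user code at the legitimate verification page, and the attacker's next poll receives the victim's tokens. The verification URI, client id, user-code format, 900-second lifetime and token strings are illustrative assumptions; the `allow_device_flow` switch stands in for a tenant policy that blocks the grant, and the injectable clock lets you exercise code expiry.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) and the way
device code phishing abuses it.  Added example; not code from the article, from
Sekoia or from EvilTokens.  The server is an in-memory stand-in for an identity
provider: endpoint semantics follow RFC 8628, but the verification URI, client
id, user-code format, 900-second lifetime and token strings are assumptions."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# RFC 8628 section 6.1 suggests this 20-letter alphabet (no vowels, no ambiguous glyphs).
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class DeviceGrant:
    device_code: str       # secret, returned only to the client that started the flow
    user_code: str         # short code the user types at the verification URI
    client_id: str
    scope: str
    issued_at: float
    expires_in: int = 900  # assumption; real providers pick their own lifetime
    interval: int = 5      # minimum polling interval in seconds
    approved_by: Optional[str] = None
    consumed: bool = False


class AuthorizationServer:
    """Minimal RFC 8628 authorization server (stand-in, not a real IdP)."""

    VERIFICATION_URI = "https://idp.example/devicelogin"  # placeholder

    def __init__(self, allow_device_flow: bool = True,
                 clock: Callable[[], float] = time.time):
        self.allow_device_flow = allow_device_flow  # models a tenant policy
        self.clock = clock
        self._by_device: dict = {}
        self._by_user_code: dict = {}

    def _expired(self, g: DeviceGrant) -> bool:
        return self.clock() - g.issued_at > g.expires_in

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Device authorization endpoint (RFC 8628 sections 3.1-3.2)."""
        if not self.allow_device_flow:
            return {"error": "unauthorized_client"}
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET)
                                     for _ in range(4)) for _ in range(2))
        g = DeviceGrant(secrets.token_urlsafe(32), user_code, client_id, scope,
                        issued_at=self.clock())
        self._by_device[g.device_code] = g
        self._by_user_code[g.user_code] = g
        return {"device_code": g.device_code, "user_code": g.user_code,
                "verification_uri": self.VERIFICATION_URI,
                "expires_in": g.expires_in, "interval": g.interval}

    def user_approves(self, user_code: str, authenticated_user: str) -> bool:
        """The verification page (section 3.3): the user signs in fully (password,
        MFA) and types the code; nothing shows whose client is being approved."""
        g = self._by_user_code.get(user_code.strip().upper())
        if g is None or self._expired(g) or g.approved_by is not None:
            return False
        g.approved_by = authenticated_user
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """Token endpoint, grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        g = self._by_device.get(device_code)
        if g is None or g.client_id != client_id or g.consumed:
            return {"error": "invalid_grant"}
        if self._expired(g):
            return {"error": "expired_token"}
        if g.approved_by is None:
            return {"error": "authorization_pending"}
        g.consumed = True
        return {"token_type": "Bearer", "scope": g.scope,
                "access_token": f"at-{g.approved_by}-{secrets.token_hex(8)}",
                "refresh_token": f"rt-{g.approved_by}-{secrets.token_hex(8)}"}


ATTACKER_CLIENT_ID = "public-client-id"  # placeholder for a registered public client


def run_device_code_phish(server: AuthorizationServer, victim: str,
                          victim_enters_code: bool = True) -> dict:
    """Attacker-side sequence: the attacker starts the flow, the victim only ever
    sees the user_code (on a lure page) and the provider's genuine login page."""
    start = server.device_authorization(ATTACKER_CLIENT_ID, "mail.read offline_access")
    if "error" in start:
        return {"outcome": "blocked", "error": start["error"]}
    first = server.token(ATTACKER_CLIENT_ID, start["device_code"])
    if first.get("error") != "authorization_pending":
        return {"outcome": "unexpected", "response": first}
    if victim_enters_code:
        # The lure displays start["user_code"] and sends the victim to the real URI.
        server.user_approves(start["user_code"], victim)
    tokens = server.token(ATTACKER_CLIENT_ID, start["device_code"])
    if "error" in tokens:
        return {"outcome": "pending", "user_code": start["user_code"],
                "error": tokens["error"]}
    return {"outcome": "compromised", "user_code": start["user_code"],
            "tokens": tokens}


if __name__ == "__main__":
    print(run_device_code_phish(AuthorizationServer(), "alice@victim.example"))
    print(run_device_code_phish(AuthorizationServer(allow_device_flow=False),
                                "alice@victim.example"))
```

The point the simulation makes is that every step the victim performs is legitimate from the identity provider's perspective, so the only places a defender can intervene are before the flow (disallowing the device code grant for users or clients that never need it, as the `allow_device_flow=False` run shows) and after it (watching for device code grants followed by sign-ins from unexpected clients or locations, and revoking the resulting refresh tokens).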

EvilTokens attacks

Researchers at threat detection and response company Sekoia observed EvilTokens attacks where the victims received emails with documents (PDF, HTML, DOCX, XLSX, or SVG) that contained either a QR code or a hyperlink to an EvilTokens phishing template.

These lures impersonate legitimate business content such as financial documents, meeting invitations, logistics or purchase orders, payroll notices, or shared documents via services like DocuSign or SharePoint, and are often tailored to employees in finance, HR, logistics, or sales roles.

Various phishing templates in EvilTokens

Source: Sekoia

When the victim opens the link or scans the QR code, they are presented with a phishing page that impersonates a trusted service (e.g., Adobe Acrobat or DocuSign) and displays a verification code along with instructions to complete identity verification.
