Greg Ekborg

Marketing Director, systech

Urgent Security Advisory: EvilTokens Microsoft 365 Phishing Attack Is Bypassing MFA

There is an active phishing campaign targeting Microsoft 365 environments that fundamentally breaks the rules your users have been taught to follow.

A new EvilTokens Microsoft 365 phishing attack is actively targeting organizations using a method that sidesteps traditional awareness training and renders common defenses ineffective. This is not a variation of what you’ve seen before. It changes the entry point, the trust model, and the response required.

Attackers no longer need to trick users with fake login pages. Instead, they rely on legitimate Microsoft infrastructure and user behavior to gain access. As a result, even well-trained users are approving access without realizing what they’ve authorized.

What Is the EvilTokens Microsoft 365 Phishing Attack?

The EvilTokens attack uses Microsoft’s device code authentication flow (the OAuth 2.0 device authorization grant), a legitimate process designed for signing in on devices that lack a full browser or keyboard, such as conference room systems, printers, and smart displays. The device shows a short code, the user types that code into a normal browser on another machine, and Microsoft hands the tokens to the device that requested the code.

However, attackers now weaponize that same process.

Instead of stealing credentials, they convince users to authorize the attacker’s session directly. The login page is real. The domain is real. The MFA prompt is real. Nothing appears suspicious.

That is precisely why this works.

How Device Code Phishing Bypasses MFA

Traditional phishing depends on deception. This attack depends on trust.

Here’s the shift:

  • The user receives a convincing email (invoice, DocuSign, voicemail, or file share)
  • They are instructed to verify access using a provided code
  • They land on the legitimate Microsoft device login page
  • They enter the code and complete MFA
  • Microsoft issues authentication tokens to the attacker’s session

At no point does the attacker intercept credentials or sit in the middle of the connection. The user completes the authentication process on the attacker’s behalf: the code they type belongs to a session the attacker started.

Consequently, MFA does not stop the attack. The victim satisfies the MFA challenge, and the tokens that result are delivered to the attacker.
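To make the trust model concrete, here is an added re-enactment of the exchange as a runnable toy. It is not part of the advisory or of any Microsoft code: the two endpoint URLs, the form parameters and the `authorization_pending` error are the real ones used by Entra ID, while `ToyEntra`, the placeholder `CLIENT_ID`, the scope string and the victim account are constructed stand-ins so the script runs offline.

```python
"""Toy re-enactment of device-code phishing (OAuth 2.0 device authorization grant).
Added example, not code from the advisory or from Microsoft. Endpoint URLs, parameter
names and the error string are real; the server and identities are constructed."""
import secrets
import string

DEVICECODE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app id
SCOPE = "openid profile offline_access https://graph.microsoft.com/Mail.Read"  # assumed


class ToyEntra:
    """In-memory stand-in for the /devicecode and /token endpoints (constructed)."""

    def __init__(self):
        self.pending = {}  # device_code -> request record

    def devicecode(self, form):
        """POST DEVICECODE_URL with client_id and scope. No user is involved yet."""
        device_code = secrets.token_urlsafe(32)  # secret; only the caller (attacker) sees it
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9))
        self.pending[device_code] = {"client_id": form["client_id"], "scope": form["scope"],
                                     "user_code": user_code, "approved_by": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": 900, "interval": 5}

    def devicelogin(self, user_code, user, mfa_ok):
        """The genuine browser page: the victim types the code and passes MFA.
        Nothing on that page tells the user whose session they are approving."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and mfa_ok:
                rec["approved_by"] = user
                return True
        return False

    def token(self, form):
        """POST TOKEN_URL; the attacker polls this every `interval` seconds."""
        rec = self.pending.get(form.get("device_code"))
        if (form.get("grant_type") != DEVICE_CODE_GRANT or rec is None
                or rec["client_id"] != form.get("client_id")):
            return {"error": "invalid_grant"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[form["device_code"]]
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": "eyJ." + secrets.token_urlsafe(16),  # fake JWT body
                "refresh_token": secrets.token_urlsafe(24),
                "issued_for": rec["approved_by"]}  # demo-only field: whose tokens these are


def run_phish(victim="jdoe@example.com"):
    """Replay the sequence from the advisory; return (poll_before_approval, final_tokens)."""
    entra = ToyEntra()
    # 1. Attacker starts the flow. The victim's browser never sees device_code.
    start = entra.devicecode({"client_id": CLIENT_ID, "scope": SCOPE})
    poll = {"client_id": CLIENT_ID, "grant_type": DEVICE_CODE_GRANT,
            "device_code": start["device_code"]}
    # 2. Polling before the victim acts is not an error, just "pending".
    before = entra.token(poll)
    # 3. The lure carries user_code; the victim enters it on the real page and passes MFA.
    approved = entra.devicelogin(start["user_code"], victim, mfa_ok=True)
    # 4. Next poll succeeds: tokens minted for the victim, delivered to the attacker's session.
    after = entra.token(poll) if approved else {"error": "not_approved"}
    return before, after


if __name__ == "__main__":
    pending, tokens = run_phish()
    print(pending)                       # {'error': 'authorization_pending'}
    print(tokens["issued_for"], "->", tokens["refresh_token"][:8] + "...")
```

The point the script makes is that the refresh token is bound to the `device_code`, which the attacker generated and never shares; the `user_code` the victim receives is only a pointer to that pending request. MFA is checked on the victim's side of the exchange and has no bearing on which party holds the resulting token.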

How Attackers Steal OAuth and Refresh Tokens

Once the user completes authentication, Microsoft issues to the attacker’s session:

  • An OAuth access token, valid for roughly an hour
  • A refresh token that by default remains valid for 90 days of inactivity; each use issues a fresh one and resets that window, so a token that is exercised regularly never expires on its own

From there, the attacker gains immediate access to:

  • Email (read, send, delete)
  • OneDrive and SharePoint data
  • Microsoft Teams conversations
  • Other Microsoft 365 resources the same client is permitted to reach, because the refresh token can be exchanged for new access tokens without any further interaction from the user

Moreover, the attacker can escalate further. If the tenant allows users to register devices, they can register a new device in Entra ID, obtain a Primary Refresh Token (PRT), and maintain silent, persistent access without triggering additional login prompts.

At that point, visibility drops and containment becomes harder.

Why This Attack Is More Dangerous Than Traditional Phishing

This attack removes the signals users rely on.

There is no spoofed domain.
There is no broken certificate.
There is no visual deception.

Instead, the attack succeeds because it aligns perfectly with what users expect to see.

According to the EvilTokens briefing, even trained users fail to identify this scenario because the entire interaction occurs within legitimate Microsoft infrastructure.

Therefore, awareness alone no longer closes the gap.

What to Watch for Inside Your Organization

You need to shift from visual detection to behavioral detection.

Pay attention when users report:

  • Being asked to “verify” a document, invoice, or voicemail
  • Entering a code on a Microsoft login page
  • Completing MFA for something they did not initiate

Additionally, review Entra ID for:

  • Sign-ins whose authentication protocol is device code, especially from IP addresses, countries, or applications the user does not normally use
  • Unexpected application consents under Enterprise applications, or sign-ins from unfamiliar client apps
  • New device registrations that do not match a known enrollment
  • Suspicious activity across email, OneDrive, or Teams, including new inbox rules that forward or delete mail

If a user describes entering a code from an email and signing into Microsoft, treat it as a confirmed compromise immediately.
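The log review above can be scripted. The following is an added example, not tooling from systech or Microsoft: it walks an export of Entra ID sign-in logs in the shape returned by the Microsoft Graph `signIns` resource (`GET /auditLogs/signIns`), pulls out device-code sign-ins via the `authenticationProtocol` field, and flags users whose successful device-code sign-in came from a country not seen in their other sign-ins. The three log records are constructed for the demo; error code 53003 (blocked by Conditional Access) is a real Entra code and shows what a blocked attempt looks like.

```python
"""Hunt for device-code sign-ins in an Entra ID sign-in log export.
Added example, not part of the advisory. Records follow the Graph `signIns` shape;
the sample entries below are constructed."""
import json
from collections import defaultdict

SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2024-03-05T14:21:07Z", "userPrincipalName": "jdoe@example.com",
  "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.45",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
  "conditionalAccessStatus": "notApplied", "location": {"countryOrRegion": "NL"}},
 {"createdDateTime": "2024-03-05T08:02:11Z", "userPrincipalName": "jdoe@example.com",
  "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7",
  "authenticationProtocol": "oAuth2", "status": {"errorCode": 0},
  "conditionalAccessStatus": "success", "location": {"countryOrRegion": "US"}},
 {"createdDateTime": "2024-03-04T16:40:00Z", "userPrincipalName": "av@example.com",
  "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.9",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 53003},
  "conditionalAccessStatus": "failure", "location": {"countryOrRegion": "US"}}
]""")


def _succeeded(record):
    """Graph reports a successful sign-in as status.errorCode == 0."""
    return record.get("status", {}).get("errorCode") == 0


def device_code_signins(records, successful_only=False):
    """Every sign-in that used the device code flow (optionally only the ones that succeeded)."""
    hits = [r for r in records if r.get("authenticationProtocol") == "deviceCode"]
    if successful_only:
        hits = [r for r in hits if _succeeded(r)]
    return hits


def triage(records):
    """Per-user list of successful device-code sign-ins: (time, ip, country, app)."""
    out = defaultdict(list)
    for r in device_code_signins(records, successful_only=True):
        out[r["userPrincipalName"]].append(
            (r["createdDateTime"], r["ipAddress"],
             r["location"]["countryOrRegion"], r["appDisplayName"]))
    return dict(out)


def unusual_geo(records):
    """Users whose successful device-code sign-in came from a country absent from
    all of their other successful sign-ins in the same export. A device-code sign-in
    from a new country is the attacker polling from their own infrastructure."""
    baseline = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and _succeeded(r):
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    flagged = {}
    for r in device_code_signins(records, successful_only=True):
        country = r["location"]["countryOrRegion"]
        if country not in baseline[r["userPrincipalName"]]:
            flagged.setdefault(r["userPrincipalName"], set()).add(country)
    return flagged


if __name__ == "__main__":
    for upn, events in triage(SAMPLE_SIGNINS).items():
        print(upn, events)
    print("new-country device-code sign-ins:", unusual_geo(SAMPLE_SIGNINS))
```

In the Entra portal the same filter is the "Authentication protocol" column of the sign-in logs; if the logs are streamed to Log Analytics or Sentinel, the equivalent is `SigninLogs | where AuthenticationProtocol == "deviceCode"`. Note that the blocked attempt for `av@example.com` is still worth a phone call: the user was lured and typed a code, even though Conditional Access stopped the token issuance.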

Immediate Response: What to Do Right Now

Speed determines outcome in this scenario.

Take these actions without delay:

  1. Revoke all refresh tokens immediately
  2. Force password reset and terminate active sessions
  3. Review Entra sign-in logs filtered on Authentication protocol = Device code (`deviceCode` in Graph and Sentinel exports) to scope which accounts and IP addresses are involved
  4. Remove any unauthorized device registrations
  5. Audit email activity, mailbox rules, and file access
  6. Escalate if persistence indicators are present

Resetting the password alone will not remove attacker access. Access tokens already issued stay valid until they expire, roughly an hour, regardless of the password, and a password reset does nothing about a device the attacker registered, a malicious inbox rule, or an application consent they granted. Revoke sessions, remove the device, and audit the mailbox as well.
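The six steps above, as one added containment routine. This is example code, not systech’s playbook: the Microsoft Graph v1.0 routes it calls are real (`revokeSignInSessions`, `registeredDevices`, `devices/{id}`, `mailFolders/inbox/messageRules`, `oauth2PermissionGrants`), but `FakeGraph`, the sample tenant state, and the account and device names are constructed stand-ins so it runs offline; in production you would pass an authenticated client with the same `get`/`post`/`patch`/`delete` methods.

```python
"""Containment routine for a device-code-phished account, run against an in-memory
stand-in for Microsoft Graph. Added example, not systech or Microsoft code.
Graph paths are real v1.0 routes; FakeGraph and the sample state are constructed."""
from datetime import datetime, timezone


class FakeGraph:
    """Constructed stand-in for an authenticated Graph client; records every call."""

    def __init__(self, state):
        self.state = state   # path -> list of objects the GET would return
        self.calls = []

    def get(self, path):
        self.calls.append(("GET", path))
        return {"value": list(self.state.get(path, []))}

    def post(self, path, body=None):
        self.calls.append(("POST", path))

    def patch(self, path, body):
        self.calls.append(("PATCH", path))

    def delete(self, path):
        self.calls.append(("DELETE", path))
        for key in list(self.state):  # drop the deleted device from any listing
            self.state[key] = [o for o in self.state[key] if f"/devices/{o.get('id')}" != path]


def _suspicious_rule(rule):
    """Inbox rules that forward, redirect, or delete mail are how attackers hide and exfiltrate."""
    a = rule.get("actions", {})
    return bool(a.get("forwardTo") or a.get("forwardAsAttachmentTo")
                or a.get("redirectTo") or a.get("delete"))


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def contain_user(graph, user_id, incident_start):
    """Revoke, reset, remove rogue devices, then audit rules and consents for the report."""
    report = {"devices_removed": [], "suspicious_rules": [], "app_consents": []}
    # 1. Invalidate refresh tokens and session cookies. Access tokens already issued
    #    stay valid until expiry (about an hour), so keep watching the mailbox.
    graph.post(f"/users/{user_id}/revokeSignInSessions")
    # 2. Force a new password at next sign-in.
    graph.patch(f"/users/{user_id}", {"passwordProfile": {"forceChangePasswordNextSignIn": True}})
    # 3. Remove any device registered since the phish: that is the PRT foothold.
    for dev in graph.get(f"/users/{user_id}/registeredDevices")["value"]:
        if _parse_ts(dev["registrationDateTime"]) >= incident_start:
            graph.delete(f"/devices/{dev['id']}")
            report["devices_removed"].append(dev["displayName"])
    # 4. Inbox rules that forward or delete mail.
    for rule in graph.get(f"/users/{user_id}/mailFolders/inbox/messageRules")["value"]:
        if _suspicious_rule(rule):
            report["suspicious_rules"].append(rule["displayName"])
    # 5. Delegated consents this user granted (attacker-registered apps persist here).
    for grant in graph.get(f"/users/{user_id}/oauth2PermissionGrants")["value"]:
        report["app_consents"].append((grant["clientId"], grant["scope"]))
    return report


# Constructed tenant state for one phished user.
SAMPLE_STATE = {
    "/users/jdoe@example.com/registeredDevices": [
        {"id": "dev-1", "displayName": "JDOE-LAPTOP", "registrationDateTime": "2023-11-02T09:00:00Z"},
        {"id": "dev-2", "displayName": "DESKTOP-ATTACKER", "registrationDateTime": "2024-03-05T14:22:00Z"},
    ],
    "/users/jdoe@example.com/mailFolders/inbox/messageRules": [
        {"displayName": "Move newsletters", "actions": {"moveToFolder": "folder-id-1"}},
        {"displayName": ".", "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker.example"}}],
                                         "delete": True}},
    ],
    "/users/jdoe@example.com/oauth2PermissionGrants": [
        {"clientId": "sp-0000", "scope": "Mail.ReadWrite offline_access"},
    ],
}


def demo():
    """Run containment for the sample user; return (report, Graph calls made)."""
    graph = FakeGraph({k: list(v) for k, v in SAMPLE_STATE.items()})
    incident_start = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)  # time of the phish
    return contain_user(graph, "jdoe@example.com", incident_start), graph.calls


if __name__ == "__main__":
    report, calls = demo()
    print(report)
    print([c for c in calls if c[0] != "GET"])
```

The order matters: revoke first, because every minute the refresh token stays valid the attacker can mint a new access token and re-register a device; the audit steps come last and feed the escalation decision in step 6 of the list above.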

How to Protect Against Microsoft 365 Token Phishing

Defense requires configuration, not just awareness.

From the administrative side:

  • Block device code flow for all users with the Conditional Access “Authentication flows” condition, and carve out a narrow exception only for the specific accounts and devices that genuinely need it
  • Monitor Entra sign-in logs for device code activity, and alert on any successful device-code sign-in
  • Require compliant or managed devices, so a token alone is not enough to reach data
  • Restrict who may register or join devices, and establish a rapid token revocation procedure that is tested before it is needed

From the user side, simplify the rule:

If you did not initiate the login, do not enter the code.

Reinforce this consistently. The attack depends on urgency and compliance.

What This Means Moving Forward

The EvilTokens Microsoft 365 phishing attack represents a shift in how access is obtained. Attackers no longer break authentication—they redirect it.

As a result, organizations must adjust:

  • Train users on behavior, not just visuals
  • Monitor authentication flows, not just logins
  • Respond to tokens, not just passwords

At systech, we are actively implementing protections, auditing environments, and updating training to address this threat.

If your organization has not reviewed device code authentication or token controls, now is the time. Delay increases exposure, and exposure compounds quickly under this model.

Frequently Asked Questions

Does MFA stop EvilTokens attacks?

No. The user completes MFA on a legitimate Microsoft page, which authorizes the attacker’s session.

What is a refresh token in Microsoft 365?

A refresh token allows continued access without repeated authentication. By default it stays valid for 90 days of inactivity, and each use renews it, so an attacker who keeps using it retains access until it is revoked.

How do you stop device code phishing?

Block device code flow, monitor Entra ID logs, enforce device compliance, and revoke tokens immediately after suspected compromise.

Contact us for a free discovery call today.

541-350-8604