A phishing package with post-compromise focus: Beyond the initial access vector, EvilTokens is structured as a full-service phishing platform. The kit provides affiliates with ready-to-use lures, infrastructure, and automation tools designed to carry out both the phishing phase and post-compromise activity.

The lures used in the campaign include fake SharePoint document notifications, DocuSign requests, and account alerts, all meant to urge users toward entering device codes. Once access is obtained, the platform enables inbox analysis, allowing attackers to identify high-value targets such as financial conversations or invoice threads.

"By leveraging the short-lived access token, the attacker can exfiltrate targeted user data for up to 60 minutes following the device code phishing attack," they said. "Depending on the targeted service, the attacker can access emails via Exchange Online, documents from Microsoft SharePoint Online and OneDrive, or conversation history in Microsoft Teams."

The tokens received alongside the 60-minute access token can also be redeemed for new access tokens under a rolling 90-day validity, allowing attackers to maintain persistence on the compromised account.

Distributed through Telegram channels, the PhaaS service includes bot-driven workflows to manage campaigns and token collection. Researchers also observed ongoing development efforts, with indications that support for additional platforms beyond Microsoft may be introduced.

Sekoia shared a set of attack infrastructure details to support tracking. These include phishing domain and URL patterns, self-hosted affiliate domains, EvilTokens admin domains, and a YARA rule for detecting the phishing page.
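As an added example (not code from the article or from Sekoia's report), the following script picks device code flow sign-ins out of Microsoft Entra sign-in log records and computes the exposure window from the two token lifetimes the article cites, so an incident responder knows how long a compromised account stays reachable until sessions are revoked. The sample records are constructed, and the field names (`authenticationProtocol`, `createdDateTime`, `ipAddress`) follow the Entra sign-in log schema as I understand it.

```python
from datetime import datetime, timedelta

# Token lifetimes cited in the article: a 60-minute access token, plus a token
# that can be redeemed for new access tokens under a rolling 90-day validity.
ACCESS_TOKEN_TTL = timedelta(minutes=60)
REFRESH_TOKEN_TTL = timedelta(days=90)

# Constructed sample sign-in records (not real log data). Field names follow
# the Entra ID sign-in log schema as I understand it; all values are made up.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-01-10T09:15:00Z", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"},
    {"createdDateTime": "2025-01-10T09:20:00Z", "userPrincipalName": "bob@example.test",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.4"},
    {"createdDateTime": "2025-01-10T11:02:00Z", "userPrincipalName": "carol@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.4"},
]

def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def device_code_signins(records):
    """Keep only sign-ins that completed through the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]

def exposure_window(signin_time):
    """Return (access token expiry, refresh token expiry) for a sign-in time."""
    return signin_time + ACCESS_TOKEN_TTL, signin_time + REFRESH_TOKEN_TTL

def triage(records, trusted_ips):
    """Flag device code sign-ins; those from outside trusted_ips are high risk."""
    findings = []
    for r in device_code_signins(records):
        access_until, refresh_until = exposure_window(parse_time(r["createdDateTime"]))
        findings.append({
            "user": r["userPrincipalName"],
            "ip": r["ipAddress"],
            "risk": "high" if r["ipAddress"] not in trusted_ips else "review",
            "access_token_until": access_until.isoformat(),
            "refresh_token_until": refresh_until.isoformat(),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNINS, trusted_ips={"198.51.100.4"}):
        print(finding)
```

The refresh-token expiry is the outer bound of the attacker's persistence window, which is why the response to a confirmed device code phish is to revoke the user's sessions rather than wait for the access token to lapse.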
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4153742/eviltokens-abuses-microsoft-device-code-flow-for-account-takeovers.html