Key Findings A sophisticated phishing-as-a-service kit called EvilTokens exploits Microsoft's legitimate OAuth 2.0 device authorization flow to hijack Microsoft 365 accounts without stealing passwords Attackers trick victims into entering a device code on a real Microsoft login page, which grants the attacker valid access tokens to the compromised account The attack bypasses traditional phishing detection methods by using genuine Microsoft authentication pages, eliminating fa