Passwordless Phishing: How Attackers Hijack Microsoft 365 Through Device Code Authentication
- Jun 20
- 4 min read
Key Findings
A sophisticated phishing-as-a-service kit called EvilTokens exploits Microsoft's legitimate OAuth 2.0 device authorization flow to hijack Microsoft 365 accounts without stealing passwords
Attackers trick victims into entering a device code on a real Microsoft login page, which grants the attacker valid access tokens to the compromised account
The attack bypasses traditional phishing detection methods by using genuine Microsoft authentication pages, eliminating fake domains and suspicious certificates as warning signs
Device code phishing has been adopted by both criminal and state-aligned groups since at least February 2026, with documented campaigns targeting over 340 organizations
The kit includes obfuscation techniques like zero-width Unicode characters to evade string-matching security scanners and beacons every four seconds to maintain synchronization with the victim's authentication
Background
Device code phishing represents an evolution in account compromise techniques. The OAuth 2.0 device authorization grant flow was originally designed for devices that lack convenient input methods, such as smart TVs, printers, and command-line tools. These devices display a code that users enter on Microsoft's legitimate aka.ms/devicelogin page through another device. Once authenticated, Microsoft issues access tokens to the requesting device.
Attackers discovered they could repurpose this legitimate flow for account theft. Rather than building convincing replicas of login pages, they exploit the real Microsoft authentication infrastructure itself. Over the past year, both cybercriminal groups and state-sponsored actors have embraced device code phishing. The emergence of commercialized phishing-as-a-service kits has made these attacks accessible to a broader range of threat actors, significantly lowering the technical bar for account compromise.
How the Attack Unfolds
The attack typically begins with a deceptively simple business email. The message poses as a vendor estimate or document awaiting approval and includes a clickable HTML attachment containing a hidden image. When the victim clicks the attachment, they are directed to a polished landing page styled to resemble legitimate document review interfaces.
On this page, a "Review Document" button reveals a verification code. The victim is then instructed to copy this code and sign in with their Microsoft account. Importantly, the sign-in process that follows is entirely legitimate. The victim is directed to Microsoft's actual aka.ms/devicelogin entry point, where they enter the code they received from the attacker.
At this point, the victim unknowingly approves the attacker's device for access to their Microsoft 365 account. From that moment forward, the attacker holds valid OAuth tokens granting full account access. Microsoft does display a warning dialog mentioning "Microsoft Authentication Broker" and "another device," but these subtle cues often go unnoticed. The account takeover completes silently, with the victim having no indication their account has been compromised.
Why This Attack Succeeds
EvilTokens strips away most of the traditional red flags that security awareness training has emphasized for years. There is no fake domain to scrutinize, no suspicious SSL certificate to trigger warnings, and no misspelled URLs. The entire authentication process occurs on legitimate Microsoft infrastructure, making it appear completely normal to the victim.
The attack also circumvents two-factor authentication without any technical sophistication. Rather than breaking or bypassing 2FA mechanisms, attackers simply trick the victim into completing the second authentication factor themselves. Since the victim is authenticating on a real Microsoft page with legitimate authentication requests, 2FA provides no additional protection against social engineering.
Additionally, the kit employs obfuscation techniques designed to evade automated security scanning. Zero-width Unicode characters are inserted throughout the code to split potentially flagged terms like "Verify" and "Microsoft." This makes simple string-matching detection tools ineffective.
Detection and Defense
Detection of device code phishing is possible but requires looking beyond traditional indicators. Security researchers have identified that the kit's constant beaconing pattern is distinctive. The attacker's server receives the device code every four seconds to maintain synchronization with the victim's authentication process. Network defenders hunting for this telltale traffic pattern can identify active exploitation attempts.
Organizations should also monitor specific hostname-resolution sequences and watch for unusual Microsoft device code grants in Entra ID sign-in logs. Unexpected device code authorization events warrant immediate investigation.
For users, the defense is straightforward but requires a shift in thinking. Any unsolicited code that someone asks you to enter at a Microsoft authentication prompt should be treated with extreme suspicion. Microsoft's own dialog explicitly warns users not to enter codes from sources they do not trust. However, this warning alone is insufficient given the sophistication of modern social engineering.
Traditional phishing awareness training focused on identifying fake domains and typos provides limited protection against device code attacks. Security teams and individuals must recognize that legitimate-looking authentication flows can still be weaponized through social engineering. User training needs to evolve to address this modern threat vector.
The Broader Threat Landscape
EvilTokens demonstrates how phishing attacks have become more sophisticated and personalized. Some campaigns documented by Microsoft incorporated AI-enabled dynamic code generation and highly customized lures targeting specific organizations. These refinements significantly increase success rates compared to generic phishing campaigns.
The widespread adoption of the EvilTokens kit by criminal organizations and its use in both account takeover and business email compromise attacks indicates this technique will remain prevalent. As defenders develop countermeasures for device code phishing, attackers will likely continue refining their approaches and developing new variations that exploit legitimate authentication mechanisms.
Organizations should expect device code phishing campaigns to continue and potentially increase in sophistication. The combination of legitimate authentication flows, social engineering, and commercially available attack kits creates a powerful threat that transcends traditional security boundaries.
Sources
https://securityonline.info/device-code-phishing/
https://www.welivesecurity.com/en/cybercrime/eviltokens-phishing-doesnt-steal-password
https://cybersecuritynews.com/microsoft-365-device-code-phishing-campaign
https://deandorton.com/mfa-is-not-enough-how-attackers-are-hijacking-microsoft-365-without-your-password

Comments