EvilTokens is a phishing kit that conceals its malicious payload through browser-side AES-GCM encryption, creating challenges for static detection methods. It exploits the OAuth device-code authentication flow used by Microsoft to perform account takeovers of Microsoft 365 without direct password theft. The attack chain includes multiple stages such as gate checks, user code requests, and session monitoring, culminating in a legitimate-looking redirect to OneDrive. This multi-stage approach and encryption require dynamic analysis to uncover the full attack sequence. The kit targets organizations mainly in the United States and Europe, focusing on several key industries. No CVE or known exploits in the wild are reported, and no patch or remediation is indicated as this is a phishing technique rather than a software vulnerability.

Successful exploitation results in Microsoft 365 account takeovers without the need to steal passwords directly, potentially leading to unauthorized access to sensitive organizational data and services. The attack's use of encrypted payloads and multi-stage processes complicates detection and analysis, increasing the risk of successful compromise. Targeted sectors include managed security services, technology, manufacturing, education, banking, and consulting in the United States and Europe.

No official patch or fix is available as this is a phishing kit exploiting legitimate OAuth device-code flows. Defenders should rely on dynamic analysis tools to detect such encrypted phishing payloads. Organizations should educate users about OAuth device-code phishing risks and monitor for suspicious OAuth device authorization requests. Employing multi-factor authentication and conditional access policies can help reduce the risk of account takeover. Since the attack mimics legitimate Microsoft redirects, enhanced user awareness and behavioral detection are critical.