Widespread OAuth Device Code Phishing Campaign Targets Microsoft 365 via EvilTokens PhaaS
Summary
Since mid-February 2026, a large-scale device code phishing campaign has targeted Microsoft 365 across at least 340 organizations in over 10 countries, escalating 37.5x in early April. The campaign abuses OAuth device authorization flows via the EvilTokens PhaaS platform and at least 10 additional phishing kits (VENOM, DOCUPOLL, SHAREFILE, etc.), granting persistent access tokens even after password resets. Attacks incorporate anti-bot evasion, multi-hop redirect chains via vendor services, and SaaS-themed lures, while mitigation focuses on disabling device code flows and monitoring anomalous authentications. Credential exposures like the Figure breach (967,200 email records) enable follow-on campaigns—credential stuffing, AI-generated phishing, and help desk social engineering—that bypass legacy MFA through real-time phishing relays and social engineering. Legacy MFA and even FIDO2 passkeys are structurally unable to prevent these attacks, which rely on human judgment at critical control points. Phishing-resistant authentication requires cryptographic origin binding, hardware-bound keys, and live biometric verification to close relay and delegation vectors.
Timeline
- 25.03.2026 13:34 · 4 articles
Device Code Phishing Campaign Leveraging EvilTokens PhaaS Hits 340+ Microsoft 365 Organizations
The scope and scale of device code phishing attacks have surged dramatically in early 2026, with a 37.5x increase in attacks detected compared to baseline levels at the start of March 2026. EvilTokens is identified as the most prominent phishing kit driving the mainstream adoption of this technique, enabling low-skilled cybercriminals to execute attacks that abuse Microsoft’s OAuth device authorization flow. At least 10 additional phishing kits (e.g., VENOM, DOCUPOLL, SHAREFILE, CLURE, LINKID, AUTHOV, FLOW_TOKEN, PAPRIKA, DCSTATUS) now offer device code phishing capabilities, each incorporating realistic SaaS-themed lures, anti-bot protections, and cloud-hosted infrastructure to evade detection. Push Security reports that the EvilTokens platform, alongside these competing kits, has led to a rapid commoditization of device code phishing, with evidence of multi-vector campaigns using QR codes, hyperlinks, and embedded phishing templates. Push Security's reporting highlights the need for organizations to implement conditional access policies that disable the device code flow and to monitor for anomalous authentication events, unusual IP addresses, and sessions to mitigate ongoing risks. The fourth source, on the Figure breach, underscores how credential exposures enable downstream attacks—credential stuffing, AI-driven targeted phishing, and help desk social engineering—that bypass legacy MFA via real-time phishing relays and social engineering. It details why legacy MFA (push, SMS, TOTP) and even FIDO2 passkeys remain vulnerable to relay attacks and social engineering, and outlines the architectural requirements for phishing-resistant authentication (cryptographic origin binding, hardware-bound keys, live biometric verification).
Sources:
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
Information Snippets
- The campaign abuses Microsoft’s OAuth device authorization flow to generate persistent access tokens that remain valid even after password resets.
First reported: 25.03.2026 13:34 (2 sources, 2 articles). Sources:
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Threat actors use Cloudflare Workers and Railway PaaS infrastructure (IPs: 162.220.234[.]41, 162.220.234[.]66, 162.220.232[.]57, 162.220.232[.]99, 162.220.232[.]235) to host phishing landing pages and harvest credentials.
First reported: 25.03.2026 13:34 (1 source, 1 article). Sources:
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- Attackers employ a multi-hop redirect chain leveraging legitimate vendor redirect services (Cisco, Trend Micro, Mimecast) to bypass email security controls.
First reported: 25.03.2026 13:34 (1 source, 1 article). Sources:
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- The EvilTokens phishing-as-a-service platform was launched on Telegram in early 2026 and provides automated phishing email delivery, bypass tools, and 24/7 support.
First reported: 25.03.2026 13:34 (2 sources, 3 articles). Sources:
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Unit 42 observed anti-bot evasion techniques including disabled right-click, blocked developer tools access, and infinite debugger loops on phishing pages.
First reported: 25.03.2026 13:34 (2 sources, 2 articles). Sources:
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Prior device code phishing activity was attributed to Russia-aligned groups including Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare.
First reported: 25.03.2026 13:34 (2 sources, 2 articles). Sources:
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- EvilTokens provides device code phishing capabilities integrated into a malicious kit sold over Telegram, enabling account hijacking for Microsoft accounts.
First reported: 01.04.2026 22:42 (1 source, 1 article). Sources:
- New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- EvilTokens is under active development with planned future support for Gmail and Okta phishing pages.
First reported: 01.04.2026 22:42 (1 source, 2 articles). Sources:
- New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Sekoia observed EvilTokens attacks where victims received emails containing QR codes or hyperlinks to EvilTokens phishing templates, with lures impersonating business content such as financial documents, meeting invitations, or DocuSign/SharePoint shared documents.
First reported: 01.04.2026 22:42 (1 source, 2 articles). Sources:
- New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- EvilTokens phishing pages impersonate trusted services like Adobe Acrobat or DocuSign, display a verification code, and prompt victims to click a 'Continue to Microsoft' button to reach the legitimate Microsoft device login page.
First reported: 01.04.2026 22:42 (1 source, 1 article). Sources:
- New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- EvilTokens enables attackers to obtain both short-lived and refresh tokens for persistent access to victim accounts, granting immediate access to email, files, Teams data, and SSO impersonation capabilities across Microsoft services.
First reported: 01.04.2026 22:42 (1 source, 2 articles). Sources:
- New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Sekoia identified EvilTokens campaigns with global reach, affecting countries including the United States, Canada, France, Australia, India, Switzerland, and the UAE, with advanced features supporting business email compromise (BEC) activities.
First reported: 01.04.2026 22:42 (1 source, 2 articles). Sources:
- New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Device code phishing attacks leveraging OAuth 2.0 Device Authorization Grant flows have surged 37.5 times in early 2026 compared to baseline levels at the start of March 2026.
First reported: 04.04.2026 17:17 (1 source, 1 article). Sources:
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- EvilTokens is identified as the most prominent phishing kit driving the mainstream adoption of device code phishing, enabling low-skilled cybercriminals to execute attacks.
First reported: 04.04.2026 17:17 (1 source, 1 article). Sources:
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- At least 11 distinct phishing kits, including VENOM, SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, and DCSTATUS, now offer device code phishing capabilities with realistic SaaS-themed lures and anti-bot protections.
First reported: 04.04.2026 17:17 (1 source, 1 article). Sources:
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Push Security observed a 15x increase in device code phishing pages detected at the start of March 2026, escalating to 37.5x by early April 2026.
First reported: 04.04.2026 17:17 (1 source, 1 article). Sources:
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Sekoia’s research on EvilTokens is highlighted as a prominent example of a phishing kit that democratizes device code phishing, making it accessible to a broader range of threat actors.
First reported: 04.04.2026 17:17 (1 source, 1 article). Sources:
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Push Security recommends disabling the device code flow via conditional access policies and monitoring logs for unexpected device code authentication events, unusual IP addresses, and sessions to mitigate attacks.
First reported: 04.04.2026 17:17 (1 source, 1 article). Sources:
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- The Figure breach exposed 967,200 email records without exploiting any vulnerability or zero-day, enabling downstream credential stuffing, targeted phishing, and help desk social engineering campaigns.
First reported: 09.04.2026 17:02 (1 source, 1 article). Sources:
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- Adversaries use exposed email records to run credential stuffing against enterprise portals, VPN gateways, Microsoft 365, Okta, and identity providers, achieving 2–3% success rates that translate to 19,000–29,000 valid credential pairs from 967,200 records.
First reported: 09.04.2026 17:02 (1 source, 1 article). Sources:
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- AI-assisted tooling can generate personalized phishing campaigns from a leaked email list in minutes, impersonating internal communications with job title, department, or LinkedIn-derived details to tailor lures.
First reported: 09.04.2026 17:02 (1 source, 1 article). Sources:
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- Help desk social engineering leverages valid email addresses and OSINT to impersonate employees in calls to IT support, requesting password resets, MFA device resets, or account unlocks to bypass authentication technology entirely.
First reported: 09.04.2026 17:02 (1 source, 1 article). Sources:
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- Legacy MFA (push notifications, SMS codes, TOTP) is vulnerable to real-time phishing relays (AiTM attacks) that forward credentials and MFA challenges between victim and real site, resulting in an authenticated session without needing to break cryptography.
First reported: 09.04.2026 17:02 (1 source, 1 article). Sources:
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- Adversary-in-the-middle toolkits like Evilginx, Modlishka, and Muraena are publicly available, actively maintained, and require no advanced tradecraft to operate, making relay attacks baseline adversary capability.
First reported: 09.04.2026 17:02 (1 source, 1 article). Sources:
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- FIDO2/WebAuthn passkeys, even cloud-synced, remain vulnerable to SIM swap attacks, account takeover via credential phishing, and recovery flow exploitation, rendering them insufficient alone for phishing-resistant authentication.
First reported: 09.04.2026 17:02 (1 source, 1 article). Sources:
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- Phishing-resistant authentication requires cryptographic origin binding, hardware-bound private keys that never leave secure hardware, and live biometric verification of the authorized individual to close relay attack vectors.
First reported: 09.04.2026 17:02 (1 source, 1 article). Sources:
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- TokenCore’s platform enforces biometrics, hardware-bound cryptographic authentication, and physical proximity verification simultaneously, eliminating phishing, replay, delegation, and exception pathways.
First reported: 09.04.2026 17:02 (1 source, 1 article). Sources:
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- The Figure breach exemplifies how credential exposure creates conditions for downstream authentication abuse, with adversary infrastructure operating continuously against exposed records.
First reported: 09.04.2026 17:02 (1 source, 1 article). Sources:
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
Similar Happenings
APT28 DNS hijacking campaigns via compromised SOHO routers observed in 2025–2026 targeting credential theft
APT28 (GRU GTsSS Military Unit 26165) has conducted opportunistic DNS hijacking campaigns since at least August 2025 by compromising small office/home office (SOHO) routers—primarily TP-Link models such as WR841N—to redirect victim traffic through attacker-controlled DNS servers and steal credentials. The campaign peaked in December 2025, compromising over 18,000 networks, including 200 organizations and 5,000 consumer devices, and specifically targeted government agencies such as ministries of foreign affairs, law enforcement, and third-party email providers. TP-Link routers were likely exploited via CVE-2023-50224 to retrieve credentials, which were used in adversary-in-the-middle attacks against browser sessions and desktop applications to harvest credentials for web and email services. APT28 operates a persistent infrastructure of VPSs repurposed as malicious DNS servers, receiving DNS requests from exploited routers and enabling opportunistic triage to identify high-value targets. Microsoft reported this is the first time APT28 has used DNS hijacking at scale to support post-compromise adversary-in-the-middle (AiTM) attacks on TLS connections against Microsoft Outlook on the web domains, intercepting OAuth authentication tokens after successful MFA authentication without requiring additional malware on compromised routers. On April 7, 2026, US authorities dismantled APT28’s US-based DNS hijacking network as part of ‘Operation Masquerade,’ neutralizing compromised routers across 23 states. The operation, led by the FBI and authorized by a court, reset DNS settings on affected TP-Link routers to restore legitimate DNS resolvers from ISPs without impacting functionality or collecting user content. The FBI is working with ISPs to notify affected users and urges router owners to replace outdated devices, update firmware, and verify DNS settings to prevent further exploitation.
Global C-Suite credential theft campaign leverages undocumented Venom PhaaS with AiTM bypass
A credential theft campaign from November 2025 to March 2026 targeted C-suite executives and senior personnel at major organizations worldwide using a previously undocumented phishing-as-a-service (PhaaS) platform named Venom. The campaign used SharePoint-themed lures with embedded QR codes to deliver a multi-stage phishing workflow designed to harvest credentials and bypass multifactor authentication (MFA). Email content included randomized HTML, fabricated email threads, and personalized sender impersonation to evade detection. Victims who passed automated checks were routed to credential harvesters that mimicked legitimate login portals via adversary-in-the-middle (AiTM) techniques, including pre-filled email fields, corporate branding, and identity provider integration. Compromised sessions maintained persistence even after password resets due to valid refresh tokens, unless administrators manually revoked active sessions.
Increased exploitation of legitimate remote access pathways and trusted tools in 2025 intrusions according to Blackpoint Cyber threat analysis
A 2026 analysis of 2025 incident response cases by Blackpoint Cyber finds threat actors increasingly leveraging legitimate remote access pathways and trusted administrative tools to establish initial access and maintain persistence. Rather than relying on software vulnerabilities, attackers primarily abused valid credentials, SSL VPN sessions, and remote monitoring and management (RMM) tools such as ScreenConnect to blend into normal operations. In cloud environments, adversaries captured and reused authenticated session tokens following successful multi-factor authentication (MFA) via adversary-in-the-middle phishing, bypassing detection by appearing as legitimate sessions.
Vishing Attacks Target Okta SSO Accounts for Data Theft
Threat actors are using vishing attacks to steal Okta SSO credentials, bypassing MFA and gaining access to enterprise cloud services. The attacks involve real-time manipulation of phishing pages and social engineering to trick employees into revealing their credentials and MFA codes. Once access is gained, attackers exfiltrate data from integrated platforms like Salesforce and demand extortion payments. The phishing kits used in these attacks are sold as a service and are actively employed by multiple hacking groups targeting identity providers and cryptocurrency platforms. Okta recommends using phishing-resistant MFA methods to mitigate these threats. Attackers use Telegram channels to receive stolen credentials and adapt their campaign based on the MFA or authentication solution the target is using. Phishing kits allow attackers to generate fake MFA notifications to bypass MFA protections.
Credential Theft and Account Compromise Surge in 2025
In 2025, cyber threat actors significantly increased their focus on credential theft, leading to a 389% rise in account compromise incidents, which constituted 55% of all attacks observed by eSentire. Credential access represented 75% of malicious activity, with two-thirds aimed at account takeovers and the remaining third used for phishing campaigns. Microsoft 365 accounts were primary targets. The use of phishing-as-a-service (PhaaS) kits, such as Tycoon2FA, FlowerStorm, and EvilProxy, fueled business email compromise (BEC) attacks. These kits are sophisticated, continuously updated, and designed to bypass modern security controls like multifactor authentication (MFA). While BEC attacks declined to less than 10% of malicious activity, they remained a top threat for companies, particularly in real estate, finance, retail, and construction. The report also highlighted a 14-fold increase in security incidents involving email bombing and IT Help Desk impersonation, a 300% spike in the ClickFix lure, and varying trends in cyber incidents across different industries.