How the Attack Works
A sophisticated phishing kit known as EvilTokens is targeting organizations across the United States and Europe, using a technique that hides its malicious activity from traditional security tools. The attack abuses Microsoft's legitimate device code authentication flow, tricking victims into granting access to their own Microsoft 365 accounts without the attackers ever capturing passwords directly.
The kit's effectiveness stems from its use of an encrypted landing page. The page HTML is encrypted with AES-GCM and only becomes readable inside the victim's browser after decryption occurs. As a result, static URL analysis and network-level detection tools often miss the actual phishing content: they record only an encrypted response and never see what the victim sees on screen.
Impact and Scope
Security researchers have identified EvilTokens activity concentrated primarily across the United States and Europe, targeting sectors including managed security services, technology, manufacturing, education, banking, and consulting. The kit focuses on environments where a single compromised Microsoft 365 account provides access to sensitive data, internal communications, and linked business services.
The encrypted approach creates significant challenges for security operations teams. When analysts cannot observe what a suspicious page does after it executes in the browser, the consequences include longer exposure to potential account compromise, delayed containment decisions, increased alert volumes for senior staff, higher investigation costs, and incomplete evidence for blocking related infrastructure. Security teams need browser-level analysis capabilities to detect the decrypted phishing content and confirm threats rapidly.
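Because the phishing page itself is hidden from network tools, the identity layer is where this attack is most visible: every successful lure ends in a device-code-flow sign-in to the victim's account. The following is an added example, not from the article or from any vendor product, that flags such sign-ins in Microsoft Entra ID sign-in log records. The field names follow the real sign-in log schema, the records are constructed, and the assumption that device code flow is rare for ordinary users in the environment is the analyst's to confirm.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in records in JSON Lines form. The field
# names match the real sign-in log schema; users, IPs and times are made up.
SAMPLE_LOG = """\
{"createdDateTime":"2024-05-01T07:00:05Z","userPrincipalName":"b.jones@example.com","ipAddress":"192.0.2.55","location":{"countryOrRegion":"DE"},"authenticationProtocol":"none","resourceDisplayName":"Microsoft Teams"}
{"createdDateTime":"2024-05-01T08:02:11Z","userPrincipalName":"a.smith@example.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"authenticationProtocol":"none","resourceDisplayName":"Office 365 Exchange Online"}
{"createdDateTime":"2024-05-01T09:15:40Z","userPrincipalName":"a.smith@example.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"authenticationProtocol":"none","resourceDisplayName":"Microsoft Teams"}
{"createdDateTime":"2024-05-01T09:20:02Z","userPrincipalName":"a.smith@example.com","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"authenticationProtocol":"deviceCode","resourceDisplayName":"Microsoft Graph"}
{"createdDateTime":"2024-05-01T10:05:33Z","userPrincipalName":"b.jones@example.com","ipAddress":"192.0.2.55","location":{"countryOrRegion":"DE"},"authenticationProtocol":"deviceCode","resourceDisplayName":"Microsoft Graph"}
"""

def parse_signins(text):
    """Parse JSON Lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_device_code_signins(records):
    """Return one alert per device-code sign-in, in time order.

    The baseline for a user is the set of countries seen in that user's
    *earlier* non-device-code sign-ins; later sign-ins are deliberately not
    used, since post-compromise token use would otherwise pollute it.
    Severity is 'high' when the device-code sign-in comes from a country
    outside the baseline (or the user has no baseline), 'medium' otherwise.
    Device code flow is assumed to be rare for ordinary users, so every use
    is reported.
    """
    baseline = defaultdict(set)
    alerts = []
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"]
        country = rec["location"]["countryOrRegion"]
        if rec.get("authenticationProtocol") != "deviceCode":
            baseline[user].add(country)
            continue
        alerts.append({
            "time": rec["createdDateTime"],
            "user": user,
            "ip": rec["ipAddress"],
            "country": country,
            "resource": rec.get("resourceDisplayName"),
            "severity": "high" if country not in baseline[user] else "medium",
        })
    return alerts

if __name__ == "__main__":
    for alert in find_device_code_signins(parse_signins(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the baseline would be built from a longer history than the batch being scanned, and a Conditional Access policy restricting device code flow to the users and clients that actually need it removes the attack path rather than merely detecting it.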
Source: Cyber Security News
