
The Evolution of EvilTokens: Analyzing AI-Enabled Device Code Phishing Campaigns

Executive Summary

The threat landscape for credential theft is shifting from static, proxy-based phishing toward sophisticated, automated abuse of OAuth 2.0 authentication flows. Recent intelligence from Microsoft Defender Security Research, supported by SecLookup’s active telemetry, has identified a widespread phishing campaign leveraging the EvilTokens Phishing-as-a-Service (PhaaS) toolkit. This campaign is a significant escalation from previous activity observed under the Storm-2372 umbrella. By integrating Generative AI for hyper-personalized lures and dynamic backend automation via platforms like Railway.com, threat actors have effectively circumvented traditional security controls—specifically the 15-minute expiration window of device codes. SecLookup has been actively tracking and blocking the infrastructure associated with this campaign, including key domains and ephemeral IP ranges used for polling and token exfiltration.

Threat Analysis: The Move to AI-Enabled Automation

The core of this campaign lies in the abuse of the Device Code Flow (RFC 8628), an authentication method originally designed for devices with limited input capabilities, such as smart TVs or IoT devices. While device code phishing is not a new technique, the current campaign introduces three critical innovations that increase its success rate and scale.

1. Dynamic Code Generation

In traditional device code attacks, threat actors generated a code and sent it to a victim. However, these codes typically expire within 15 minutes. If a victim did not click the link and enter the code immediately, the attack would fail.

The EvilTokens toolkit solves this by using "just-in-time" generation. The phishing link does not contain a pre-generated code; instead, when a victim interacts with the malicious landing page, a backend Node.js script triggers a request to the identity provider (e.g., Microsoft Entra ID) to generate a fresh device code in real-time. This ensures that the 15-minute window only begins at the moment of human interaction, drastically increasing the window of opportunity for the attacker.

2. AI-Driven Personalization

The campaign utilizes Generative AI to move beyond generic "Urgent Action Required" templates. Threat actors are generating hyper-personalized lures tailored to the victim’s specific job role and organizational context. SecLookup has identified themes revolving around:

  • Request for Proposals (RFPs): Targeted at sales and business development teams.

  • Manufacturing Workflows: Targeted at operations and supply chain personnel.

  • Unpaid Invoices: Targeted at finance and accounts payable departments.

By using LLMs to craft these emails, the attackers eliminate common indicators of phishing, such as poor grammar or awkward phrasing, making the lure highly convincing.

3. Ephemeral Infrastructure via Railway.com

To manage thousands of concurrent authentication flows, the threat actors utilized Railway.com, a cloud platform for deploying applications. This allowed them to spin up thousands of unique, short-lived polling nodes. These nodes run Node.js logic that constantly "polls" the identity provider to check if the victim has completed the device code entry.

Using legitimate cloud infrastructure helps the attackers bypass signature-based detections and domain reputation filters, as the traffic often originates from reputable IP ranges. SecLookup's engine, however, focuses on behavioral heuristics and has successfully flagged these nodes by identifying the specific polling patterns associated with EvilTokens.

MITRE ATT&CK Mapping

The TTPs observed in this campaign map to the following MITRE ATT&CK techniques:

Technique ID | Technique Name | Description
T1566.002 | Spearphishing Link | Use of AI-generated, personalized lures to deliver malicious URLs.
T1528 | Steal Application Access Token | Abuse of the Device Code Flow to obtain OAuth access and refresh tokens.
T1583.001 | Acquire Infrastructure: Domains | Registration of deceptive domains like office-verify.net.
T1071.001 | Application Layer Protocol: Web Protocols | C2 traffic and polling logic conducted over HTTPS.
T1584 | Compromise Infrastructure | Use of automation platforms (Railway.com) to host polling logic.

SecLookup Detection and Prevention

SecLookup’s threat intelligence platform was actively detecting and blocking the primary infrastructure used in this campaign before the public disclosure of the Microsoft report. Our automated scanners identified the domain a7b2-c9d4.office-verify.net as a high-risk entity due to its registration patterns and its association with the EvilTokens toolkit.

By monitoring for specific Node.js polling behaviors and identifying the unique entropy in the subdomains generated for this campaign, SecLookup provides real-time protection. Customers using our API or integrated SOC tools were protected from the moment these domains were activated.

Indicators of Compromise (IOCs)

Confirmed Malicious Domains

The following domain was used as a primary landing page for the device code phishing attempts:

a7b2-c9d4.office-verify.net

IP Addresses

These IP addresses have been identified as part of the polling and exfiltration infrastructure:

89.150.45.0
160.220.232.0
160.220.234.0
185.81.113.0

Detection Rules

Phish_DeviceCode_Campaign_IOCs

This rule targets the specific domain patterns and string identifiers found in the landing pages of this campaign.

rule Phish_DeviceCode_Campaign_IOCs {
    meta:
        description = "Detects infrastructure and identifiers associated with AI-enabled device code phishing campaigns"
        threat_name = "Inside an AI-enabled device code phishing campaign"
        reference = "Microsoft Defender Security Research"
    strings:
        $domain1 = "a7b2-c9d4.office-verify.net" ascii wide nocase
        $domain2 = "office-verify.net" ascii wide nocase
        $s1 = "device code" ascii wide nocase
        $s2 = "verification_uri" ascii wide nocase
        $s3 = "user_code" ascii wide nocase
    condition:
        any of ($domain*) or (2 of ($s*))
}

PhaaS_EvilTokens_Toolkit_Indicators

This rule identifies the core toolkit logic and actor-specific markers observed in the backend automation.

rule PhaaS_EvilTokens_Toolkit_Indicators {
    meta:
        description = "Detects references to the EvilTokens PhaaS toolkit and associated infrastructure patterns"
        threat_actor = "Storm-2372"
    strings:
        $toolkit = "EvilTokens" ascii wide nocase
        $actor = "Storm-2372" ascii wide nocase
        $infra = "railway.com" ascii wide nocase
        $logic = "Node.js" ascii wide nocase
        $flow = "device code authentication flow" ascii wide nocase
    condition:
        $toolkit or $actor or ($infra and $flow and $logic)
}

Recommendations

To defend against AI-enabled device code phishing, SecLookup recommends the following defensive measures:

  1. Restrict Device Code Flow: If your organization does not require device code authentication for IoT or legacy devices, disable it within your Identity Provider (IdP) settings (e.g., Microsoft Entra ID).

  2. Implement Conditional Access: Use Conditional Access policies to restrict where device code flow can be initiated. For example, require the device to be on a trusted network or a compliant, managed device.

  3. Enforce FIDO2 MFA: Move toward phishing-resistant multi-factor authentication (MFA) such as FIDO2 security keys. These methods are not susceptible to the token theft techniques used in device code phishing.

  4. Monitor for Suspicious Polling: SOC analysts should hunt for high frequencies of sign-in attempts from ephemeral cloud hosting IP ranges (Railway, AWS, etc.) using the "Device Code" authentication method.

  5. User Awareness Training: Update phishing simulations to include device code flow scenarios. Most users are trained to look for password fields; they may not realize that entering a code into a "Microsoft verification" page is equally dangerous.
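The polling-pattern detection described in the Railway.com section and the hunt suggested in recommendation 4 both come down to the same query over sign-in telemetry: find source addresses that generate many device code sign-ins in a short window, or that sit in a watched hosting/IOC range. The script below is an added example written for this post, not SecLookup's engine or Microsoft's code. It assumes sign-in records shaped like the Microsoft Graph signIn resource (createdDateTime, ipAddress, userPrincipalName, authenticationProtocol with the value deviceCode), treats the bare addresses in the IOC list above as /24 networks (an assumption), and runs over constructed sample records so it works offline.

```python
"""Hunt for device code sign-in bursts and watched-range sources in Entra sign-in records.

Added example, not SecLookup's or Microsoft's code. Record shape follows the
Microsoft Graph signIn resource (createdDateTime, ipAddress, userPrincipalName,
authenticationProtocol); every record below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the bare addresses in the IOC list denote /24 networks.
WATCHED_RANGES = [ip_network(n) for n in (
    "89.150.45.0/24", "160.220.232.0/24", "160.220.234.0/24", "185.81.113.0/24",
)]


def _rec(ts, ip, upn, proto="deviceCode"):
    return {"createdDateTime": ts, "ipAddress": ip,
            "userPrincipalName": upn, "authenticationProtocol": proto}


# Constructed sample: a six-request burst from one unlisted address (TEST-NET-3),
# a single hit from a watched range, and benign background activity.
SAMPLE_SIGNINS = [
    _rec("2024-01-01T09:00:00Z", "203.0.113.10", "a.user@example.com"),
    _rec("2024-01-01T09:00:30Z", "203.0.113.10", "b.user@example.com"),
    _rec("2024-01-01T09:01:00Z", "203.0.113.10", "a.user@example.com"),
    _rec("2024-01-01T09:01:30Z", "203.0.113.10", "c.user@example.com"),
    _rec("2024-01-01T09:02:00Z", "203.0.113.10", "b.user@example.com"),
    _rec("2024-01-01T09:02:30Z", "203.0.113.10", "c.user@example.com"),
    _rec("2024-01-01T09:10:00Z", "89.150.45.12", "d.user@example.com"),
    _rec("2024-01-01T08:00:00Z", "198.51.100.5", "e.user@example.com"),
    _rec("2024-01-01T11:00:00Z", "198.51.100.5", "e.user@example.com"),
    _rec("2024-01-01T09:05:00Z", "198.51.100.5", "e.user@example.com", proto="oAuth2"),
]


def parse_time(ts: str) -> datetime:
    """Graph timestamps are ISO 8601 with a trailing Z; fromisoformat wants an offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def in_watched_range(ip: str) -> bool:
    """True when the address falls inside any watched hosting/IOC network."""
    addr = ip_address(ip)
    return any(addr in net for net in WATCHED_RANGES)


def peak_in_window(times, window: timedelta) -> int:
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the left edge forward
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_device_code_bursts(records, window=timedelta(minutes=10), threshold=5):
    """Return {ip: finding} for device code sources that burst or sit in a watched range."""
    by_ip = defaultdict(list)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue                        # only the device code flow is of interest
        by_ip[r["ipAddress"]].append(r)

    findings = {}
    for ip, recs in by_ip.items():
        peak = peak_in_window([parse_time(r["createdDateTime"]) for r in recs], window)
        reasons = []
        if peak >= threshold:
            reasons.append(f"{peak} device code sign-ins within {window}")
        if in_watched_range(ip):
            reasons.append("source address in watched hosting/IOC range")
        if reasons:
            findings[ip] = {
                "peak": peak,
                "users": sorted({r["userPrincipalName"] for r in recs}),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for ip, f in find_device_code_bursts(SAMPLE_SIGNINS).items():
        print(ip, f["peak"], f["users"], "; ".join(f["reasons"]))
```

On the sample data the burst from 203.0.113.10 is flagged on frequency alone, the single sign-in from 89.150.45.12 is flagged only because it lands in a watched range, and the two device code sign-ins hours apart from 198.51.100.5 are left alone. The window and threshold are starting points to tune against your own baseline; a fleet of legitimate IoT devices behind one NAT address will need an allow-list rather than a higher threshold.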
