Microsoft 365 EvilToken campaign hits hundreds daily

Source: https://www.newsbeep.com/nz/370484/ (published 2026-04-09)

AppOmni’s threat hunting team has identified both attempted and successful EvilToken device code phishing activity across Microsoft 365 environments. Microsoft has reported that hundreds of organisations are being compromised each day in campaigns linked to this attack method.

The attack uses device code phishing and OAuth tokens rather than stolen passwords. Based on details published by Microsoft and cited by AppOmni, victims are persuaded to complete a legitimate Microsoft authentication flow, which then issues a valid token to the attacker’s session.

As a result, attackers can access email and files in Microsoft 365 while avoiding many of the warning signs associated with conventional credential theft. Because the victim completes the login and multi-factor authentication process themselves, later activity can appear legitimate in logs.

The campaigns have targeted high-value users, including people in finance, executive and administrative roles. Attackers have also used generative AI to create tailored phishing messages tied to invoices, requests for proposals and workflow tasks.

Once access is granted, attackers can use the Microsoft Graph API to search for sensitive communications, create inbox rules to hide their activity and register new devices to extend access. AppOmni said dynamic code generation helps attackers exploit the limited validity window for device codes, turning what was once a manual process into a more automated one.

Shift In Tactics

Bill Legue, Lead Threat Hunter at AppOmni, said the campaign reflects a broader shift in how attackers operate in software-as-a-service environments.

“The EvilToken campaign is not an isolated incident. It reflects a consistent and growing pattern in SaaS attacks. Attackers are no longer trying to break in. They are logging in with valid access, leveraging tokens and operating entirely within trusted SaaS environments.

“This shift introduces several important realities:

“Identity is now the primary attack surface: compromise happens at the authentication layer, not the infrastructure layer.

“Tokens are the new persistence mechanism: OAuth tokens allow attackers to maintain access without repeated logins or password reuse.

“Post-authentication activity is where risk lives: once inside, attackers can move laterally, access sensitive data and blend in with normal behaviour.

“Native features are being weaponised: device code authentication and OAuth flows are designed for usability but can be exploited when not properly controlled.

“Combined with AI-generated lures and dynamic code generation to exploit the full 15-minute token validity window, this campaign shifted from manual scripts to a fully automated, AI-driven attack chain.

“The broader pattern is clear: if an attacker has valid access, traditional security controls are often insufficient.

“Security teams should think about response in two layers: containment and continuous risk reduction.

“Start by reducing active exposure:

“Restrict or disable device code authentication where it is not required. Block the device code authentication flow through Conditional Access for users who do not need it. This is the primary preventive control for this class of attack. Phishing-resistant MFA, such as passkeys and FIDO keys, reduces the risk of credential phishing but does not prevent device code flow abuse. Revoke active sessions and invalidate refresh tokens if compromise is suspected. Reset credentials for impacted or high-risk users.

“Also monitor for suspicious inbox rules, abnormal Microsoft Graph API activity and unexpected device registrations.

“These steps help contain active threats but do not address the root issue. To prevent recurrence, organisations need to focus on how access is granted, used and extended across SaaS environments:

“Validate identity and access continuously. Understand who has access, including non-human identities, how they authenticated through OAuth, device code or SSO, and whether that access aligns with least privilege.

“Monitor post-authentication behaviour. Look beyond login events and focus on token usage patterns, API activity tied to data access, and changes to configurations or permissions.

“Control OAuth and application access. OAuth integrations introduce significant risk. Audit connected applications and their scopes, remove unused or overly permissive integrations and restrict user consent where appropriate.

“Shift from alert-driven security to risk-based prioritisation. Focus on high-impact identity and access combinations, identify activity tied to sensitive data and reduce exposure based on business context.”

Immediate Response

AppOmni drew a distinction between attempted phishing, where no token is issued, and confirmed compromise, where attackers obtain valid OAuth tokens. In attempted cases, it advised organisations to educate affected users, review recent authentication activity for device code usage and tighten access policies.

For confirmed compromises, it recommended revoking sessions, invalidating tokens, forcing reauthentication, removing unauthorised devices and inbox rules, and auditing for new authenticator app or multi-factor authentication registrations. It also advised investigating Microsoft Graph API activity for evidence of data access.

The guidance highlights a wider issue for security teams: controls focused only on the login step may miss abuse that happens after authentication. Organisations should pay closer attention to how identities authenticate, how tokens are used and what connected applications can access once permission has been granted.

Microsoft said 10 to 15 distinct campaigns have launched every 24 hours since mid-March, with hundreds of organisations compromised each day.