A New Phishing Attack Targets Your Microsoft 365 Login (and MFA Won't Stop It)

A new phishing attack called device code phishing bypasses MFA to hijack Microsoft 365 accounts. Iowa law firms need to understand why MFA alone isn't enough.

You’re at your desk and an email comes in from what looks like DocuSign or SharePoint. A client has shared a document that needs your review. You click the link. You land on a real Microsoft login page. You type in your email and password, complete your MFA prompt like you always do, and go back to your day.

Except now an attacker has full access to your Microsoft 365 account. Your email, your files, your Teams conversations, your SharePoint sites. Everything. And your MFA worked perfectly the entire time.

This is device code phishing, and a new phishing-as-a-service kit called EvilTokens is making it dangerously easy for criminals to pull off at scale.

How Device Code Phishing Works

Microsoft 365 supports something called the OAuth 2.0 device authorization flow. It was designed for devices that don’t have a browser, like smart TVs or conference room displays, where you log in on a separate device and enter a short code to authorize the session.

Device code phishing abuses this legitimate process. The attacker generates a device authorization request and gets a code from Microsoft. They send you a phishing email with a link that takes you to Microsoft’s real login page, where you’re asked to enter that code and sign in. Because it’s a real Microsoft page, everything looks normal. You complete your login, including MFA.

But when you finish, the access tokens and refresh tokens that Microsoft issues go to the attacker’s device, not yours. The attacker now has a valid session. They can read your email, download your files, impersonate you in Teams, and access any application connected through single sign-on. The refresh tokens can keep that access alive for days or weeks without triggering another login prompt.

Why MFA Doesn’t Stop This

This is the part that catches most people off guard. You did everything right. You used a strong password. You approved the MFA prompt. You logged in on a legitimate Microsoft page. None of that matters here.

MFA protects against stolen passwords. If someone has your password but can’t pass the second factor, they’re locked out. That’s the scenario MFA was designed for, and it works.

Device code phishing is different. You completed MFA yourself, on a real login page. The authentication succeeded. Microsoft issued session tokens. The problem is that those tokens were delivered to the attacker’s device instead of yours. MFA did its job. The attack happens after MFA, at the token level.

This is why security professionals have been pushing for phishing-resistant authentication methods like FIDO2 hardware keys. Traditional MFA (push notifications, SMS codes, authenticator apps) can’t distinguish between a legitimate device authorization and a malicious one.

What Makes EvilTokens Different

Device code phishing isn’t new. Russian threat groups including Storm-237, ShinyHunters, UTA032, and UTA0355 have used it in targeted campaigns for the past couple of years. What’s changed is the barrier to entry.

EvilTokens, documented by Sekoia researchers in April 2026, is a phishing-as-a-service kit sold on Telegram. It comes with pre-built phishing templates that impersonate DocuSign, Adobe Acrobat, SharePoint, and other common business services. Lures are delivered as PDF, HTML, DOCX, XLSX, or SVG attachments containing QR codes or hyperlinks that redirect to the phishing flow.

The kit includes templates tailored to specific roles: finance, HR, logistics, sales. It’s designed to scale. The United States, Canada, France, Australia, India, Switzerland, and the UAE are the most targeted countries so far.

According to the Blackpoint Cyber 2026 report, adversary-in-the-middle phishing (the broader category that includes device code attacks) now accounts for roughly 16% of all cloud account compromises. That number is growing.

Why Iowa Law Firms Should Pay Attention

If an attacker captures tokens from one of your attorneys’ Microsoft 365 accounts, they get immediate access to privileged client communications. Attorney-client privileged emails, draft settlement documents, case strategy discussions, financial records. All of it.

From there, the playbook is predictable. The attacker monitors the mailbox for active transactions. They wait for the right moment, then insert themselves into a conversation with modified wire instructions or a convincing request for sensitive information. This is business email compromise (BEC), and it is the single most financially damaging type of cyberattack for law firms.

The difference with device code phishing is that the attacker is operating from a fully authenticated session. Email security tools that flag logins from unusual locations may not trigger, because the token-based access can look like normal API activity. The attacker doesn’t need to log in again. They already have the keys.

For a small or mid-size firm, the impact of a single compromised account can cascade quickly. Shared mailboxes, shared drives, Teams channels with client-specific discussions. One account often unlocks access to a significant portion of the firm’s data.

What to Do About It

There’s no single fix for this. But the following measures, taken together, make device code phishing significantly harder to pull off.

Deploy phishing-resistant MFA. FIDO2 security keys (like YubiKeys) are the gold standard. They bind authentication to the specific device and origin URL, which means they can’t be tricked by a device code flow. If FIDO2 keys aren’t feasible firm-wide, start with your highest-risk accounts: partners, finance staff, and anyone with access to trust accounts.

Implement conditional access policies. Microsoft Entra ID (formerly Azure AD) lets you restrict the device authorization flow entirely, or limit it to compliant, managed devices. If your firm doesn’t use the device code flow for any legitimate purpose (most firms don’t), block it.

Require device compliance. Conditional access policies that require devices to be enrolled in Intune and meet compliance standards will prevent token issuance to unknown devices. This is one of the most effective controls against this specific attack.
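As an added example (not from the original article and not Microsoft's own tooling), the "block the device code flow" and "limit it to compliant devices" policies from the two paragraphs above can be created through the Microsoft Graph API in Python. The `authenticationFlows` condition with `transferMethods` set to `deviceCodeFlow` is Graph's conditional access condition for the device authorization grant; the policy name, the report-only default, the compliant-device variant and the placeholder token are assumptions of this example.

```python
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def device_code_policy(require_compliant_device=False, report_only=True):
    """Build a Conditional Access policy body aimed at the device code flow.

    The 'authenticationFlows' condition matches sign-ins that use the OAuth 2.0
    device authorization grant. By default the policy blocks that flow for every
    user and every application; with require_compliant_device=True it instead
    requires an Intune-compliant device (the "managed devices only" variant).
    """
    grant = ["compliantDevice"] if require_compliant_device else ["block"]
    return {
        "displayName": "Block OAuth device code flow",  # assumed name
        # Start in report-only mode: the sign-in logs then show what *would* be
        # blocked, so the policy can be checked before it is enforced.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            # Keep a break-glass admin account in excludeUsers before enforcing.
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": grant},
    }


def create_policy(body, access_token):
    """POST the policy to Graph; the token needs Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Print the body only; replace <GRAPH_ACCESS_TOKEN> with a real admin token
    # and call create_policy(...) to apply it.
    print(json.dumps(device_code_policy(), indent=2))
```

Running it with the default arguments prints the blocking policy in report-only state; switch to `report_only=False` once the report-only results show no legitimate device code sign-ins.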

Monitor for unusual token activity. Your IT team or managed service provider should be watching for anomalous sign-in patterns, especially token-based access from unfamiliar locations or devices, bulk email access via API, and new inbox rules created by external sessions.
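The monitoring check above, as an added example that is not part of the original article: a Python pass over Entra sign-in records in the shape of the Graph `signIns` resource (its `authenticationProtocol` field reports `deviceCode` for the device authorization grant), flagging every device code sign-in and rating it higher when it comes from outside the user's usual country, from a device not marked compliant, or with no conditional access policy applied. The sample records, user names and IP addresses are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of Graph /auditLogs/signIns,
# limited to the fields the check uses. Not real log data.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "jdoe@example.com", "createdDateTime": "2026-04-10T13:02:11Z",
  "ipAddress": "203.0.113.7", "appDisplayName": "Microsoft 365",
  "authenticationProtocol": "oAuth2", "conditionalAccessStatus": "success",
  "location": {"countryOrRegion": "US"}, "deviceDetail": {"isCompliant": true}},
 {"userPrincipalName": "jdoe@example.com", "createdDateTime": "2026-04-10T13:05:40Z",
  "ipAddress": "198.51.100.23", "appDisplayName": "Microsoft Office",
  "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied",
  "location": {"countryOrRegion": "NL"}, "deviceDetail": {"isCompliant": false}},
 {"userPrincipalName": "asmith@example.com", "createdDateTime": "2026-04-10T14:00:00Z",
  "ipAddress": "203.0.113.9", "appDisplayName": "Azure CLI",
  "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "success",
  "location": {"countryOrRegion": "US"}, "deviceDetail": {"isCompliant": true}}
]""")


def device_code_findings(signins):
    """Return one finding per device code sign-in, rated medium or high.

    Baseline per user = countries seen in that user's non-device-code sign-ins
    in the same batch. A device code sign-in from outside the baseline, from a
    non-compliant device, or with no conditional access policy applied is
    'high'; a bare device code sign-in is 'medium' and still worth a look.
    """
    baseline = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        reasons = ["device code flow used"]
        if baseline[user] and country not in baseline[user]:
            reasons.append(f"country {country} not in user's baseline")
        if not s["deviceDetail"].get("isCompliant"):
            reasons.append("device not marked compliant")
        if s["conditionalAccessStatus"] == "notApplied":
            reasons.append("no conditional access policy applied")
        findings.append({"user": user, "time": s["createdDateTime"],
                         "ip": s["ipAddress"], "app": s["appDisplayName"],
                         "severity": "high" if len(reasons) > 1 else "medium",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["user"], f["time"], f["ip"], "; ".join(f["reasons"]))
```

On the sample batch the second record (jdoe, NL, unmanaged device, no policy applied) comes out high and the Azure CLI sign-in comes out medium; in production the records would come from a Graph `/auditLogs/signIns` query filtered on `authenticationProtocol eq 'deviceCode'`.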

Update your security awareness training. Most phishing training still focuses on spotting fake login pages. Your team needs to understand that a real Microsoft login page can still be part of a phishing attack. Train specifically on device code phishing scenarios, including the “enter this code” prompt that should be a red flag if they didn’t initiate it.

The Bigger Picture

Phishing is evolving faster than most firms’ defenses. Attackers aren’t trying to trick you into entering your password on a fake website anymore. They’re using Microsoft’s own infrastructure against you.

MFA is still important. Keep it on everything. But treat it as one layer, not the whole strategy. Conditional access, device compliance, phishing-resistant authentication, and active monitoring are what close the gaps that MFA alone can’t cover.

Wondering whether your firm is protected against device code phishing? Artech Solutions helps Iowa law firms secure their Microsoft 365 environments with conditional access policies, phishing-resistant MFA, and 24/7 threat monitoring. Let’s talk.