What "New EvilTokens Service Fuels Microsoft Device Code Phishing" Means for Subic Bay Businesses

A logistics company operating near the SBMA freeport got locked out of their Microsoft 365 account last quarter — not because of a weak password, but because someone on their team approved a login they thought was routine.
That's exactly the attack EvilTokens is designed to trigger, and it's now available as a packaged kit that even low-skill attackers can run.
Why Device Code Phishing Bypasses What You Already Have
This attack doesn't ask you to type a password into a fake login page. Instead, it tricks someone on your team into approving a device authentication request — the same kind Microsoft uses for printers, shared screens, or remote setups.
Your existing spam filter won't catch it. The request looks completely legitimate because it is a real Microsoft flow, one the attacker is abusing rather than imitating.
Once approved, the attacker holds a valid session token. They're inside your email, your Teams, your SharePoint — without ever knowing your password.
Key Insight
Session token theft is why resetting a compromised password often doesn't immediately stop an active attacker — the token stays valid until it expires or is revoked manually.
What Your Team Should Do Before This Hits
You don't need enterprise-level tools to reduce your exposure — but you do need specific actions taken now, not after an incident.
- Disable device code flow in Azure AD if you don't use shared kiosks
- Enable Conditional Access policies that flag unfamiliar token requests
- Brief staff: never approve auth codes they didn't personally initiate
- Review active Microsoft 365 sessions monthly for unknown devices
- Turn on Microsoft's sign-in risk alerts under Identity Protection
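As an added example (not from the original article and not Microsoft's own code), the sketch below supports the device code and session review steps above: it scans exported sign-in records for successful device code sign-ins and flags those from accounts not expected to use that flow. It assumes records shaped like Microsoft Graph beta signIn objects with an `authenticationProtocol` field; the sample data, the allow list and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records, not real tenant data. Assumption: the export
# follows the Microsoft Graph beta signIn shape; only fields used here appear.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2025-01-06T01:12:00Z", "userPrincipalName": "kiosk@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
  "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "dev-001"}},
 {"createdDateTime": "2025-01-07T03:40:00Z", "userPrincipalName": "Ops@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
  "status": {"errorCode": 0}, "deviceDetail": {"deviceId": ""}},
 {"createdDateTime": "2025-01-07T03:55:00Z", "userPrincipalName": "hr@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
  "status": {"errorCode": 50126}, "deviceDetail": {"deviceId": ""}},
 {"createdDateTime": "2025-01-08T08:00:00Z", "userPrincipalName": "ops@example.com",
  "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
  "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "dev-002"}}
]""")

# Hypothetical allow list: accounts expected to use device code flow (e.g. kiosks).
APPROVED_DEVICE_CODE_USERS = {"kiosk@example.com"}

def device_code_signins(records):
    """Yield successful sign-ins that used the device code flow."""
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if (rec.get("status") or {}).get("errorCode", 0) != 0:
            continue  # failed attempts issued no token
        yield rec

def review(records, approved=APPROVED_DEVICE_CODE_USERS):
    """Return {user: [findings]} for device code sign-ins that need a human look."""
    findings = defaultdict(list)
    for rec in device_code_signins(records):
        user = rec["userPrincipalName"].lower()
        reasons = []
        if user not in approved:
            reasons.append("user not on device code allow list")
        if not (rec.get("deviceDetail") or {}).get("deviceId"):
            reasons.append("no registered device id")
        if reasons:
            findings[user].append({"time": rec["createdDateTime"],
                                   "ip": rec.get("ipAddress"), "reasons": reasons})
    return dict(findings)

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_SIGNINS), indent=2))
```

An empty result over a month of real sign-in data is also a useful answer: it suggests nobody depends on device code flow and it can be disabled without disruption.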
Pro Tip
If your Subic Bay office relies on a single IT person or shared admin account, a single approved token request can hand over access to your entire Microsoft tenant. That's a full business email compromise waiting to happen.
Keeping Your Microsoft 365 Accounts Out of Someone Else's Hands
This threat is already circulating in Southeast Asian targets, and SBMA-based firms running logistics, BPO, or port services are exactly the profile attackers look for.
Awareness alone isn't enough — your Microsoft tenant settings need to match the threat level you're actually facing.
Quick Win
Log into Microsoft 365 admin today and check for any unrecognized active sessions.
If you want a proper review of your Microsoft 365 security posture, our team at WNS5.tech is based in Olongapo and ready — visit our services page to get started.