New, from me: Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/

After the EvilTokens PhaaS made some headlines last week for being able to phish M365 device codes, Push Security says there's actually 10 of these phishing kits used in the wild... a new rising trend, with device code phishing going up by 37.5 times this year

https://pushsecurity.com/blog/device-code-phishing#id-what-were-seeing-in-the-wild_id-sharefile

(pushsecurity.com) Device Code Phishing Enters Mainstream Adoption: 10 Active Kits, PhaaS Proliferation, and the Bypass of All Authentication Controls

Device code phishing has surged 37.5x, becoming a mainstream criminal attack vector—bypassing MFA, passkeys, and all authentication controls via OAuth 2.0 Device Authorization Grant abuse.

In brief - Ten phishing kits, including the PhaaS EvilTokens, now weaponize this technique. Russia-linked Storm-2372 and Scattered Lapsus$ Hunters are actively targeting Microsoft 365 and Salesforce. Block device code flows via Conditional Access and monitor for anomalous token grants.

Technically - Attackers initiate an unauthenticated POST to the device authorization endpoint, phish victims to enter the user_code on a legitimate page, then poll for tokens. Kits like EvilTokens (Railway/Cloudflare Workers) abuse first-party Microsoft apps (FOCI-enabled) to harvest Primary Refresh Tokens. Mitigate by pre-creating service principals, enforcing user assignment, and deploying browser-level detection for device_code polling loops.

Source: https://pushsecurity.com/blog/device-code-phishing/

#Cybersecurity #ThreatIntel