Why This Matters Now: In December 2024, a new Phishing-as-a-Service platform called EvilTokens emerged, specifically targeting Microsoft accounts. It matters because it lowers the bar for sophisticated phishing: an operator with little technical skill can now stand up a convincing Microsoft login page, harvest credentials and take over accounts. Since its launch, several high-profile organizations have reported attempted takeovers, which is why the defensive measures below are urgent.
Understanding EvilTokens
EvilTokens is a Phishing-as-a-Service (PaaS) platform that simplifies the process of launching phishing attacks to steal Microsoft account credentials. Unlike traditional phishing attacks that require significant technical expertise, EvilTokens provides pre-built templates and tools that anyone can use to create convincing phishing pages and distribute them via various channels.
How EvilTokens Works
- Template Creation: Attackers select a template that mimics a legitimate Microsoft login page. The templates are customizable so the page matches the branding and layout of Microsoft's official sign-in interface.
- Domain Setup: EvilTokens offers domain registration or lets attackers bring an existing domain. Either way the page is served from a domain the attacker controls rather than from Microsoft, which remains the one detail a careful user can still check.
- Credential Harvesting: Once a user enters their credentials on the phishing page, EvilTokens captures the username and password and stores them in a database the attacker can read.
- Account Takeover: With the stolen credentials, attackers sign in to the victim's Microsoft account and gain access to email, Office 365 and any other service that trusts that identity, unless multi-factor authentication blocks the sign-in.
Timeline of Events
- First reports of phishing attempts using EvilTokens.
- EvilTokens launches publicly, offering the full service to attackers.
- Several high-profile organizations report successful takeovers.
Technical Details
OAuth Flow Vulnerabilities
Beyond plain credential theft, EvilTokens also abuses the OAuth authorization flow. A phishing link sends the victim to Microsoft's real authorization endpoint on behalf of an attacker-controlled application; if the victim grants the requested permissions, the attacker receives an access token and can act on the account without ever seeing the password. Relying parties have a weak spot of their own: an OAuth callback that does not verify the state parameter accepts authorization responses it never requested, which is the defect in the code below.
Incorrect OAuth Implementation
Here’s an Express/passport-oauth2 relying party with two defects. It sends no state parameter, so its callback will accept an authorization code an attacker obtained for their own account and planted in the victim's browser (login CSRF: the victim's session ends up bound to the attacker's Microsoft identity, or the attacker's to the victim's). And its callback URL is plain http, so the authorization code crosses the network unencrypted:
// Incorrect OAuth implementation
const express = require('express');
const app = express();
const passport = require('passport');
const OAuth2Strategy = require('passport-oauth2').Strategy;
passport.use(new OAuth2Strategy({
  authorizationURL: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
  tokenURL: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
  clientID: 'YOUR_CLIENT_ID',
  clientSecret: 'YOUR_CLIENT_SECRET',
  // Flaw 2: plain http callback, so the authorization code travels unencrypted
  callbackURL: 'http://yourapp.com/auth/microsoft/callback'
  // Flaw 1: no `state` option, so the callback below accepts any code presented
  // to it, including one an attacker planted in the victim's browser
},
function(accessToken, refreshToken, profile, cb) {
  // User is the application's own model (not shown on this page)
  User.findOrCreate({ microsoftId: profile.id }, function (err, user) {
    return cb(err, user);
  });
}));
app.get('/auth/microsoft',
  passport.authenticate('oauth2'));
app.get('/auth/microsoft/callback',
  passport.authenticate('oauth2', { failureRedirect: '/login' }),
  function(req, res) {
    // Successful authentication, redirect home.
    res.redirect('/');
  });
app.listen(3000);
Correct OAuth Implementation
The fix is to let the strategy issue a fresh random state for every authorization request, keep it in the user's server-side session and compare it on the callback, and to add PKCE. A single state value generated once at process start would be shared by every user and would verify nothing:
// Correct OAuth implementation
const express = require('express');
const session = require('express-session');
const passport = require('passport');
const OAuth2Strategy = require('passport-oauth2').Strategy;
const app = express();
// passport-oauth2 keeps the per-request state value in req.session and
// compares it on the callback, so a server-side session is required.
app.use(session({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: { secure: true, httpOnly: true, sameSite: 'lax' }
}));
app.use(passport.initialize());
passport.use(new OAuth2Strategy({
  authorizationURL: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
  tokenURL: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
  clientID: 'YOUR_CLIENT_ID',
  clientSecret: 'YOUR_CLIENT_SECRET',
  // Register exactly this HTTPS URL with the application; Microsoft rejects others.
  callbackURL: 'https://yourapp.com/auth/microsoft/callback',
  // state: true -> a fresh random state per authorization request, stored in
  // the session and checked on the callback. Never generate one value at
  // startup and reuse it for every user; that defeats the check.
  state: true,
  // pkce: true -> a per-request code_verifier/code_challenge pair (S256), so an
  // intercepted authorization code cannot be redeemed by anyone else.
  pkce: true
},
function(accessToken, refreshToken, profile, cb) {
  // User is the application's own model (not shown on this page)
  User.findOrCreate({ microsoftId: profile.id }, function (err, user) {
    return cb(err, user);
  });
}));
app.get('/auth/microsoft',
  passport.authenticate('oauth2'));
app.get('/auth/microsoft/callback',
  passport.authenticate('oauth2', { failureRedirect: '/login' }),
  function(req, res) {
    // Successful authentication, redirect home.
    res.redirect('/');
  });
app.listen(3000);
Phishing Page Design
EvilTokens provides pre-built phishing pages that closely resemble Microsoft’s official login interface. The lure does not have to be a lookalike page, though: a link can send the victim to Microsoft's real authorization endpoint with the attacker's own client_id and redirect_uri, so the address bar shows login.microsoftonline.com while the resulting authorization code is delivered to the attacker's host. For this to work the attacker must have registered that application with Microsoft, because Microsoft only redirects to redirect URIs registered for the client_id, and the victim is shown a consent prompt naming that application. Here’s an example of such a URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=http%3A%2F%2Feviltokens.com%2Fcallback&state=STATE&scope=openid%20profile%20email
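Everything that makes a link like this dangerous is in its query string, so it can be triaged mechanically before anyone clicks. The added example below (my code, not part of the EvilTokens kit or of any Microsoft tooling) parses an authorization URL and reports the client_id, where the code would be delivered, the scopes requested and anything that should raise suspicion. The allow-lists, the high-risk scope set and the sample links other than the page's own are constructed for illustration; the `triageAuthorizeLink` name is hypothetical.

```javascript
// Added example: triage an OAuth authorization link before anyone clicks it.
// Allow-lists, the risky-scope set and the sample links are constructed here.
const KNOWN_AUTHORIZE_HOSTS = new Set(['login.microsoftonline.com', 'login.live.com']);
// Redirect hosts used by applications we registered ourselves (hypothetical).
const TRUSTED_REDIRECT_HOSTS = new Set(['yourapp.com']);
// Scopes that grant standing access to mail or files, or a refresh token.
const HIGH_RISK_SCOPES = new Set([
  'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All',
  'Files.ReadWrite.All', 'offline_access',
]);

function triageAuthorizeLink(link) {
  const u = new URL(link);
  const p = u.searchParams;
  const findings = [];

  if (!KNOWN_AUTHORIZE_HOSTS.has(u.hostname)) {
    findings.push(`authorization endpoint ${u.hostname} is not a Microsoft login host`);
  }

  // Where will the authorization code be delivered?
  let redirect = null;
  if (p.get('redirect_uri')) {
    redirect = new URL(p.get('redirect_uri'));
    if (redirect.protocol !== 'https:') {
      findings.push(`redirect_uri uses ${redirect.protocol.slice(0, -1)}, not https`);
    }
    if (!TRUSTED_REDIRECT_HOSTS.has(redirect.hostname)) {
      findings.push(`redirect_uri host ${redirect.hostname} is not one of ours: the code would go there`);
    }
  } else {
    findings.push('no redirect_uri');
  }

  // What would the application be allowed to do once consent is granted?
  const scopes = (p.get('scope') || '').split(/\s+/).filter(Boolean);
  const risky = scopes.filter((s) => HIGH_RISK_SCOPES.has(s));
  if (risky.length) findings.push(`high-impact scopes requested: ${risky.join(', ')}`);

  if (!p.get('state')) findings.push('no state parameter (relying party cannot bind the response)');

  return {
    clientId: p.get('client_id'),
    redirectHost: redirect ? redirect.hostname : null,
    scopes,
    findings,
    verdict: findings.length ? 'SUSPICIOUS' : 'ok',
  };
}

// Constructed samples: the link from this article, a legitimate request from
// our own app, and a consent-phishing link asking for mailbox access
// (the client_id in the last one is a made-up placeholder).
const SAMPLE_LINKS = {
  article: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=http%3A%2F%2Feviltokens.com%2Fcallback&state=STATE&scope=openid%20profile%20email',
  legit: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=https%3A%2F%2Fyourapp.com%2Fauth%2Fmicrosoft%2Fcallback&scope=openid%20profile%20email&state=3b1f',
  consent: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Fevil.example%2Fcb&scope=openid%20offline_access%20Mail.ReadWrite&state=x',
};

for (const [name, link] of Object.entries(SAMPLE_LINKS)) {
  const r = triageAuthorizeLink(link);
  console.log(`${name}: ${r.verdict} ${r.findings.join(' | ')}`);
}
```

The page's own link is flagged twice (an http redirect and a redirect host that is not ours), while the consent-phishing sample is caught by the untrusted redirect host and by offline_access plus Mail.ReadWrite, the combination that gives an attacker durable mailbox access.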
Credential Harvesting
Once a user enters their credentials on the phishing page, EvilTokens captures the submitted form and stores it for the operator. Here’s an example of how the capture might look on the kit's side:
// Example of credential harvesting (the kit's server side)
const express = require('express');
const app = express();
app.use(express.urlencoded({ extended: false })); // parse the HTML form post
app.post('/login', (req, res) => {
  const username = req.body.username;
  const password = req.body.password;
  // Persist what the victim typed; the operator reads it back later
  storeCredentials(username, password);
  // Redirect so the victim sees nothing unusual
  res.redirect('/thankyou');
});
function storeCredentials(username, password) {
  // Writes the submitted pair to the kit's database
  // Example: db.insert({ username, password });
}
Account Takeover
With the stolen credentials, attackers can log into the victim’s Microsoft account and perform various actions. A password gives the attacker an interactive sign-in, if no MFA challenge stops it; a token obtained through consent phishing skips the sign-in entirely and lets the attacker call Microsoft Graph directly, indistinguishable from the application the victim approved. Here’s an example of how an attacker might use such a token:
// Example of using a stolen access token against the Microsoft Graph API
const axios = require('axios');
async function getProfile(accessToken) {
  try {
    // Same request a legitimate client makes; Graph cannot tell the token was stolen
    const response = await axios.get('https://graph.microsoft.com/v1.0/me', {
      headers: {
        'Authorization': `Bearer ${accessToken}`
      }
    });
    console.log(response.data);
  } catch (error) {
    // A 401 here usually means the token has expired or been revoked
    console.error(error);
  }
}
getProfile('STOLEN_ACCESS_TOKEN');
Mitigation Strategies
Multi-Factor Authentication (MFA)
Implementing MFA adds an extra layer of security, making it much harder for attackers to gain unauthorized access. The steps below are for a personal Microsoft account; in an Entra ID (Azure AD) tenant, enforce MFA for everyone through Security Defaults or Conditional Access instead of relying on each user. Choose the method with care: any MFA stops an attacker who holds only a harvested password, but kits that relay the live login session can pass SMS codes and push approvals straight through, so prefer phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) at least for privileged accounts. Here’s how to enable MFA for a Microsoft account:
- Sign in to your Microsoft account.
- Go to Security settings.
- Enable MFA and follow the prompts to set up your preferred method (e.g., phone number, authenticator app).
Regular Audits
Regularly audit your OAuth implementations to identify and fix vulnerabilities. Here’s an example of an audit checklist:
- Check that the state parameter is generated per request, bound to the user's session and validated on the callback
- Use PKCE (S256) with the authorization-code flow
- Register exact HTTPS redirect URIs with the identity provider and never accept a redirect_uri supplied at runtime
- Ensure that access and refresh tokens are stored securely (server side, encrypted at rest, never in browser local storage)
- Review OAuth scopes to ensure each one is necessary
- Implement logging and monitoring for suspicious activity: consent grants to unfamiliar applications, sign-ins from unusual locations, newly created inbox rules
Educate Users
Educating users about phishing risks is crucial in preventing successful attacks. Here are some tips to share with your users:
- Be cautious of unsolicited emails and messages.
- Check the domain before entering credentials: Microsoft's real sign-in is served from login.microsoftonline.com or login.live.com, and a consent prompt names the application asking for access; read that name.
- Use strong, unique passwords.
- Enable MFA on all accounts.
Comparison of Security Measures
| Approach | Pros | Cons | Use When |
|---|---|---|---|
| MFA | Adds extra security; phishing-resistant methods defeat relayed logins | May inconvenience users; SMS and push can be relayed | All accounts; phishing-resistant methods for admins |
| Regular Audits | Identifies vulnerabilities | Requires time and resources | Production environments |
| User Education | Reduces risk of successful attacks | Continuous effort required | All users |
📋 Quick Reference
- enableMFA() - Enables Multi-Factor Authentication for an account
- auditOAuth() - Performs a security audit of OAuth implementations
- educateUsers() - Provides training on phishing prevention
Conclusion
EvilTokens represents a significant threat to Microsoft account security. By understanding how it works and implementing robust security measures, you can protect your applications and users from unauthorized access. Enable MFA, conduct regular audits, and educate your users to stay ahead of phishing attacks.
🎯 Key Takeaways
- EvilTokens is a new Phishing-as-a-Service platform targeting Microsoft accounts
- Implement Multi-Factor Authentication to enhance security
- Regularly audit your OAuth implementations to identify vulnerabilities
- Educate users about phishing risks to reduce successful attacks

