Outlook Calendar Invite Phishing Campaign (EvilTokens) Steals M365 Session Tokens, Bypasses MFA
What Happened — Attackers are leveraging malicious Outlook calendar invites together with the publicly‑available EvilTokens kit to harvest Microsoft 365 tokens issued through the OAuth device‑code flow. Because the victim completes the sign‑in (including MFA) themselves, the stolen tokens grant persistent access to the user's session, effectively bypassing multi‑factor authentication (MFA).
Why It Matters for TPRM —
- Session‑token theft circumvents MFA, exposing all SaaS workloads tied to a compromised M365 account.
- A single compromised account can be used to pivot to other cloud services (SharePoint, Teams, Power BI), amplifying risk.
- The EvilTokens kit is open‑source, lowering the barrier for opportunistic threat actors and increasing the probability of widespread abuse.
Who Is Affected — Enterprises of any industry that rely on Microsoft 365 for email, calendar, and collaboration.
Recommended Actions —
- Enforce Conditional Access policies that restrict device‑code OAuth flows to trusted IP ranges or require additional verification.
- Deploy anti‑phishing solutions that inspect calendar invite payloads and block suspicious URLs.
- Conduct user awareness training focused on verifying unexpected meeting requests and avoiding “click‑to‑join” links.
- Monitor Azure AD sign‑in logs for anomalous device‑code token requests and enable Microsoft Defender for Cloud Apps alerts.
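The monitoring recommendation above can be turned into a concrete check. The following Python script is an added example, not code from the HackRead article or from the EvilTokens kit: it reads a constructed JSON‑lines export shaped like Microsoft Graph `signIn` records (field names such as `authenticationProtocol`, `ipAddress` and `status.errorCode` follow the Graph schema; the values, the user names and the `10.20.0.0/16` "trusted corporate egress" range are made up for this example) and flags every device‑code sign‑in that did not originate from a trusted range, so an analyst can see at a glance which accounts completed a device‑code flow from an unexpected location.

```python
"""Flag device-code OAuth sign-ins from outside trusted IP ranges.

Added example for the advisory above. Input is a JSON-lines export whose
records mimic Microsoft Graph `signIn` objects; the sample below is
constructed and the trusted range is an assumed corporate egress block.
"""
import ipaddress
import json
from collections import Counter

# Constructed sample: four sign-in records. Only the field names are real
# (Graph signIn resource); every value is invented for this example.
SAMPLE_LOG = """
{"createdDateTime": "2025-01-10T08:02:11Z", "userPrincipalName": "alice@example.com", "ipAddress": "10.20.0.15", "appDisplayName": "Microsoft Office", "authenticationProtocol": "authorizationCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-10T08:05:42Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.77", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-10T08:06:03Z", "userPrincipalName": "bob@example.com", "ipAddress": "10.20.0.31", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-10T08:09:55Z", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
"""

# Assumed trusted egress range; replace with the organisation's real ranges.
TRUSTED_RANGES = [ipaddress.ip_network("10.20.0.0/16")]


def parse_signins(text):
    """Parse a JSON-lines export into a list of sign-in dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted(ip_text, trusted_ranges):
    """True if the address parses and falls inside one of the trusted ranges.
    Unparseable or missing addresses are treated as untrusted, never ignored."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except (ValueError, TypeError):
        return False
    return any(ip in net for net in trusted_ranges)


def find_suspicious_device_code_signins(records, trusted_ranges):
    """Return device-code sign-ins from outside the trusted ranges.

    Each hit keeps the user, source IP, time, app and whether the sign-in
    succeeded (Graph reports errorCode 0 on success); failures are still
    reported because a burst of failed device-code attempts is itself a signal.
    """
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if is_trusted(rec.get("ipAddress"), trusted_ranges):
            continue
        hits.append({
            "userPrincipalName": rec.get("userPrincipalName"),
            "ipAddress": rec.get("ipAddress"),
            "createdDateTime": rec.get("createdDateTime"),
            "appDisplayName": rec.get("appDisplayName"),
            "succeeded": rec.get("status", {}).get("errorCode", -1) == 0,
        })
    return hits


def summarize_by_user(hits):
    """Count successful untrusted device-code sign-ins per user; these are the
    accounts whose tokens should be revoked and sessions reviewed first."""
    return dict(Counter(h["userPrincipalName"] for h in hits if h["succeeded"]))


if __name__ == "__main__":
    flagged = find_suspicious_device_code_signins(parse_signins(SAMPLE_LOG), TRUSTED_RANGES)
    for h in flagged:
        outcome = "SUCCESS" if h["succeeded"] else "failed"
        print(f'{h["createdDateTime"]} {h["userPrincipalName"]} from {h["ipAddress"]} '
              f'via device code ({h["appDisplayName"]}): {outcome}')
    print("successful untrusted device-code sign-ins per user:", summarize_by_user(flagged))
```

On the sample data the script reports alice (successful device‑code sign‑in from a non‑corporate address, the case the advisory describes) and carol (a failed attempt), while bob's device‑code sign‑in from the trusted range is not flagged. In production the same logic can be fed from a Graph `auditLogs/signIns` export or a SIEM query; the point is that `authenticationProtocol` alone is a weak signal, and combining it with source‑network context is what makes the alert actionable.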
Technical Notes — Attack vector: phishing via Outlook calendar invites; exploitation of the OAuth 2.0 device‑code flow to obtain session tokens; no specific CVE involved. Data at risk includes authentication tokens, email content, and any files shared through compromised sessions. Source: HackRead