Phishing is evolving: new scam uses genuine Microsoft logins

June 15, 2026

Security researchers at ESET warn of a new generation of phishing attacks

IT security firm ESET warns of a new attack method that marks a fundamental shift in phishing. Instead of stealing passwords or using fake login pages, cybercriminals are exploiting legitimate login processes on major platforms such as Microsoft and can even target users with two-factor authentication enabled.

Anyone who watches out for suspicious emails and fake websites is no longer automatically on the safe side. A recent example is the attack campaign known as “EvilTokens”. In this scheme, users are redirected to genuine Microsoft pages and tricked into entering a login code or confirming a login. What looks like a standard authentication process actually grants the attackers access to the account.

Phishing is evolving from password theft to identity theft

For many years, phishing followed a similar pattern: criminals attempted to lure users to fake websites to steal passwords or credit card details. Modern security mechanisms and greater user awareness have made such attacks significantly more difficult. In response, cybercriminals are changing their tactics. Instead of stealing login credentials, they are increasingly tricking their victims into granting access rights or authorising logins themselves.

“We are currently witnessing an evolution in phishing. Previously, attackers tried to steal passwords. Today, they trick their victims into granting access themselves. This turns the user from a target into a tool of the attack,” explains Philipp Plum, security expert at ESET.

According to Microsoft, multi-factor authentication blocks more than 99 per cent of automated attacks on user accounts. This is precisely why cybercriminals are shifting to flows in which the victim completes the MFA challenge on the attacker's behalf: rather than stealing a password, they persuade the user to approve a sign-in or actively grant access rights.

Genuine sign-in, genuine login, genuine fraud

What is particularly insidious about the current wave of attacks is that victims do not visit fake websites. Instead, the login takes place via official Microsoft services. To this end, cybercriminals send emails or messages containing references to supposedly important documents, approvals or notifications. Recipients are asked to enter a code or confirm a login.

The key difference from classic phishing attacks: the code the victim is asked to enter was not issued for anything the victim did. It belongs to an authorisation session the attacker started beforehand, and only the attacker holds the matching secret half of that session. When the victim types the code on the genuine Microsoft page and passes MFA there, the identity provider binds the victim's account to the attacker's session. By confirming, the victim unwittingly authorises the criminal's access.
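The mechanism described above matches the OAuth 2.0 device authorization grant (RFC 8628), which Microsoft's sign-in page supports for keyboard-less devices. The following is an added walk-through, not code from ESET or from the EvilTokens campaign: a mock authorization server and three steps (attacker starts the flow, victim approves the code with MFA, attacker polls and receives tokens for the victim's account). Endpoint names and error strings follow RFC 8628; the 15-minute code lifetime, the client identifier, the scopes and the placeholder verification URI are assumptions chosen for the simulation, and nothing is sent over the network.

```python
"""Device-code phishing walk-through (constructed example, RFC 8628 shape).

The server below stands in for the identity provider. It never sees who
started a session; it only sees a genuine, MFA-backed approval of a code.
"""
import secrets

DEVICE_CODE_LIFETIME = 15 * 60  # seconds; assumed lifetime, real servers expire codes too


class MockAuthorizationServer:
    def __init__(self, now):
        self.now = now                 # injectable clock so the flow is reproducible
        self.sessions = {}             # device_code -> session state
        self.by_user_code = {}         # user_code   -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1 (attacker): start the flow and receive BOTH codes.

        device_code is the secret half kept by the attacker; user_code is the
        short value that ends up in the lure email."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()          # e.g. "9F3A1C07"
        self.sessions[device_code] = {
            "user_code": user_code, "client_id": client_id, "scope": scope,
            "issued": self.now(), "approved_by": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",  # placeholder, assumption
                "expires_in": DEVICE_CODE_LIFETIME, "interval": 5}

    def user_approves(self, user_code, username, mfa_ok):
        """Step 2 (victim): type the code on the genuine page and pass MFA.

        Nothing here distinguishes a legitimate approval from a phished one;
        the only protections the server can offer are expiry and the MFA check."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        session = self.sessions[device_code]
        if self.now() - session["issued"] > DEVICE_CODE_LIFETIME:
            return "expired_token"
        if not mfa_ok:
            return "mfa_failed"
        session["approved_by"] = username
        return "approved"

    def token(self, device_code, client_id):
        """Step 3 (attacker): poll the token endpoint until the victim approves."""
        session = self.sessions.get(device_code)
        if session is None or session["client_id"] != client_id:
            return {"error": "invalid_grant"}          # device_code is bound to the client
        if self.now() - session["issued"] > DEVICE_CODE_LIFETIME:
            return {"error": "expired_token"}
        if session["approved_by"] is None:
            return {"error": "authorization_pending"}  # keep polling
        # Tokens are issued for the VICTIM's account; the attacker never saw a password.
        return {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer",
                "scope": session["scope"], "subject": session["approved_by"]}


def simulate_phish(victim="victim@example.com", victim_delay=60):
    """Run the three steps on a fake clock. Returns (first poll, approval, final poll)."""
    clock = [1_000_000.0]
    srv = MockAuthorizationServer(now=lambda: clock[0])
    dev = srv.device_authorization(client_id="attacker-client", scope="Mail.Read Files.Read")
    first_poll = srv.token(dev["device_code"], "attacker-client")   # pending: lure not yet acted on
    clock[0] += victim_delay                                         # victim reads the email...
    approval = srv.user_approves(dev["user_code"], victim, mfa_ok=True)
    final = srv.token(dev["device_code"], "attacker-client")
    return first_poll, approval, final


if __name__ == "__main__":
    _, approval, final = simulate_phish()
    print(approval, final)
    _, approval, final = simulate_phish(victim_delay=DEVICE_CODE_LIFETIME + 1)
    print(approval, final)   # a victim who waits past expiry hands over nothing
```

The second run shows the one structural limit of the technique: the code is only useful while the attacker's session is alive, which is why the lures push for immediate action.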

Security researchers from Sekoia, Microsoft and Huntress have reported a growing number of such campaigns in recent months. According to Huntress, several hundred organisations have already been affected. Attacks have been observed in the US, Canada, Australia, New Zealand and Germany, amongst other places.

Why even two-factor authentication is not always enough

This method demonstrates that modern cyberattacks increasingly rely on manipulating people rather than exploiting technical vulnerabilities. Because the authorisation is granted by the legitimate user, and the MFA challenge is passed by that user, the identity provider treats the transaction as legitimate. This allows attackers to obtain valid access tokens and read emails, files or other cloud services without ever knowing the password; the tokens remain usable until they expire or are revoked, so a later password change alone does not end the access.

“Many security policies are based on the assumption that fake websites or stolen passwords pose the greatest threat. EvilTokens shows that attackers are now abusing legitimate services and deliberately exploiting users’ trust in familiar platforms,” says Plum.

How users can protect themselves

ESET recommends that users always question unexpected requests to enter login or device codes. Users should check why authentication is required and which application is to be granted access to their account.

Particular caution is advised when messages create a sense of urgency or demand immediate confirmation. If in doubt, users should cancel the request and contact the supposed sender via a known communication channel.

Companies should regularly raise their employees' awareness of modern phishing methods. Because the most important rule has changed: a genuine login page no longer guarantees that the request behind it is legitimate.
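For the organisational side of the advice above, the sign-ins this technique produces are identifiable after the fact: the token is issued through the device-code protocol, usually from an IP address and country the user has never signed in from interactively. The following detection is an added example, not ESET's or Microsoft's code. The log lines are constructed, and the field names (userPrincipalName, authenticationProtocol, appDisplayName, ipAddress, location.countryOrRegion, createdDateTime) are assumptions modelled on the shape of Microsoft Entra sign-in records; adapt them to the export you actually have.

```python
"""Flag device-code sign-ins and rank them against each user's interactive baseline.

Constructed sample log; field names are assumptions modelled on Entra sign-in
records and may need mapping to your own export.
"""
import json
from collections import defaultdict

# Constructed sample: two users, one ordinary sign-in each, then one deviceCode
# sign-in each. Alice's comes from a country she has never used; Bob's does not.
SAMPLE_LOG = """
{"createdDateTime": "2026-06-10T08:02:11Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "DE"}}
{"createdDateTime": "2026-06-10T09:47:30Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker", "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NL"}}
{"createdDateTime": "2026-06-10T13:15:02Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2026-06-10T13:20:45Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI", "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "US"}}
"""


def parse_log(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def interactive_baseline(records):
    """Countries each user has signed in from WITHOUT the device-code protocol."""
    seen = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen


def find_device_code_signins(records):
    """Every deviceCode sign-in is a finding; one outside the user's baseline is high.

    A medium finding may be a legitimate CLI or headless device, so the app
    name and IP are carried along for the analyst to confirm."""
    baseline = interactive_baseline(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        reasons = ["deviceCode sign-in"]
        if country not in baseline.get(user, set()):
            reasons.append(f"country {country} not in user's interactive baseline")
        findings.append({
            "user": user,
            "time": r["createdDateTime"],
            "ip": r["ipAddress"],
            "app": r["appDisplayName"],
            "reasons": reasons,
            "severity": "high" if len(reasons) > 1 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(parse_log(SAMPLE_LOG)):
        print(f["severity"].upper(), f["user"], f["time"], f["ip"], f["app"], "; ".join(f["reasons"]))
```

A high finding is the signal to revoke the user's sessions and refresh tokens, not just to reset the password, since the tokens obtained this way stay valid until revoked. Where no workflow needs the device-code flow, blocking it at the identity provider removes the class of sign-in the detector is looking for.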
