EvilTokens
EvilTokens is a phishing-as-a-service (PhaaS) platform and turnkey Microsoft device code phishing kit that emerged in February 2026 and was documented by Sekoia in March 2026. It is sold via Telegram and has been linked to active Microsoft 365-focused campaigns affecting more than 340 organizations across five countries.

The platform abuses the Microsoft OAuth 2.0 device authorization grant to obtain access and refresh tokens. The operator starts the flow and the lure delivers the resulting user code to the victim, who enters it on Microsoft's legitimate device login page and satisfies any MFA prompt there; the tokens are then issued to the operator's client. This is what makes it an account takeover and a practical MFA bypass: the kit never has to intercept credentials or an MFA challenge, because the victim completes both on a genuine Microsoft page.

Reported lure themes include voicemail notifications, DocuSign and Adobe document shares, construction bids, employee benefits, and other business-themed messages.

Observed EvilTokens infrastructure and delivery tradecraft include Cloudflare Workers and workers.dev landing pages, Railway-hosted components, multi-hop redirect chains, open redirects on vulnerable domains, and abuse of trusted services such as Amazon S3, Vercel, AWS Amplify, Microsoft Dynamics 365 Customer Voice, and URL rewriting services from Cisco, Mimecast, Trend Micro, and others. Reports also describe anti-bot protections and CAPTCHA gating in associated campaigns. EvilTokens has been associated with both device code phishing and broader Microsoft 365 compromise activity used for business email compromise (BEC).

Sekoia reported that EvilTokens provides affiliates with a centralized administration panel for harvested Microsoft tokens, built-in Outlook-like webmail access, token management, collaborative user and role management, and a custom Portal Browser (also called ET Browser) for simultaneous access to multiple compromised Microsoft 365 accounts. The backend was reported to request tokens for Outlook, Graph, Azure, Substrate, and SharePoint, perform Microsoft Graph reconnaissance, and exchange harvested tokens for a Primary Refresh Token for persistence.

Sekoia also reported AI-augmented post-compromise tooling using the Groq and OpenAI APIs to analyze stolen emails, identify financial exposure, and generate tailored BEC scenarios and draft emails. Known marketed products include B2B Sender, Office 365 Capture Link, SMTP Sender, and Portal Browser. No nation-state attribution is stated in the cited reporting.
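The detection logic below is an added example written for this profile; it is not EvilTokens code, nor Sekoia's, nor a vendor rule. It assumes sign-in records shaped like Microsoft Graph auditLogs/signIns (fields userPrincipalName, authenticationProtocol, ipAddress, appDisplayName, status.errorCode), with authenticationProtocol equal to "deviceCode" marking a device authorization grant, and it runs over a constructed sample, not real telemetry. The reasoning it encodes: in a device code grant the tokens are delivered to the client that polls the token endpoint, so the sign-in record carries the operator's IP rather than the victim's browser. A device code sign-in from an IP the user has never authenticated from, and especially one IP issuing device-code tokens to several users, is the pattern an affiliate running this kit would leave.

```python
"""Flag OAuth device code sign-ins in Entra ID sign-in logs (added example)."""
import json
from collections import defaultdict

# Constructed sample records in the shape of Graph /auditLogs/signIns entries.
# Not real telemetry. Only the fields the checks below need are present.
SAMPLE_SIGNINS = """
{"userPrincipalName":"a.lee@example.com","createdDateTime":"2026-03-02T08:01:11Z","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"userPrincipalName":"a.lee@example.com","createdDateTime":"2026-03-02T09:14:30Z","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"userPrincipalName":"b.kim@example.com","createdDateTime":"2026-03-01T17:45:00Z","authenticationProtocol":"oAuth2","appDisplayName":"OfficeHome","ipAddress":"198.51.100.22","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"userPrincipalName":"b.kim@example.com","createdDateTime":"2026-03-02T10:02:05Z","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","ipAddress":"198.51.100.22","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"userPrincipalName":"c.ng@example.com","createdDateTime":"2026-03-02T11:30:00Z","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
"""


def parse_signins(ndjson_text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def is_success(record):
    return record.get("status", {}).get("errorCode") == 0


def baseline_ips(records):
    """User -> IPs seen on successful sign-ins that were NOT device code grants.

    These are the user's ordinary interactive/browser sessions and form the
    'known good' source set against which device code sign-ins are compared.
    """
    base = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and is_success(r):
            base[r["userPrincipalName"]].add(r["ipAddress"])
    return base


def find_device_code_signins(records):
    """Return one finding per device code sign-in, with an escalating severity.

    medium   - any device code grant (worth a look; many tenants can block it)
    high     - the token-polling IP is not in the user's own sign-in baseline
    critical - the same polling IP obtained device-code tokens for 2+ users,
               i.e. shared operator infrastructure rather than one odd CLI login
    """
    base = baseline_ips(records)
    device = [r for r in records if r.get("authenticationProtocol") == "deviceCode"]

    users_by_ip = defaultdict(set)
    for r in device:
        users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])

    findings = []
    for r in device:
        user, ip = r["userPrincipalName"], r["ipAddress"]
        reasons, severity = ["device code grant"], "medium"
        if ip not in base.get(user, set()):
            reasons.append("polling ip absent from user's non-device-code baseline")
            severity = "high"
        if len(users_by_ip[ip]) > 1:
            reasons.append(f"ip obtained device-code tokens for {len(users_by_ip[ip])} users")
            severity = "critical"
        findings.append({
            "user": user,
            "ip": ip,
            "app": r.get("appDisplayName"),
            "time": r.get("createdDateTime"),
            "success": is_success(r),
            "severity": severity,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f"{f['severity']:8} {f['time']} {f['user']} from {f['ip']} via {f['app']}: "
              + "; ".join(f["reasons"]))
```

In a real deployment the baseline should be built from weeks of history rather than the same file being checked, and the Azure CLI case in the sample shows why the baseline matters: a device code grant from an IP the user already signs in from is a routine administrator workflow, not this kit. Where the business has no legitimate device-code clients, the Entra Conditional Access "authentication flows" condition can block the device code flow outright, which removes the technique rather than just detecting it.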
Tradecraft
30 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Phishing-as-a-service kit operationalizing device code flow phishing against Microsoft 365, using evasive delivery chains, encrypted attachments, CAPTCHA gates, Cloudflare Workers landing pages, and post-compromise BEC-oriented workflows.
Phishing-as-a-service platform conducting Microsoft 365 device code phishing at scale, using Cloudflare Workers redirects and a portal for managing compromised accounts.
Phishing-as-a-service platform packaging OAuth device code abuse into subscription-based affiliate offerings.
Phishing-as-a-Service platform using device code phishing at scale, with infrastructure obfuscation via Cloudflare Workers and tooling to manage large numbers of compromised Microsoft 365 accounts.