EvilTokens Turns Microsoft Device Code Phishing Into a Scalable Account Takeover Service
Researchers identified EvilTokens as a new phishing-as-a-service platform built to hijack Microsoft 365 accounts by abusing Microsoft’s legitimate OAuth 2.0 device code authentication flow. Sold and operated through Telegram bots, the service gives affiliates phishing templates, email harvesting and reconnaissance features, automated Microsoft API interactions, webmail access, and mailbox triage capabilities. Victims are lured into entering attacker-supplied device codes on Microsoft’s real login page, allowing attackers to capture access and refresh tokens—and in some cases a Primary Refresh Token—without stealing passwords or directly defeating MFA.
Security teams linked a sharp rise in device code phishing to EvilTokens, describing it as the first known turnkey PhaaS offering dedicated Microsoft device code phishing pages and warning that it lowers the barrier for low-skill operators. More than 1,000 phishing domains were observed by late March, with campaigns affecting organizations worldwide and notable activity in the United States, Australia, Canada, France, India, Switzerland, and the United Arab Emirates; finance, HR, and transportation/logistics staff were highlighted as frequent targets. Researchers from Sekoia and Mnemonic urged defenders to disable or restrict unnecessary device code flows in Microsoft Entra ID, monitor device code grant sign-ins for anomalies, train users on device authentication abuse, and revoke refresh tokens when compromise is suspected.
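Detection logic for the "monitor device code grant sign-ins for anomalies" advice above, as an added example that is not code from the story or from any vendor it names: it runs over constructed Entra ID sign-in records and assumes the sign-in log's authenticationProtocol field carries the value deviceCode, which is my assumption about the schema rather than something the story states.

```python
# Added example, not from the story: flag device-code grant sign-ins in Entra ID
# sign-in logs. authenticationProtocol == "deviceCode" is assumed, not from the story.
import json

# Constructed sample sign-in events as JSON lines (not real telemetry).
SAMPLE_LOG = """\
{"userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"FR"},"createdDateTime":"2026-03-20T09:01:00Z"}
{"userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.5","location":{"countryOrRegion":"US"},"createdDateTime":"2026-03-20T09:05:00Z"}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"US"},"createdDateTime":"2026-03-20T10:00:00Z"}
not json at all
"""

# Countries the hypothetical organisation normally signs in from.
EXPECTED_COUNTRIES = {"US"}

def parse_signins(text):
    """Parse JSON-lines records; skip malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line must not hide the rest of the log
    return events

def device_code_findings(events, expected_countries=EXPECTED_COUNTRIES):
    """One finding per device-code grant: 'high' when the token was redeemed
    from an unexpected country (the user typed the code, the session started
    elsewhere), 'review' otherwise, as the grant is rare for mailbox users."""
    findings = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        country = (ev.get("location") or {}).get("countryOrRegion", "unknown")
        findings.append({
            "user": ev.get("userPrincipalName"),
            "ip": ev.get("ipAddress"),
            "country": country,
            "severity": "high" if country not in expected_countries else "review",
        })
    return findings

def users_to_revoke(findings):
    """Users whose refresh tokens should be revoked: the high-severity hits."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})

if __name__ == "__main__":
    for hit in device_code_findings(parse_signins(SAMPLE_LOG)):
        print(hit)
```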

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Push Security reports 37.5x surge in device code phishing and 11 active kits
On 2026-04-04, Push Security reported that device code phishing attacks abusing OAuth 2.0 Device Authorization Grant had increased 37.5 times in 2026. The researchers said EvilTokens was a major driver but identified at least 11 phishing kits using SaaS-themed lures, anti-bot protections, and cloud-hosted infrastructure, indicating broader criminal adoption of the technique.
EvilTokens author plans Gmail and Okta phishing support
By 2026-04-01, Sekoia reported that EvilTokens was under active development and that its author planned to add phishing pages targeting Gmail and Okta. This marked an expansion of the platform beyond Microsoft 365-focused device code phishing.
Public reporting warns of EvilTokens-driven rise in device code phishing
On 2026-03-31, public reports disclosed EvilTokens as a new phishing-as-a-service platform and warned of a notable increase in Microsoft 365 device code phishing tied to the toolkit. The reporting also shared mitigations such as restricting device code flows, monitoring sign-ins, and revoking refresh tokens after suspected compromise.
More than 1,000 EvilTokens phishing domains observed
By 2026-03-23, researchers had observed more than 1,000 phishing domains associated with EvilTokens. Reported targeting included organizations in the United States, Australia, Canada, France, India, Switzerland, and the United Arab Emirates.
Researchers identify and analyze EvilTokens activity
In March 2026, Sekoia's Threat Detection and Research team identified EvilTokens and, together with Mnemonic, assessed that it was helping scale device code phishing into a broader threat. Sekoia also assessed with high confidence that the platform's backend code was likely AI-generated.
EvilTokens campaigns spread globally via Telegram-operated infrastructure
By March 2026, EvilTokens was being operated through Telegram bots and used in campaigns targeting organizations worldwide, with tooling for phishing templates, reconnaissance, webmail access, and automation. The activity was linked to increased device code phishing against Microsoft 365 users, particularly affecting sectors such as finance, HR, and transportation/logistics.
EvilTokens PhaaS emerges targeting Microsoft 365 device code flow
In early 2026, EvilTokens emerged as a phishing-as-a-service platform built to hijack Microsoft 365 accounts by abusing Microsoft's legitimate OAuth 2.0 device code authentication flow. Researchers described it as the first known turnkey PhaaS offering dedicated Microsoft device code phishing pages.
Sources
Upswell of device code phishing intrusions reported | brief | SC Media (scworld.com)
Device code phishing attacks surge 37x as new kits spread online (bleepingcomputer.com)
Ransomware intrusion compromises North Dakota water treatment facility | brief | SC Media (scworld.com)
Drift Protocol estimated to have lost $285M in crypto heist | brief | SC Media (scworld.com)
Global Microsoft device code phishing facilitated by novel EvilTokens kit | brief | SC Media (scworld.com)
New EvilTokens service fuels Microsoft device code phishing attacks (bleepingcomputer.com)
EvilTokens Emerges as New Phishing-as-a-Service Platform for Microsoft Account Takeover (cybersecuritynews.com)
EvilTokens ramps up device code phishing targeting Microsoft 365 users - Help Net Security (helpnetsecurity.com)