EvilTokens Device Code Phishing Captured Microsoft Session Tokens at Scale
Huntress reported that the EvilTokens phishing-as-a-service operation used Microsoft’s legitimate device code authentication flow to steal valid session tokens from users without capturing passwords or directly breaking MFA. The campaign accelerated in early March after initial alerts in late February and affected 344 organizations across five countries over 16 days. According to Huntress and Microsoft, the operation relied on trusted cloud infrastructure hosted on Railway and phishing lures tailored to victims’ normal workflows, allowing the activity to blend in with legitimate sign-in behavior.
Researchers said EvilTokens is marketed on Telegram and uses AI-enhanced phishing to personalize messages, evade email filtering, identify financially valuable targets, and automate follow-on fraud using context taken from compromised accounts. Because the emails, URLs, and authentication steps appeared legitimate, traditional email defenses often failed to stop the attacks. Huntress recommended behavior-based detection, stricter Conditional Access policies, monitoring for suspicious device registrations, rapid token revocation, and wider adoption of phishing-resistant MFA such as FIDO2 security keys and passkeys.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Huntress publishes EvilTokens campaign analysis and mitigations
Huntress published its analysis of the EvilTokens campaign, concluding that traditional email defenses were ineffective because the emails, URLs, authentication flows, and infrastructure appeared legitimate. The report recommended behavior-based detection, stricter conditional access controls, monitoring for suspicious device registrations, token revocation, and phishing-resistant MFA such as FIDO2 and passkeys.
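The summary above and this timeline entry both recommend behavior-based detection, watching for suspicious device registrations, and rapid token revocation. The following Python is an added example, not code from Huntress or Mallory: it runs a simple detection over a handful of constructed Microsoft Entra ID sign-in and audit records. Field names (`authenticationProtocol`, `ipAddress`, `autonomousSystemNumber`, `appDisplayName`) follow the Microsoft Graph `signIn` resource, where device code sign-ins are labelled `deviceCode`; the audit-log values `category = "Device"` and `activityDisplayName = "Register device"` are assumptions used only for this illustration. The logic flags a device code sign-in when it arrives from an ASN the user has never used before, or when a device registration follows it within a short window, and emits a finding that a responder would act on by revoking the user's sessions.

```python
"""
Detect device-code-flow sign-ins that deviate from a user's network baseline
and/or are followed by a new device registration (illustrative example).
"""
from datetime import datetime, timedelta

# Constructed sign-in records shaped like Graph signIn entries (not real telemetry).
SIGNINS = [
    # alice's normal interactive sign-ins establish her baseline ASN.
    {"user": "alice@example.com", "time": "2026-03-02T08:01:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "autonomousSystemNumber": 64500, "appDisplayName": "Microsoft 365"},
    {"user": "alice@example.com", "time": "2026-03-03T08:05:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.11",
     "autonomousSystemNumber": 64500, "appDisplayName": "Microsoft 365"},
    # Device code sign-in from an ASN alice never used: the phishing pattern.
    {"user": "alice@example.com", "time": "2026-03-04T14:22:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "autonomousSystemNumber": 64511, "appDisplayName": "Microsoft Office"},
    # bob uses device code flow from his usual network (e.g. a headless box): low risk.
    {"user": "bob@example.com", "time": "2026-03-04T09:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.20",
     "autonomousSystemNumber": 64500, "appDisplayName": "Microsoft 365"},
    {"user": "bob@example.com", "time": "2026-03-04T09:30:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.21",
     "autonomousSystemNumber": 64500, "appDisplayName": "Microsoft Teams"},
]

# Constructed audit records; activity names are an assumption for this example.
AUDITS = [
    {"user": "alice@example.com", "time": "2026-03-04T14:25:00Z",
     "category": "Device", "activityDisplayName": "Register device"},
]


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def baseline_asns(signins, user, before):
    """ASNs the user signed in from on non-device-code flows strictly before `before`.
    Restricting the baseline to earlier events keeps post-compromise activity
    (e.g. token replay from the attacker's network) from poisoning it."""
    return {
        s["autonomousSystemNumber"]
        for s in signins
        if s["user"] == user
        and s["authenticationProtocol"] != "deviceCode"
        and parse_ts(s["time"]) < before
    }


def find_suspicious_device_code_signins(signins, audits, window=timedelta(minutes=30)):
    """Return findings for device code sign-ins that break the user's baseline
    or are followed by a device registration within `window`."""
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        t = parse_ts(s["time"])
        reasons = []
        if s["autonomousSystemNumber"] not in baseline_asns(signins, s["user"], t):
            reasons.append("device code sign-in from ASN outside user baseline")
        for a in audits:
            if (a["user"] == s["user"] and a["category"] == "Device"
                    and a["activityDisplayName"] == "Register device"
                    and t <= parse_ts(a["time"]) <= t + window):
                reasons.append("new device registered within %d min" % (window.seconds // 60))
        if reasons:
            findings.append({
                "user": s["user"], "time": s["time"], "ip": s["ipAddress"],
                "app": s["appDisplayName"], "reasons": reasons,
                # Response a SOC would take on a confirmed hit: revoke refresh tokens
                # and remove the registered device, then review mailbox rules.
                "recommended_action": "revoke sessions; remove device; review mailbox",
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(SIGNINS, AUDITS):
        print(f)
```

Because the device code flow is legitimate, a bare "deviceCode sign-in" rule is noisy; the value is in the correlation (new network plus device registration close in time), which is what the report's call for behavior-based detection points at. In production the same logic would run over exported sign-in and audit logs rather than the inline samples.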
Huntress and Microsoft assess EvilTokens as PhaaS platform
Huntress and Microsoft assessed EvilTokens as a phishing-as-a-service offering sold on Telegram that uses AI to tailor lures, evade filters, identify financial targets, and automate follow-on fraud using victim context.
Sekoia details EvilTokens AI-driven post-compromise BEC tooling
Sekoia published an analysis of EvilTokens describing its device-code phishing kit, centralized affiliate panel, Portal Browser, Telegram/NOWPayments sales workflow, and cloud-hosted phishing infrastructure. The report highlighted AI-assisted post-compromise automation using Microsoft Graph reconnaissance and LLM prompts to rapidly prepare tailored BEC fraud, which Sekoia assessed as a novel capability for a PhaaS platform.
EvilTokens campaign escalates in early March
In early March, the device code phishing campaign expanded significantly, using legitimate Microsoft device code authentication flows and Railway-hosted infrastructure to capture valid session tokens. Huntress said the activity ultimately affected 344 organizations across five countries over a 16-day period.
Second wave of EvilTokens alerts detected
Additional EvilTokens-related alerts were observed on February 24, indicating continued campaign activity before the larger escalation in March.
Initial EvilTokens phishing alerts observed
Huntress reported initial alerts tied to the EvilTokens device code phishing campaign on February 19, marking the earliest observed activity referenced in the report.
Sources
EvilTokens and OAuth Abuse: How Device Code Phishing Bypasses MFA (netcraft.com)
A new wave in M365 phishing - an AI-assisted device code phishing campaign | Traficom (kyberturvallisuuskeskus.fi)
How EvilTokens Turbocharges Old School Phishing with AI | Huntress (huntress.com)
EvilTokens: an AI-augmented phishing kit for automating BEC fraud (blog.sekoia.io)
New EvilTokens service fuels Microsoft device code phishing attacks (linkedin.com)