EvilTokens Scales AI-Driven Microsoft 365 Token Phishing via Device Code OAuth
The phishing-as-a-service platform EvilTokens sharply expanded attacks against Microsoft 365 accounts by abusing Microsoft’s legitimate device code OAuth flow to steal access tokens after victims completed real Microsoft logins and multi-factor authentication. Huntress reported a 1,380% increase in device code phishing activity between late 2025 and early 2026, with campaigns affecting hundreds of organizations. The operation used AI-generated personalized phishing lures and automated post-compromise analysis to support follow-on business email compromise, while relying on legitimate cloud services including Railway, BL Networks/BitLaunch, and Cloudflare Workers to blend in with normal traffic.
EvilTokens was marketed openly on Telegram as a subscription service priced from $600 to $1,500, lowering the barrier for less sophisticated criminals to launch token-theft campaigns that can bypass MFA protections. Huntress said 57.5% of observed attacks were tied to Railway or BL Networks infrastructure, and that blocking Railway IP addresses through Conditional Access prevented more than 600 incidents before attackers shifted hosting. Defenders were urged to restrict or block device code authentication where possible, review sign-in logs for suspicious Railway-originated authentications, revoke stolen tokens, audit Microsoft Graph API activity, and update user awareness training because genuine Microsoft login pages can still be part of a phishing attack.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Defenders block Railway IPs to stop over 600 incidents
Huntress said that blocking Railway IP addresses through Conditional Access prevented more than 600 incidents before attackers shifted to other infrastructure. The report also linked 57.5% of observed attacks to Railway or BL Networks/BitLaunch.
Huntress observes surge in device code phishing attacks
Huntress reported a 1,380% increase in device code phishing attacks between July–December 2025 and January–April 2026. The activity affected hundreds of organizations and was tied to EvilTokens' use of Microsoft's legitimate device code OAuth flow to steal Microsoft 365 access tokens after real logins and MFA.
EvilTokens markets phishing service on Telegram
The EvilTokens phishing-as-a-service platform was advertised on Telegram with subscription pricing starting at $600, lowering the barrier to entry for token-theft and phishing operations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
EvilTokens Turns Microsoft Device Code Phishing Into a Scalable Account Takeover Service
Researchers identified **EvilTokens** as a new phishing-as-a-service platform built to hijack **Microsoft 365** accounts by abusing Microsoft’s legitimate OAuth 2.0 **device code** authentication flow. Sold and operated through Telegram bots, the service gives affiliates phishing templates, email harvesting and reconnaissance features, automated Microsoft API interactions, webmail access, and mailbox triage capabilities. Victims are lured into entering attacker-supplied device codes on Microsoft’s real login page, allowing attackers to capture access and refresh tokens—and in some cases a **Primary Refresh Token**—without stealing passwords or directly defeating MFA. Security teams linked a sharp rise in device code phishing to EvilTokens, describing it as the first known turnkey PhaaS offering dedicated Microsoft device code phishing pages and warning that it lowers the barrier for low-skill operators. More than **1,000 phishing domains** were observed by late March, with campaigns affecting organizations worldwide and notable activity in the United States, Australia, Canada, France, India, Switzerland, and the United Arab Emirates; finance, HR, and transportation/logistics staff were highlighted as frequent targets. Researchers from Sekoia and Mnemonic urged defenders to disable or restrict unnecessary device code flows in **Microsoft Entra ID**, monitor device code grant sign-ins for anomalies, train users on device authentication abuse, and revoke refresh tokens when compromise is suspected.
Apr 4, 2026
EvilTokens Device Code Phishing Captured Microsoft Session Tokens at Scale
Huntress reported that the **EvilTokens** phishing-as-a-service operation used Microsoft’s legitimate device code authentication flow to steal valid session tokens from users without capturing passwords or directly breaking MFA. The campaign accelerated in early March after initial alerts in late February and affected **344 organizations across five countries over 16 days**. According to Huntress and Microsoft, the operation relied on trusted cloud infrastructure hosted on Railway and phishing lures tailored to victims’ normal workflows, allowing the activity to blend in with legitimate sign-in behavior. Researchers said EvilTokens is marketed on Telegram and uses **AI-enhanced phishing** to personalize messages, evade email filtering, identify financially valuable targets, and automate follow-on fraud using context taken from compromised accounts. Because the emails, URLs, and authentication steps appeared legitimate, traditional email defenses often failed to stop the attacks. Huntress recommended behavior-based detection, stricter Conditional Access policies, monitoring for suspicious device registrations, rapid token revocation, and wider adoption of phishing-resistant MFA such as **FIDO2** security keys and passkeys.
Jun 1, 2026
AI-Driven Microsoft 365 Device Code Phishing Abused Railway to Steal OAuth Tokens
Huntress reported a large phishing operation that used **Railway** cloud infrastructure to compromise Microsoft 365 accounts at hundreds of organizations by abusing Microsoft's legitimate device authorization flow. The campaign harvested and replayed OAuth access and refresh tokens, allowing attackers to maintain access for up to 90 days without needing victims' passwords and in many cases without being stopped by MFA. Researchers identified at least **344-350 victim organizations** across the U.S., Canada, Australia, New Zealand, and Germany, with activity accelerating sharply in early March and continuing at a rate of more than 50 compromises per day even after initial disruption efforts. The operation used highly varied, likely **AI-generated** lures delivered through email, QR codes, file-share themes, compromised websites, multi-hop redirects, and `workers.dev` pages to evade filtering and scale quickly. Huntress linked the activity to the **EvilTokens** phishing-as-a-service platform, which advertised Office 365 capture links, SMTP delivery, B2B sender services, AI-assisted phishing workflows, and open redirects. In response, Huntress pushed Conditional Access protections to about **60,000 Microsoft cloud tenants**, blocked additional attack attempts, and urged defenders to prioritize identity-layer monitoring, token revocation, blocking Railway-owned infrastructure, restricting device code authentication, and enabling **Continuous Access Evaluation**.
Apr 6, 2026