EvilTokens - New Phishing-as-a-Service Targets Microsoft Accounts
Basically, EvilTokens is a new tool that helps criminals steal Microsoft accounts easily.
A new phishing toolkit, EvilTokens, has surfaced, targeting Microsoft 365 accounts. This platform poses significant risks to organizations globally, enabling easy account takeovers. Cybercriminals are exploiting it to conduct Business Email Compromise attacks, making awareness and prevention crucial.
What Happened
In early 2026, a new Phishing-as-a-Service platform named EvilTokens emerged in underground cybercrime communities. This toolkit is specifically designed to target Microsoft 365 accounts, offering criminals a ready-to-use kit for account theft. Unlike traditional phishing tools that replicate Microsoft login pages, EvilTokens abuses the legitimate Microsoft device code authentication flow. Because the victim signs in on Microsoft's genuine login page rather than on a lookalike, there is no fake page to spot, and the attacker ends up holding tokens for the victim's account without raising immediate suspicion.
EvilTokens first appeared in mid-February 2026 and quickly gained traction among cybercriminals engaged in Business Email Compromise (BEC) and Adversary-in-the-Middle (AitM) attacks. The platform operates via Telegram bots and provides affiliates with various tools, including phishing page templates and email harvesting capabilities. The operator, known as eviltokensadmin, plans to expand the service to include phishing pages for Gmail and Okta in the near future.
Who's Affected
The reach of EvilTokens is extensive, impacting organizations across North America, South America, Europe, the Middle East, Asia, and Oceania. Countries like the United States, Australia, Canada, France, India, Switzerland, and the United Arab Emirates have reported significant incidents linked to this platform. The most targeted sectors include finance, HR, logistics, and sales, where employees are particularly vulnerable to BEC fraud.
By March 23, 2026, researchers identified over 1,000 domains associated with EvilTokens phishing pages. These pages utilized various lures, such as fake financial reports and shared documents from services like DocuSign, OneDrive, and SharePoint. The sheer volume of attacks indicates a well-coordinated effort by cybercriminals to exploit unsuspecting users.
How It Works
EvilTokens operates by abusing the OAuth 2.0 Device Authorization Grant (RFC 8628), which is intended for devices with limited input capabilities such as smart TVs and CLI tools. In the legitimate flow, the device requests a pair of codes from the authorization server, shows the user a short user code, and the user enters that code in a browser on a second device at a verification URL and signs in there; the device meanwhile polls the token endpoint until the sign-in completes. EvilTokens manipulates this flow by posing as the authenticating device, tricking victims into completing the sign-in on the attacker's behalf.
The attack begins when the attacker requests a device code from Microsoft's device authorization endpoint. The user code is then shown to the victim on a phishing page, leading them to believe they are simply verifying access to a shared document. Once the victim enters the code on the genuine Microsoft page and completes sign-in (including any MFA prompt, which the victim satisfies themselves), the attacker's polling client receives valid access and refresh tokens for the account, with the scopes the attacker requested. Nothing in the flow ties the approval to the browser or IP address that requested the code. The refresh token, which by default remains usable for 90 days of inactivity and is renewed each time it is used, lets attackers keep access without re-authenticating until it is revoked.
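The exchange described above, as an added example that is not code from the EvilTokens kit or from Microsoft. The server class is a constructed in-memory stand-in for the two endpoints of the device authorization grant (a /devicecode-style endpoint and a /token-style endpoint); the verification URL, client ID, code lifetime and token strings are made up. The point it shows is that whoever requested the code pair receives the tokens, regardless of who actually signed in, and that the code is only usable for a bounded window:

```python
"""Simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) as
abused by device-code phishing. Added example: the server below is a
constructed in-memory stand-in for the authorization server's two
endpoints, and every value (codes, lifetimes, token strings) is made up."""
import secrets
import time

AUTH_PENDING = {"error": "authorization_pending"}
EXPIRED = {"error": "expired_token"}


class DeviceCodeServer:
    """Minimal stand-in for the authorization server's two endpoints."""

    def __init__(self, code_lifetime=900, clock=time.time):
        # 15-minute code lifetime is an assumption for this toy server.
        self.code_lifetime = code_lifetime
        self.clock = clock            # injectable so expiry can be tested
        self._pending = {}            # device_code -> request record
        self._by_user_code = {}       # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Device authorization endpoint: the *requesting client* gets both codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        rec = {"client_id": client_id, "scope": scope, "user_code": user_code,
               "issued": self.clock(), "approved_by": None}
        self._pending[device_code] = rec
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # constructed
                "expires_in": self.code_lifetime, "interval": 5}

    def user_enters_code(self, user_code, username):
        """The victim types the user code on the genuine verification page and
        signs in. Nothing here binds the approval to the requester's IP or UA."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return False
        rec = self._pending[device_code]
        if self.clock() - rec["issued"] > self.code_lifetime:
            return False                     # code expired, sign-in refused
        rec["approved_by"] = username
        return True

    def token(self, device_code):
        """Token endpoint, polled by the requester with the device_code grant."""
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self.clock() - rec["issued"] > self.code_lifetime:
            return EXPIRED
        if rec["approved_by"] is None:
            return AUTH_PENDING
        # Tokens are issued for whoever approved, delivered to whoever polls.
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": f"at-{rec['approved_by']}-{secrets.token_hex(4)}",
                "refresh_token": f"rt-{rec['approved_by']}-{secrets.token_hex(4)}",
                "expires_in": 3600}


def run_phish(server, victim="alice@example.com"):
    """Walk through the sequence described in the article from the
    requester's side; returns (first poll result, final token response)."""
    # 1. Requester obtains a code pair for a client it controls.
    dc = server.device_authorization(client_id="constructed-client-id",
                                     scope="openid offline_access Mail.Read")
    # 2. Polling before the victim acts yields authorization_pending.
    first_poll = server.token(dc["device_code"])
    # 3. The phishing page displays dc["user_code"]; the victim enters it on
    #    the real verification page and completes sign-in, MFA included.
    server.user_enters_code(dc["user_code"], victim)
    # 4. The next poll hands the victim's tokens to the requester.
    final = server.token(dc["device_code"])
    return first_poll, final


if __name__ == "__main__":
    pending, tokens = run_phish(DeviceCodeServer())
    print("before victim acted:", pending)
    print("after victim acted: ", tokens)
```

The `offline_access` scope in the request is what yields a refresh token; without it the attacker would hold only a short-lived access token. The bounded lifetime is why the phishing page has to get the victim to act within minutes of the code being generated.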
What You Should Do
Organizations are advised to take proactive measures to protect against EvilTokens. Disabling the device code flow for users who do not need it is the single most effective step: in Microsoft Entra ID this is done with a Conditional Access policy that uses the Authentication flows condition, selects Device code flow, and sets the grant control to Block, scoped to all users except the few accounts (for example admins using CLI tools) that legitimately need it. Security teams should also review sign-ins whose authentication protocol is Device code in the Entra sign-in logs, especially from countries or IP ranges the user has never signed in from. If an account is confirmed compromised, revoke the user's sign-in sessions (which invalidates the refresh token the attacker holds) in addition to resetting the password and reviewing mailbox rules, since the attacker's access otherwise survives the password change until the refresh token is revoked.
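Triage logic for the monitoring step, as an added example that is not from the article or from Sekoia. The records are constructed; the field names follow the Microsoft Graph sign-in resource (`authenticationProtocol`, `ipAddress`, `location.countryOrRegion`), and the per-user "usual countries" baseline is an assumed input a team would derive from its own sign-in history. Every device-code sign-in is surfaced; those from outside the user's baseline, or for users with no baseline at all, are raised to high severity:

```python
"""Triage of exported Entra ID sign-in records for device-code sign-ins.
Added example with constructed records; field names follow the Microsoft
Graph signIn resource, and the baseline of usual countries is an assumed
input derived from a tenant's own history."""
import json

# Constructed sample export: one normal OAuth sign-in and three device-code
# sign-ins with different risk profiles.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2026-03-20T08:02:11Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "US"}},
 {"createdDateTime": "2026-03-20T08:31:47Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "NL"}},
 {"createdDateTime": "2026-03-20T09:10:02Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.9", "location": {"countryOrRegion": "US"}},
 {"createdDateTime": "2026-03-20T09:12:30Z", "userPrincipalName": "carol@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
  "ipAddress": "192.0.2.55", "location": {"countryOrRegion": "BR"}}
]""")

# Assumed baseline: countries each user normally signs in from.
USUAL_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}


def triage_device_code(records, usual_countries):
    """Return one alert per device-code sign-in, with a severity and reason.

    Device-code sign-ins are rare for most users, so every one is listed;
    location mismatch or a missing baseline raises the severity to high."""
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        country = (r.get("location") or {}).get("countryOrRegion", "??")
        known = usual_countries.get(upn)
        if known is None:
            severity, why = "high", "no location baseline for user"
        elif country not in known:
            severity, why = "high", f"country {country} not in baseline {sorted(known)}"
        else:
            severity, why = "review", "device code grant from usual country; confirm with user"
        alerts.append({"time": r["createdDateTime"], "user": upn,
                       "app": r.get("appDisplayName"), "ip": r.get("ipAddress"),
                       "country": country, "severity": severity, "why": why})
    return alerts


def users_to_contain(alerts):
    """Users with at least one high-severity alert: candidates for session
    revocation and password reset."""
    return sorted({a["user"] for a in alerts if a["severity"] == "high"})


if __name__ == "__main__":
    found = triage_device_code(SAMPLE_SIGNINS, USUAL_COUNTRIES)
    for a in found:
        print(f"{a['severity']:6} {a['time']} {a['user']:20} {a['country']} {a['ip']:15} {a['why']}")
    print("contain:", users_to_contain(found))
```

The same filter expressed against a Log Analytics workspace is a one-liner over the `SigninLogs` table on the `AuthenticationProtocol` column; the point of scripting it is to join the result against a location baseline so the rare legitimate CLI sign-in is not lost among the alerts.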
Employee training on device authentication is vital, as the success of this attack relies heavily on victims not understanding what entering a device code authorizes: the short code should be explained as a sign-in on behalf of whatever device or program is displaying it, never as a way to open a document. Detection rules, such as the YARA rule released by Sekoia, can help identify EvilTokens phishing pages. Regularly querying resources like urlscan.io and urlquery with known EvilTokens URL patterns can aid in uncovering related infrastructure. By staying vigilant and informed, organizations can better defend against this emerging threat.