EvilTokens - New Phishing-as-a-Service Targets Microsoft Accounts with Advanced Features
EvilTokens is like a sneaky trick that bad guys use to steal your Microsoft account. They make you think you're just logging in to see a document, but they're actually stealing your access. It's important to be careful and know what you're clicking on!
EvilTokens is a new phishing-as-a-service platform that exploits Microsoft device code authentication to facilitate account takeovers. Researchers warn of its advanced capabilities and global reach.
A new and dangerous phishing toolkit has emerged in the cybercrime landscape. In early 2026, a Phishing-as-a-Service (PhaaS) platform called EvilTokens began circulating in underground cybercrime communities, offering criminals a ready-to-use kit designed to steal Microsoft 365 accounts. Unlike most phishing tools that mimic Microsoft login pages, EvilTokens takes a different approach — it abuses the legitimate Microsoft device code authentication flow to quietly hand over full account access to attackers.
EvilTokens first appeared in mid-February 2026 and was quickly adopted by cybercriminals focused on Business Email Compromise (BEC) and Adversary-in-the-Middle (AitM) attacks. The platform operates through Telegram bots and equips affiliates with phishing page templates, email harvesting tools, account reconnaissance features, a built-in webmail interface, and AI-powered automation. The operator, known as eviltokensadmin, has announced plans to expand support to Gmail and Okta phishing pages in the near future.
Researchers at Sekoia’s Threat Detection and Research (TDR) team identified EvilTokens in March 2026 while monitoring phishing-focused cybercrime communities. After analyzing the platform’s backend code, TDR analysts confirmed that EvilTokens is the first PhaaS known to offer turnkey Microsoft device code phishing pages, and assessed with high confidence that the kit’s code was likely AI-generated. Campaigns linked to EvilTokens have affected organizations across North America, South America, Europe, the Middle East, Asia, and Oceania, with the most impacted countries including the United States, Australia, Canada, France, India, Switzerland, and the United Arab Emirates.
Affiliates primarily target employees in finance, HR, logistics, and sales — roles that are particularly vulnerable to BEC fraud. By March 23, 2026, researchers tracked over 1,000 domains hosting EvilTokens phishing pages, utilizing diverse lures such as fake financial reports, meeting invites, payroll notices, and shared cloud documents from DocuSign, OneDrive, and SharePoint.
The core of EvilTokens is the abuse of Microsoft’s OAuth 2.0 Device Authorization Grant, a legitimate flow designed for devices with limited input capabilities, such as smart TVs or printers. Normally, the device displays a short code that the user enters in a browser on another device to authenticate, after which the device receives tokens for the user's account. EvilTokens hijacks this flow by acting as the authenticating device and tricking victims into completing the sign-in on the attacker’s behalf.
The attack begins when the attacker sends a request to Microsoft’s API to generate a fresh device code. This code is passed to the victim through a phishing page or attachment. The victim, believing they are simply verifying access to a shared document or invoice, visits the real Microsoft login page and enters the code. Once they complete the sign-in, the attacker’s system receives a valid access token and a refresh token, granting immediate and long-lasting access to the account.
The access token allows attackers up to 90 minutes to read emails, pull files from OneDrive and SharePoint, and view Teams conversations. The refresh token is far more dangerous — it lasts 90 days and renews itself each time it is used, letting attackers maintain silent access without any new login prompt. In advanced cases, EvilTokens converts these tokens into a Primary Refresh Token (PRT), enabling silent sign-on across all Microsoft 365 applications without requiring a password or MFA.
Phishing pages impersonate services like Adobe Acrobat Sign, DocuSign, and SharePoint, and serve page content encrypted with AES-GCM that is decrypted in the victim's browser, so that security scanners fetching the page see only ciphertext. Sekoia researchers have also observed that EvilTokens automates much of the follow-on BEC activity, indicating the kit is built to scale across many affiliates.

Organizations are advised to disable the device code authentication flow for users who do not need it, using Conditional Access policies in Microsoft Entra ID. Security teams should monitor sign-ins that use the device code grant type, especially those from unfamiliar locations. Employee training on device code authentication is essential, since this attack succeeds only when victims do not understand what entering a device code actually authorizes. Defenders can apply the YARA rule released by Sekoia to detect EvilTokens phishing pages, and query urlscan.io and urlquery with known EvilTokens URL patterns to identify related infrastructure.
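As an added illustration of the monitoring advice above (example code written for this article, not from Sekoia or Microsoft), the following check runs over constructed Entra ID sign-in records and flags device code sign-ins by users not expected to use that grant, raising severity when the sign-in comes from a country absent from the user's normal sign-in history. The record layout, the allow-list and the sample values are assumptions for the example; in a real deployment the records would come from the Entra sign-in logs.

```python
from collections import defaultdict

# Constructed sample of Entra ID sign-in records trimmed to the fields the check
# needs. Field names follow the Microsoft Graph signIn resource
# (authenticationProtocol, ipAddress, location); all values are made up.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "authenticationProtocol": "authorizationCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}},
    {"user": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}},
    {"user": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}},
    {"user": "bob@example.com", "authenticationProtocol": "authorizationCode",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}},
    {"user": "room-display@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.40", "location": {"countryOrRegion": "US"}},
]

# Hypothetical allow-list: identities that are expected to sign in with the
# device code grant (shared displays, printers) and are excluded from alerting.
DEVICE_CODE_ALLOWED = {"room-display@example.com"}

def baseline_countries(signins):
    """Countries each user has signed in from with any non-device-code grant."""
    seen = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            seen[s["user"]].add(s["location"]["countryOrRegion"])
    return seen

def device_code_alerts(signins):
    """Flag device code sign-ins by users not expected to use that grant.

    Severity is 'high' when the country is not in the user's baseline (the
    unfamiliar-location case the article says to watch), otherwise 'medium'.
    """
    baseline = baseline_countries(signins)
    alerts = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        if s["user"] in DEVICE_CODE_ALLOWED:
            continue
        country = s["location"]["countryOrRegion"]
        severity = "high" if country not in baseline[s["user"]] else "medium"
        alerts.append({"user": s["user"], "ip": s["ipAddress"],
                       "country": country, "severity": severity})
    return alerts
```

On the sample data the check produces a high-severity alert for alice (device code sign-in from a country she has never signed in from) and a medium one for bob, while the allow-listed room display is ignored.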