A sophisticated phishing-as-a-service (PhaaS) platform known as EvilTokens has been actively compromising Microsoft 365 accounts across financial institutions in the United States and Europe. This platform leverages the OAuth 2.0 device authorization grant flow to bypass traditional security measures, including multi-factor authentication (MFA), without directly capturing user credentials.
Unlike conventional phishing attacks that rely on counterfeit login pages to steal passwords, EvilTokens abuses a legitimate Microsoft authentication process. Victims receive messages prompting them to enter a device code at Microsoft’s official device login page. Unaware of the malicious intent, users complete the authentication process, including MFA verification, and in doing so authorize the attacker’s pending device-code request. Because the sign-in itself takes place on genuine Microsoft infrastructure, MFA is satisfied normally, yet the resulting access tokens are issued to the attacker’s session rather than to a device the victim controls.
Security researchers have observed a significant increase in device code phishing attacks attributed to EvilTokens. Between January and April 2026, there was a 1,380% rise in such incidents compared to the latter half of 2025. This surge is largely due to the integration of artificial intelligence (AI) into the phishing campaigns, enabling the creation of highly personalized lures at scale. Previously, such targeted attacks required manual effort, but AI automation has made them more efficient and widespread.
The EvilTokens service is marketed on platforms like Telegram, offering subscription tiers ranging from $600 to $1,500. Despite the relatively low cost, the potential returns for cybercriminals are substantial, as a single successful attack can yield access to sensitive data, financial information, and internal communications. The service’s ability to bypass MFA and operate through legitimate authentication channels makes it particularly dangerous.
Financial institutions are prime targets for EvilTokens due to the high value of the data and assets they manage. The platform’s use of AI to craft convincing phishing messages increases the likelihood of user engagement, leading to unauthorized access to corporate accounts. This trend underscores the evolving nature of cyber threats, where attackers adopt advanced technologies and legitimate processes to achieve their objectives.
To mitigate the risks posed by EvilTokens and similar threats, organizations should implement comprehensive security measures. These include continuous monitoring of authentication processes, educating employees about the dangers of unsolicited authentication requests, and deploying advanced threat detection systems capable of identifying and responding to anomalous activities. Additionally, organizations should regularly review and update their security protocols to address emerging attack vectors.
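One concrete form of the authentication monitoring recommended above is to single out device-code sign-ins in identity-provider logs and raise their severity when the redemption looks inconsistent with the user's other activity. The following is an added example written for this page, not code from any vendor or from the researchers cited; the sign-in records are constructed, the field names and the trusted address ranges are assumptions, and `find_device_code_anomalies` is a hypothetical helper to be mapped onto your own log export.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data). Field names loosely follow
# the Microsoft Graph signIn schema, where authenticationProtocol "deviceCode"
# marks a device-code-grant sign-in; treat them as an assumption for your export.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ts": "2026-03-02T09:14:00Z", "ip": "198.51.100.7",
     "authenticationProtocol": "oAuth2"},
    {"user": "alice@example.com", "ts": "2026-03-02T09:21:00Z", "ip": "203.0.113.10",
     "authenticationProtocol": "deviceCode"},
    {"user": "bob@example.com", "ts": "2026-03-02T10:05:00Z", "ip": "198.51.100.9",
     "authenticationProtocol": "deviceCode"},
    {"user": "carol@example.com", "ts": "2026-03-02T11:40:00Z", "ip": "198.51.100.12",
     "authenticationProtocol": "oAuth2"},
]
# Assumed corporate egress ranges; in practice load these from your inventory.
TRUSTED_PREFIXES = ("198.51.100.",)
WINDOW = timedelta(minutes=15)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_anomalies(signins):
    """Return (user, timestamp, severity, reason) for every device-code sign-in.

    Every device-code grant is surfaced because the flow is rare for ordinary
    users. Severity rises when the token was redeemed from an untrusted address,
    and again when the same user signed in from elsewhere within WINDOW, which is
    what a victim approving a code that was requested on another host looks like.
    """
    by_user = {}
    for rec in signins:
        by_user.setdefault(rec["user"], []).append(rec)
    findings = []
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode":
            continue
        t = _parse(rec["ts"])
        reasons, severity = ["device code grant used"], "low"
        if not rec["ip"].startswith(TRUSTED_PREFIXES):
            reasons.append("redeemed from untrusted IP %s" % rec["ip"])
            severity = "medium"
        for other in by_user[rec["user"]]:
            if other is rec or other["ip"] == rec["ip"]:
                continue
            if abs(_parse(other["ts"]) - t) <= WINDOW:
                reasons.append("other sign-in from %s within %d min" % (other["ip"], WINDOW.seconds // 60))
                severity = "high"
                break
        findings.append((rec["user"], rec["ts"], severity, "; ".join(reasons)))
    return findings
```

Pair this with an identity-provider policy that blocks the device code flow entirely for users who have no legitimate need for it, so that the detector only has to cover the remaining exceptions.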
The emergence of EvilTokens highlights the need for a proactive and adaptive approach to cybersecurity. As cybercriminals continue to innovate and exploit legitimate systems, organizations must stay ahead by adopting advanced security technologies and fostering a culture of vigilance among their employees. The integration of AI into phishing campaigns signifies a shift in the cyber threat landscape, necessitating a corresponding evolution in defense strategies.