EvilTokens: The New Phishing-as-a-Service Threat Targeting Microsoft 365 Accounts
In early 2026, a new and sophisticated phishing toolkit named EvilTokens emerged within underground cybercrime communities, offering cybercriminals a streamlined method to hijack Microsoft 365 accounts. Unlike traditional phishing tools that replicate Microsoft login pages, EvilTokens exploits the legitimate Microsoft device code authentication flow, granting attackers full access to user accounts without raising immediate suspicion.
Emergence and Adoption
First identified in mid-February 2026, EvilTokens rapidly gained traction among cybercriminals specializing in Business Email Compromise (BEC) and Adversary-in-the-Middle (AitM) attacks. The platform operates through Telegram bots, providing affiliates with a comprehensive suite of tools, including phishing page templates, email harvesting utilities, account reconnaissance features, a built-in webmail interface, and AI-driven automation. The platform’s operator, known as eviltokensadmin, has announced plans to expand support to Gmail and Okta phishing pages in the near future.
Researchers at Sekoia’s Threat Detection and Research (TDR) team discovered EvilTokens in March 2026 while monitoring phishing-focused cybercrime forums. Upon analyzing the platform’s backend code, TDR analysts confirmed that EvilTokens is the first Phishing-as-a-Service (PhaaS) known to offer turnkey Microsoft device code phishing pages. They also assessed with high confidence that the kit’s code was likely generated using artificial intelligence.
Global Impact
EvilTokens has facilitated phishing campaigns affecting organizations across North America, South America, Europe, the Middle East, Asia, and Oceania. The most impacted countries include the United States, Australia, Canada, France, India, Switzerland, and the United Arab Emirates. Affiliates have primarily targeted employees in finance, human resources, logistics, and sales, roles that are particularly susceptible to BEC fraud. By March 23, 2026, researchers had identified over 1,000 domains hosting EvilTokens phishing pages, using diverse lures such as fake financial reports, meeting invitations, payroll notices, and shared cloud documents from services like DocuSign, OneDrive, and SharePoint.
Mechanism of Attack
EvilTokens exploits Microsoft’s OAuth 2.0 Device Authorization Grant, a legitimate flow designed for devices with limited input capabilities, such as smart TVs or printers. Typically, a device displays a short code that the user enters on a separate browser to authenticate. EvilTokens hijacks this flow by acting as the authenticating device and deceiving victims into completing the sign-in process on the attacker’s behalf.
The attack begins when the attacker sends a request to Microsoft's API to generate a fresh device code. This code is then presented to the victim through a phishing page or attachment. Believing they are verifying access to a shared document or invoice, the victim visits the legitimate Microsoft login page and enters the code. Once the victim completes the sign-in, the attacker's system receives a valid access token and a refresh token, granting immediate and prolonged access to the account.
The access token gives attackers a window of up to 90 minutes to read emails, retrieve files from OneDrive and SharePoint, and view Teams conversations. The refresh token poses a greater threat: it lasts 90 days and renews itself each time it is used, so attackers can maintain silent access without triggering new login prompts. In advanced scenarios, EvilTokens converts these tokens into a Primary Refresh Token (PRT), enabling silent sign-on across all Microsoft 365 applications without user interaction.
Mitigation Strategies
To defend against the sophisticated tactics employed by EvilTokens, organizations should implement the following measures:
1. Phishing-Resistant Multi-Factor Authentication (MFA): Adopt hardware security keys or biometric authentication methods that are resistant to phishing attempts.
2. User Education: Conduct regular training sessions to educate employees about the risks of phishing attacks and the importance of verifying authentication requests.
3. Behavioral Detection Controls: Deploy security solutions capable of identifying and alerting on unusual authentication patterns or the use of device codes.
4. Regular Security Audits: Perform periodic reviews of authentication logs and access patterns to detect and respond to unauthorized access promptly.
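As an added illustration of the behavioral detection control above (example code written for this article, not tooling from Sekoia or any vendor), the script below scans sign-in records for device code authentications and rates each one against the user's normal sign-in countries. The records are constructed, and the field names (authenticationProtocol, ipAddress, location.countryOrRegion) are an assumption modelled on the Microsoft Entra sign-in log export; map them to your own schema.

```python
from collections import defaultdict

# Constructed sample records shaped like a Microsoft Entra sign-in log export.
# Field names are an assumption about the export format, not a guaranteed schema.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.5", "location": {"countryOrRegion": "FR"},
     "appDisplayName": "Microsoft Teams", "createdDateTime": "2026-03-09T08:02:00Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "NG"},
     "appDisplayName": "Microsoft Office", "createdDateTime": "2026-03-10T09:14:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "FR"},
     "appDisplayName": "Microsoft Office", "createdDateTime": "2026-03-10T10:00:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "FR"},
     "appDisplayName": "Outlook", "createdDateTime": "2026-03-10T10:05:00Z"},
]


def baseline_countries(signins):
    """Countries each user has signed in from through ordinary (non-device-code) flows."""
    seen = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            seen[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return seen


def flag_device_code_signins(signins):
    """Return one finding per device-code sign-in.

    Most tenants should see very few device-code sign-ins, so every one is
    reported (medium). A device-code sign-in from a country the user has never
    signed in from otherwise is the pattern described above and is rated high.
    """
    baseline = baseline_countries(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        severity = "high" if country not in baseline.get(user, set()) else "medium"
        findings.append({"user": user, "time": s["createdDateTime"],
                         "ip": s["ipAddress"], "country": country,
                         "app": s["appDisplayName"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['time']} {f['user']} device code from {f['ip']} ({f['country']}) via {f['app']}")
```

A high-severity finding is the cue to revoke the user's refresh tokens and sessions, since the access token alone expiring does not end the attacker's access.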
By implementing these strategies, organizations can enhance their defenses against the evolving threats posed by phishing-as-a-service platforms like EvilTokens.