Last seven days
- First activity
- Jul 12, 2026
- Last activity
- Jul 18, 2026
- Feed role
- Distribution
- Host form
- 0 IP / 76 hostnames
EvilTokens is a phishing-as-a-service platform built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 Device Authorization Grant flow.
Profile source: Mallory opens in a new tabEvilTokens
EvilTokens is a phishing-as-a-service platform built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 Device Authorization Grant flow. Rather than harvesting passwords through counterfeit login pages, it tricks victims into entering an attacker-generated Microsoft device code on Microsoft’s legitimate device login page and completing normal authentication, including multi-factor authentication. This causes Microsoft to issue access and refresh tokens to the attacker-controlled session, enabling account takeover without direct credential theft.
The platform is associated with large-scale device code phishing activity observed since at least early 2026 and has been linked to account takeover, session hijacking, data theft, and business email compromise operations. Campaigns have used lures themed as invoices, shared documents, calendar invites, SharePoint access requests, voicemail notices, password expiry warnings, and document-signature workflows, often targeting finance, human resources, logistics, sales, and accounts-payable personnel. Delivery has been observed through phishing emails and malicious document attachments, and the service has been advertised and distributed via Telegram.
EvilTokens provides turnkey phishing templates and backend automation for device-code handling, token polling, token refresh, and post-compromise operations. Reported capabilities include generation and management of stolen Microsoft 365 tokens, conversion of harvested authentication material into longer-lived persistence through Primary Refresh Token workflows, browser single sign-on cookie generation, Outlook Web Access session generation, Microsoft Graph and Azure reconnaissance, and Telegram-based operator notifications. The ecosystem has also been tied to AI-assisted lure generation and business email compromise workflows, lowering the barrier to entry for affiliates.
The platform primarily targets Microsoft 365 and Microsoft Entra ID environments and enables access to victim email, files, Teams, SharePoint, and OneDrive resources. It has been used globally across multiple sectors and geographies, and related affiliate infrastructure such as ARToken has shown strong technical overlap with EvilTokens, including shared API patterns, deployment models, and post-compromise tradecraft. EvilTokens is notable for industrializing device code phishing at scale while reducing many traditional phishing indicators, since victims authenticate on legitimate Microsoft infrastructure rather than a fake sign-in page.
MITRE ATT&CK
Reporting
Jalisco is a device code phishing toolkit that provisions fresh OAuth codes in real time, defeating the time-based controls defenders rely on and pairing naturally with AI-powered kits like “EvilTokens.”
Using a legacy email alias to target a user's inbox and launch a device code phishing flow that uses the EvilTokens kit.
ARToken, une plateforme de Phishing-as-a-Service (PhaaS) présentant de fortes similarités techniques avec EvilTokens... ARToken opère comme affilié d’EvilTokens.
Ce panel partage infrastructure, contrats API et patterns opérationnels avec la plateforme EvilTokens, documentée par Sekoia et Microsoft début 2026.
The panel shares infrastructure, coding patterns, and identical backend commands with EvilTokens, a phishing as a service platform documented earlier this year by researchers at Sekoia and later confirmed by Microsoft as a large scale threat.
This new operator panel has a clear lineage going back to the EvilTokens framework, which emerged in early 2026 and has the ability to bypass MFA by manipulating the OAuth 2.0 Device Authorization Grant.
Cisco Talos has tied [the phishing operation] to EvilTokens, a subscription service that spread across hundreds of Cloudflare Workers domains earlier this year... During an incident response engagement, Talos traced the infrastructure to a management panel titled “ARToken Panel.”
EvilTokens, the device-code phishing kit that can allow criminals to bypass multi-factor authentication (MFA) and silently authenticate as the victim to the organization's Microsoft 365 applications, appears to be even more insidious than we all thought.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.