Skip to content
Malware family Cloud

EvilTokens

EvilTokens is a phishing-as-a-service platform built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 Device Authorization Grant flow.

Profile source: Mallory opens in a new tab

EvilTokens

Family profile

EvilTokens is a phishing-as-a-service platform built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 Device Authorization Grant flow. Rather than harvesting passwords through counterfeit login pages, it tricks victims into entering an attacker-generated Microsoft device code on Microsoft’s legitimate device login page and completing normal authentication, including multi-factor authentication. This causes Microsoft to issue access and refresh tokens to the attacker-controlled session, enabling account takeover without direct credential theft.

The platform is associated with large-scale device code phishing activity observed since at least early 2026 and has been linked to account takeover, session hijacking, data theft, and business email compromise operations. Campaigns have used lures themed as invoices, shared documents, calendar invites, SharePoint access requests, voicemail notices, password expiry warnings, and document-signature workflows, often targeting finance, human resources, logistics, sales, and accounts-payable personnel. Delivery has been observed through phishing emails and malicious document attachments, and the service has been advertised and distributed via Telegram.

EvilTokens provides turnkey phishing templates and backend automation for device-code handling, token polling, token refresh, and post-compromise operations. Reported capabilities include generation and management of stolen Microsoft 365 tokens, conversion of harvested authentication material into longer-lived persistence through Primary Refresh Token workflows, browser single sign-on cookie generation, Outlook Web Access session generation, Microsoft Graph and Azure reconnaissance, and Telegram-based operator notifications. The ecosystem has also been tied to AI-assisted lure generation and business email compromise workflows, lowering the barrier to entry for affiliates.

The platform primarily targets Microsoft 365 and Microsoft Entra ID environments and enables access to victim email, files, Teams, SharePoint, and OneDrive resources. It has been used globally across multiple sectors and geographies, and related affiliate infrastructure such as ARToken has shown strong technical overlap with EvilTokens, including shared API patterns, deployment models, and post-compromise tradecraft. EvilTokens is notable for industrializing device code phishing at scale while reducing many traditional phishing indicators, since victims authenticate on legitimate Microsoft infrastructure rather than a fake sign-in page.

Capabilities

  • Exfiltration
  • Extortion
  • Persistence
  • Reconnaissance
  • Session Hijacking
  • Spoofing

Observed infrastructure

Last seven days

First activity
Jul 12, 2026
Last activity
Jul 18, 2026
Feed role
Distribution
Host form
0 IP / 76 hostnames

Leading locations

  • US66
  • DE1
  • NL1

Leading providers

  • Cloudflare, Inc.63
  • Fastly, Inc.2
  • FREAKHOSTING LTD1
  • Omegatech LTD1
  • SINO WORLDWIDE TRADING LIMITED1

Infrastructure traits

  • Hosting 68
  • Anycast 65
  • Proxy 12
  • Vpn 1

MITRE ATT&CK

EvilTokens in ATT&CK

39 distinct techniques

Reporting

Research mentioning EvilTokens

Jul 14
ReliaQuest

Threat Spotlight: The Jalisco Toolkit and AI-Powered Phishing Surge

Jalisco is a device code phishing toolkit that provisions fresh OAuth codes in real time, defeating the time-based controls defenders rely on and pairing naturally with AI-powered kits like “EvilTokens.”

Jul 13
The Hacker News

Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

Using a legacy email alias to target a user's inbox and launch a device code phishing flow that uses the EvilTokens kit.

Jul 8
Cyberveille

ARToken : plateforme PhaaS affiliée à EvilTokens ciblant Microsoft 365 via device code phishing | CyberVeille

ARToken, une plateforme de Phishing-as-a-Service (PhaaS) présentant de fortes similarités techniques avec EvilTokens... ARToken opère comme affilié d’EvilTokens.

Jul 3
Cyberveille

ARToken : analyse d'un panel affilié PhaaS ciblant Microsoft 365 via device code phishing | CyberVeille

Ce panel partage infrastructure, contrats API et patterns opérationnels avec la plateforme EvilTokens, documentée par Sekoia et Microsoft début 2026.

Jul 2
Cyber Security News

Microsoft 365 Phishing Panel Uses OAuth Device Code Flow to Capture Tokens and Persist Access

The panel shares infrastructure, coding patterns, and identical backend commands with EvilTokens, a phishing as a service platform documented earlier this year by researchers at Sekoia and later confirmed by Microsoft as a large scale threat.

Jul 1
Decipher Sc

Evils Is as Evil Does: New EvilTokens Affiliate Panel Uncovered - Decipher

This new operator panel has a clear lineage going back to the EvilTokens framework, which emerged in early 2026 and has the ability to bypass MFA by manipulating the OAuth 2.0 Device Authorization Grant.

Jul 1
Help Net Security

The ARToken phishing panel targets Microsoft 365 accounts - Help Net Security

Cisco Talos has tied [the phishing operation] to EvilTokens, a subscription service that spread across hundreds of Cloudflare Workers domains earlier this year... During an incident response engagement, Talos traced the infrastructure to a management panel titled “ARToken Panel.”

Jul 1
Register Security

EvilTokens device-code phishing kit totally more evil than we all thought

EvilTokens, the device-code phishing kit that can allow criminals to bypass multi-factor authentication (MFA) and silently authenticate as the victim to the organization's Microsoft 365 applications, appears to be even more insidious than we all thought.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.