Cyber Web Spider Blog – News

EvilTokens: A New Phishing Threat Targeting Microsoft Accounts

Posted on March 31, 2026 By CWS

A newly developed phishing toolkit has surfaced, raising concerns in the cybersecurity community. In early 2026, EvilTokens, a Phishing-as-a-Service (PhaaS) platform, began making waves in cybercriminal circles by offering an advanced kit designed to compromise Microsoft 365 accounts.

Unlike typical phishing tools that replicate Microsoft login interfaces, EvilTokens employs a different tactic by exploiting the genuine Microsoft device code authentication flow, covertly granting attackers complete account access.

Emergence and Adoption of EvilTokens

Introduced to the cybercrime landscape in February 2026, EvilTokens quickly gained traction among cybercriminals specializing in Business Email Compromise (BEC) and Adversary-in-the-Middle (AitM) attacks.

The platform operates using Telegram bots and provides its affiliates with phishing templates, tools for email collection, account exploration capabilities, a built-in webmail interface, and AI-driven automation. The creator, known as eviltokensadmin, has announced plans to extend support to Gmail and Okta phishing pages soon.

Research and Implications

Sekoia’s Threat Detection and Research (TDR) team identified EvilTokens in March 2026 while observing phishing-focused cybercrime forums. Their analysis confirmed that EvilTokens is the first PhaaS offering ready-to-use Microsoft device code phishing pages, likely generated using AI technology.

Attacks attributed to EvilTokens have impacted organizations across the globe, notably in the United States, Australia, Canada, France, India, Switzerland, and the United Arab Emirates. The attacks typically target employees in finance, HR, logistics, and sales, roles particularly susceptible to BEC scams.

Mechanics of Account Compromise

The core strategy of EvilTokens revolves around manipulating Microsoft’s OAuth 2.0 Device Authorization Grant, a legitimate protocol intended for devices with limited input options, such as smart TVs.

In a typical scenario, a device shows a code to be entered in a browser for authentication. EvilTokens hijacks this process by posing as the device and deceiving victims into completing the authentication on the attacker’s behalf.

When victims input the code, believing they are accessing shared documents or invoices, they inadvertently provide attackers with an access token and a refresh token, facilitating prolonged account access.

To counter such threats, organizations should use Conditional Access policies in Microsoft Entra ID to disable the device code authentication flow for users who do not need it. Security teams are advised to monitor sign-ins using this grant type, particularly from unknown locations.
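The monitoring advice above can be turned into a simple triage pass over exported sign-in records. The following is an added example, not code from Sekoia or from the original article; it assumes records shaped like Microsoft Graph `signIn` objects in which device code sign-ins carry `authenticationProtocol` set to `deviceCode`, and the accounts, addresses, country baseline and allowlist are constructed for illustration.

```python
import json

# Constructed sample records, shaped like Microsoft Graph signIn objects (not real data).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "authenticationProtocol": "oAuth2",
  "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "kiosk-svc@contoso.example", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.20", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "bob.finance@contoso.example", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "carol.hr@contoso.example", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.31", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
]""")

# Assumptions for this example: the tenant's usual sign-in countries and the
# accounts that legitimately need the device code flow (shared-screen devices).
KNOWN_COUNTRIES = {"US"}
DEVICE_CODE_ALLOWLIST = {"kiosk-svc@contoso.example"}


def triage_device_code_signins(signins, known_countries, allowlist):
    """Return findings for successful device code sign-ins that need review."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # other grant types are out of scope here
        if s.get("status", {}).get("errorCode") != 0:
            continue  # sign-in did not succeed, so it is not reported here
        user = s.get("userPrincipalName", "").lower()
        country = (s.get("location") or {}).get("countryOrRegion") or "unknown"
        reasons = []
        if user not in allowlist:
            reasons.append("user has no business need for device code flow")
        if country not in known_countries:
            reasons.append(f"sign-in from unfamiliar location {country}")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            findings.append({"user": user, "ip": s.get("ipAddress"),
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS, KNOWN_COUNTRIES, DEVICE_CODE_ALLOWLIST):
        print(f["severity"].upper(), f["user"], f["ip"], "; ".join(f["reasons"]))
```

Users that surface here without an allowlist entry are also the candidates for the Conditional Access block described above.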

Employee education on device authentication is critical, as the attack succeeds when victims misunderstand the implications of entering a device code. Sekoia has released a YARA rule to detect EvilTokens phishing pages, and tools like urlscan.io and urlquery can help identify associated infrastructure.
