In March 2026, two significant phishing campaigns, EvilTokens and AMOS, emerged, posing a substantial threat to enterprises and macOS users. These campaigns exploit advanced techniques, with EvilTokens targeting enterprise accounts via Microsoft’s OAuth authentication, while AMOS focuses on macOS users engaged in AI development.
EvilTokens Campaign: Bypassing Traditional Protections
The EvilTokens campaign marks a shift in phishing strategies by circumventing the need for password theft. Attackers exploit Microsoft’s OAuth 2.0 Device Code flow, originally intended for devices with limited input capabilities, to gain unauthorized access to enterprise accounts. This method leverages legitimate Microsoft infrastructure to deceive users into granting access.
Victims receive phishing emails directing them to enter a device code at Microsoft’s legitimate sign-in page; once they do, the attackers obtain OAuth tokens for the account even when multi-factor authentication (MFA) is enabled. This technique renders traditional phishing detection ineffective because credentials are never entered on a fake site.
EvilTokens operates as a Phishing-as-a-Service (PhaaS) platform, facilitating widespread attacks across various sectors in the United States and India. With over 180 phishing URLs detected in a week, the campaign’s automation and AI capabilities enable rapid execution and significant impact.
AMOS Campaign: Targeting macOS Developers
Simultaneously, the AMOS campaign targets macOS users, particularly developers using AI tools. Attackers deploy a ClickFix attack chain, misleading users through Google Ads to run malicious terminal commands from fake documentation pages. This sophisticated social engineering tactic leads to the execution of an encoded script, resulting in credential theft.
The AMOS Stealer extracts browser credentials, saved passwords, and macOS Keychain contents, establishing a persistent backdoor with full system access. This poses a grave risk to enterprises as developers often manage sensitive data and infrastructure.
The backdoor module, previously limited in capability, has evolved to support an interactive reverse shell, granting attackers extended access. This highlights the increasing complexity and danger of such attacks.
Mitigation and Future Outlook
Organizations must enhance their security measures to counter these threats. For EvilTokens, auditing Microsoft Entra ID logs for unusual device code flows and implementing Conditional Access policies is crucial. Regular token rotation for privileged accounts can also mitigate risks.
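The audit step described above can be automated against exported Entra ID sign-in records. The following script is an added example and is not code from the original article or from Microsoft: it assumes records in the JSON shape returned by the Microsoft Graph sign-in logs, where the authenticationProtocol property reads "deviceCode" for the OAuth 2.0 Device Code flow, and it uses a constructed sample log and a hypothetical allowlist of applications for which device-code sign-ins are expected in a given tenant.

```python
"""Flag successful OAuth device-code sign-ins in Entra ID sign-in log records.

Added example (not from the original article). Assumes the Graph sign-in
log field names (authenticationProtocol, appDisplayName, status.errorCode);
the sample records and the application allowlist below are constructed.
"""
import json
from collections import Counter

# Constructed sample sign-in records; only the fields used here are present.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-03-03T09:12:44Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-03T09:15:02Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-03T09:16:30Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-03T09:20:11Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 70016}},  # non-zero: failed attempt (constructed)
])

# Hypothetical allowlist: apps for which device-code sign-ins are expected in this tenant.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def parse_signins(raw_json):
    """Parse a JSON array of sign-in records (the `value` array of a sign-in log export)."""
    records = json.loads(raw_json)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of sign-in records")
    return records


def flag_device_code_signins(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return one finding per successful device-code sign-in.

    A device-code sign-in through an app that never legitimately uses that flow
    is rated high; one through an allowlisted app is still reported (medium)
    so that the per-user volume can be reviewed.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are not token issuances; track separately if desired
        app = rec.get("appDisplayName", "")
        findings.append({
            "time": rec.get("createdDateTime"),
            "user": rec.get("userPrincipalName"),
            "app": app,
            "ip": rec.get("ipAddress"),
            "severity": "medium" if app in expected_apps else "high",
        })
    return findings


def per_user_counts(findings):
    """Count successful device-code sign-ins per user for triage."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    for f in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{f['severity']}] {f['time']} {f['user']} via {f['app']} from {f['ip']}")
    print(per_user_counts(flag_device_code_signins(parse_signins(SAMPLE_SIGNINS))))
```

Any high-severity finding is a candidate for token revocation and a Conditional Access review for that user; the allowlist is the knob that separates the tenant's legitimate device-code use (CLI tools on input-constrained hosts) from sign-ins that should never use this flow.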
For the AMOS threat, policies to block unsigned script execution and monitoring for suspicious WebSocket connections are essential. Deploying endpoint detection systems tuned to identify AMOS behaviors can prevent further infiltration.
These campaigns underscore a broader trend where attackers harness legitimate infrastructure and workflows, such as Microsoft pages and Google Ads, to evade detection. Strengthening cross-platform threat visibility is imperative for reducing breach risks and ensuring rapid response to emerging threats.
