Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
EvilTokens: A New Phishing Threat Targeting Microsoft Accounts

EvilTokens: A New Phishing Threat Targeting Microsoft Accounts

Posted on March 31, 2026 By CWS

A newly developed phishing toolkit has surfaced, raising concerns in the cybersecurity community. In early 2026, EvilTokens, a Phishing-as-a-Service (PhaaS) platform, began making waves in cybercriminal circles by offering an advanced kit designed to compromise Microsoft 365 accounts.

Unlike typical phishing tools that replicate Microsoft login interfaces, EvilTokens employs a different tactic by exploiting the genuine Microsoft device code authentication flow, covertly granting attackers complete account access.

Emergence and Adoption of EvilTokens

Introduced to the cybercrime landscape in February 2026, EvilTokens quickly gained traction among cybercriminals specializing in Business Email Compromise (BEC) and Adversary-in-the-Middle (AitM) attacks.

The platform operates using Telegram bots and provides its affiliates with phishing templates, tools for email collection, account exploration capabilities, a built-in webmail interface, and AI-driven automation. The creator, known as eviltokensadmin, has announced plans to extend support to Gmail and Okta phishing pages soon.

Research and Implications

Sekoia’s Threat Detection and Research (TDR) team identified EvilTokens in March 2026 while observing phishing-focused cybercrime forums. Their analysis confirmed that EvilTokens is the first PhaaS offering ready-to-use Microsoft device code phishing pages, likely generated using AI technology.

Attacks attributed to EvilTokens have impacted organizations across the globe, notably in the United States, Australia, Canada, France, India, Switzerland, and the United Arab Emirates. The attacks typically target employees in finance, HR, logistics, and sales, roles particularly susceptible to BEC scams.

Mechanics of Account Compromise

The core strategy of EvilTokens revolves around manipulating Microsoft’s OAuth 2.0 Device Authorization Grant, a legitimate protocol intended for devices with limited input options, such as smart TVs.

In a typical scenario, a device shows a code to be entered in a browser for authentication. EvilTokens hijacks this process by posing as the device and deceiving victims into completing the authentication on the attacker’s behalf.

When victims input the code, believing they are accessing shared documents or invoices, they inadvertently provide attackers with an access token and a refresh token, facilitating prolonged account access.

To counter such threats, organizations should disable device code authentication flows for unnecessary users through Conditional Access policies in Microsoft Entra ID. Security teams are advised to monitor sign-ins using this grant type, particularly from unknown locations.

Employee education on device authentication is critical, as the attack succeeds when victims misunderstand the implications of entering a device code. Sekoia has released a YARA rule to detect EvilTokens phishing pages, and tools like urlscan.io and urlquery can help identify associated infrastructure.

Cyber Security News Tags:AI-generated, AiTM, BEC, cyber threat, Cybercrime, Cybersecurity, device code, email compromise, EvilTokens, Microsoft, OAuth 2.0, PhaaS, Phishing, Security, Sekoia

Post navigation

Previous Post: Censys Secures $70M to Boost Internet Intelligence
Next Post: Exploitation of TrueConf Flaw Targets Southeast Asian Governments

Related Posts

Hackers Abusing GitHub Notifications to Deliver Phishing Emails Hackers Abusing GitHub Notifications to Deliver Phishing Emails Cyber Security News
OpenAnt: AI Tool for Detecting Software Vulnerabilities OpenAnt: AI Tool for Detecting Software Vulnerabilities Cyber Security News
Hackers Hijacked 18 Very Popular npm Packages With 2 Billion Weekly Downloads Hackers Hijacked 18 Very Popular npm Packages With 2 Billion Weekly Downloads Cyber Security News
Global Spyware Markets to Identify New Entities Entering The Market Global Spyware Markets to Identify New Entities Entering The Market Cyber Security News
Sandworm Hackers Shift Focus to Critical Infrastructure Sandworm Hackers Shift Focus to Critical Infrastructure Cyber Security News
A New Tool that Automates GitHub Device Code Phishing Attack A New Tool that Automates GitHub Device Code Phishing Attack Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Microsoft Enhances Teams Security to Block Unauthorized AI Bots
  • SEO-Poisoned Sites Exploit ScreenConnect for Malware
  • Enhancing Cybersecurity Intelligence with OpenCTI
  • Severe Bugs in AI Code Editor Risk System Intrusion
  • India Suspends WhatsApp Usernames Over Security Issues

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Microsoft Enhances Teams Security to Block Unauthorized AI Bots
  • SEO-Poisoned Sites Exploit ScreenConnect for Malware
  • Enhancing Cybersecurity Intelligence with OpenCTI
  • Severe Bugs in AI Code Editor Risk System Intrusion
  • India Suspends WhatsApp Usernames Over Security Issues

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark