Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
EvilTokens: A New Phishing Threat Targeting Microsoft Accounts

EvilTokens: A New Phishing Threat Targeting Microsoft Accounts

Posted on March 31, 2026 By CWS

A newly developed phishing toolkit has surfaced, raising concerns in the cybersecurity community. In early 2026, EvilTokens, a Phishing-as-a-Service (PhaaS) platform, began making waves in cybercriminal circles by offering an advanced kit designed to compromise Microsoft 365 accounts.

Unlike typical phishing tools that replicate Microsoft login interfaces, EvilTokens employs a different tactic by exploiting the genuine Microsoft device code authentication flow, covertly granting attackers complete account access.

Emergence and Adoption of EvilTokens

Introduced to the cybercrime landscape in February 2026, EvilTokens quickly gained traction among cybercriminals specializing in Business Email Compromise (BEC) and Adversary-in-the-Middle (AitM) attacks.

The platform operates using Telegram bots and provides its affiliates with phishing templates, tools for email collection, account exploration capabilities, a built-in webmail interface, and AI-driven automation. The creator, known as eviltokensadmin, has announced plans to extend support to Gmail and Okta phishing pages soon.

Research and Implications

Sekoia’s Threat Detection and Research (TDR) team identified EvilTokens in March 2026 while observing phishing-focused cybercrime forums. Their analysis confirmed that EvilTokens is the first PhaaS offering ready-to-use Microsoft device code phishing pages, likely generated using AI technology.

Attacks attributed to EvilTokens have impacted organizations across the globe, notably in the United States, Australia, Canada, France, India, Switzerland, and the United Arab Emirates. The attacks typically target employees in finance, HR, logistics, and sales, roles particularly susceptible to BEC scams.

Mechanics of Account Compromise

The core strategy of EvilTokens revolves around manipulating Microsoft’s OAuth 2.0 Device Authorization Grant, a legitimate protocol intended for devices with limited input options, such as smart TVs.

In a typical scenario, a device shows a code to be entered in a browser for authentication. EvilTokens hijacks this process by posing as the device and deceiving victims into completing the authentication on the attacker’s behalf.

When victims input the code, believing they are accessing shared documents or invoices, they inadvertently provide attackers with an access token and a refresh token, facilitating prolonged account access.

To counter such threats, organizations should disable device code authentication flows for unnecessary users through Conditional Access policies in Microsoft Entra ID. Security teams are advised to monitor sign-ins using this grant type, particularly from unknown locations.

Employee education on device authentication is critical, as the attack succeeds when victims misunderstand the implications of entering a device code. Sekoia has released a YARA rule to detect EvilTokens phishing pages, and tools like urlscan.io and urlquery can help identify associated infrastructure.

Cyber Security News Tags:AI-generated, AiTM, BEC, cyber threat, Cybercrime, Cybersecurity, device code, email compromise, EvilTokens, Microsoft, OAuth 2.0, PhaaS, Phishing, Security, Sekoia

Post navigation

Previous Post: Censys Secures $70M to Boost Internet Intelligence
Next Post: Exploitation of TrueConf Flaw Targets Southeast Asian Governments

Related Posts

25 Controls, Mapped And Audit-Ready 25 Controls, Mapped And Audit-Ready Cyber Security News
Gcore Mitigates Record-Breaking 6 Tbps DDoS Attack Gcore Mitigates Record-Breaking 6 Tbps DDoS Attack Cyber Security News
Top 10 Best Web Application Penetration Testing Companies in 2025 Top 10 Best Web Application Penetration Testing Companies in 2025 Cyber Security News
UAT-7290 Hackers Attacking Critical Infrastructure Entities in South Asia UAT-7290 Hackers Attacking Critical Infrastructure Entities in South Asia Cyber Security News
29.7 Tbps DDoS Attack Via Aisuru botnet Breaks Internet With New World Record 29.7 Tbps DDoS Attack Via Aisuru botnet Breaks Internet With New World Record Cyber Security News
AI-Powered Phishing and QR Code Threats Rise in 2025 AI-Powered Phishing and QR Code Threats Rise in 2025 Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Severe Bugs in AI Code Editor Risk System Intrusion
  • India Suspends WhatsApp Usernames Over Security Issues
  • Adobe Tackles Major Security Flaws in ColdFusion and Campaign
  • Critical RCE Vulnerabilities Found in Cursor IDE
  • Ousaban Trojan Targets Iberian Banks with PDF Traps

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Severe Bugs in AI Code Editor Risk System Intrusion
  • India Suspends WhatsApp Usernames Over Security Issues
  • Adobe Tackles Major Security Flaws in ColdFusion and Campaign
  • Critical RCE Vulnerabilities Found in Cursor IDE
  • Ousaban Trojan Targets Iberian Banks with PDF Traps

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark