New EvilTokens Service Fuels Microsoft Device Code Phishing Attacks
A new malicious kit, "EvilTokens", offers a phishing-as-a-service platform that hijacks Microsoft accounts through device code phishing, letting attackers obtain short-lived access tokens and refresh tokens that grant access to email, files, Teams, and SSO impersonation. The kit is sold via Telegram, is being continually expanded to support Gmail and Okta, and targets business roles with tailored documents and QR codes. Researchers at Sekoia identified widespread global campaigns and published indicators of compromise, YARA rules, and technical details to help defenders block the attacks.

A recently uncovered malicious toolkit named EvilTokens adds device code phishing to the capabilities readily available to threat actors. Marketed as a phishing-as-a-service option, EvilTokens is sold through messaging platforms and is described by its operators as a continuously evolving project. Early chatter indicates a plan to broaden support to additional landing pages for Gmail and Okta, signaling an ambition to widen the ecosystem of trusted-service impersonations beyond Microsoft alone.
At its core, EvilTokens exploits the OAuth 2.0 device authorization flow, a mechanism designed for devices with limited input capabilities. In a typical device code phishing scenario, an attacker entices a target to authorize a malicious device, effectively granting the attacker access to the victim’s account. What makes EvilTokens notable is its integration of phishing templates and workflow automation that aim to streamline this process and sustain access over time. The approach is not brand-new in the security landscape—numerous actors have used device code phishing in the past—but the new kit elevates the scale and speed at which these campaigns can be launched and managed.
Operationally, researchers have observed EvilTokens in action through emails that arrive with attachments or links to phishing templates. These payloads masquerade as credible business documents or communications—think PDFs, HTML files, Word or Excel documents, and even vector graphics—accompanied by QR codes or hyperlinks. The lure often resembles legitimate corporate content such as financial statements, meeting invitations, purchase orders, payroll notices, or shared documents from mainstream services like DocuSign or SharePoint. The objective is to entice the recipient to click through to a phishing page that imitates a trusted service, such as an authentic-looking login flow for Microsoft.
Once the victim engages, the phishing page presents a verification code and instructions that guide the user toward an “identity verification” step. The crucial moment comes when the page nudges the user to click a button that ostensibly continues to Microsoft. This redirection is part of the attacker’s plan to leverage a real Microsoft authentication endpoint: the attacker uses a legitimate Microsoft client to request a device code, and the victim, following the attacker’s instructions, unwittingly completes the authorization for that code at the genuine Microsoft URL. At the end of this sequence the attacker holds a short-lived access token and a refresh token, enabling rapid and persistent access to a wide array of services tied to the victim’s account, including email, files, Teams data, and the ability to impersonate the user across Microsoft services through Single Sign-On.
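The flow described above leaves a trace in the identity provider's sign-in logs, so a defender's first step is to single out device code sign-ins that do not match normal use. The example below is added here and is not code from the article or from Sekoia; it assumes records shaped like Microsoft Entra ID sign-in log entries (the `authenticationProtocol` field takes the value `deviceCode` for this flow), uses constructed sample records, and treats the approved-app allowlist as a hypothetical organisational setting.

```python
from collections import defaultdict

# Constructed sample records shaped like Microsoft Entra ID sign-in log entries
# (Microsoft Graph "signIn" resource; only the fields used below are included).
# All values are invented for illustration, not indicators from a real campaign.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "appId": "app-0001", "location": {"countryOrRegion": "FR"}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appId": "app-0002", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "appId": "app-0001", "location": {"countryOrRegion": "FR"}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appId": "app-0003", "location": {"countryOrRegion": "FR"}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2",
     "appId": "app-0001", "location": {"countryOrRegion": "CH"}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "appId": "app-0003", "location": {"countryOrRegion": "AE"}},
]

# Hypothetical allowlist of appIds the organisation expects to use the device
# code flow (e.g. CLI tooling on input-constrained hosts).
EXPECTED_DEVICE_CODE_APPS = {"app-0003"}


def flag_device_code_signins(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return (reasons, record) pairs for device code sign-ins worth triage.

    "unexpected_app": the client requesting the code is not approved for the flow.
    "new_country": the sign-in comes from a country the same user never uses for
    ordinary sign-ins (users with no baseline are not judged on location).
    """
    baseline = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        reasons = []
        if r["appId"] not in expected_apps:
            reasons.append("unexpected_app")
        if baseline[user] and country not in baseline[user]:
            reasons.append("new_country")
        if reasons:
            findings.append((reasons, r))
    return findings
```

Running `flag_device_code_signins(SAMPLE_SIGNINS)` flags Alice (unapproved client and new country) and Carol (approved client, but from a country she never otherwise signs in from) while leaving Bob's routine device code sign-in alone. Where the device code flow is not needed at all, a Conditional Access policy on authentication flows can block it outright, which removes the technique rather than merely detecting it.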
The breadth of this technique is underscored by threat intelligence research that maps EvilTokens to a global footprint. Campaigns have been observed across multiple regions, with the United States, Canada, France, Australia, India, Switzerland, and the United Arab Emirates cited as among the most affected. The variety and volume of campaigns point to a broader adoption of EvilTokens among operators who pursue phishing and business email compromise (BEC) activities. In addition to the immediate theft of credentials, the toolkit appears to offer automation features intended to streamline BEC operations, suggesting that these campaigns can scale beyond isolated incidents into ongoing, repeated abuses.
Security researchers have also highlighted the breadth of EvilTokens’ phishing templates. The platform provides a range of ready-to-use designs that imitate common business documents and workflows. The phishing pages impersonate well-known services not only at the surface level but in the flow of the user experience—the page displays a verification code and directions to complete identity checks, while the underlying objective is to harvest tokens and enable persistent access. The end result for attackers is the acquisition of tokens that grant immediate access to victim services and the potential for continued exploitation through compromised sessions and SSO impersonation across connected Microsoft ecosystems.
Experts note that EvilTokens is more than a simple phishing page; it is a fully developed attack platform that encompasses phishing templates, a workflow to harvest device codes, and automation tools designed to facilitate business email compromise. The breadth and sophistication suggest that operators are moving toward a more scalable model, enabling multiple campaigns to run in parallel and reach a wide audience of potential targets. This is consistent with broader trends in phishing-as-a-service, where the emphasis shifts from single campaigns to sustainable, multi-actor ecosystems capable of rapid deployment and long-term persistence.
Threat intelligence outfits have begun cataloging the infrastructure and campaigns associated with EvilTokens, sharing indicators of compromise, technical details, and defensive tooling such as YARA rules to help defenders detect and block EvilTokens-based activity. The emphasis is on mapping the threat landscape and equipping security teams with the means to recognize the telltale signs of these device code phishing efforts, from the presence of specific phishing templates to the sequences that lead a victim from a deceptive document to a legitimate-looking Microsoft login experience.
In parallel with the spread of EvilTokens, researchers reiterate a central point about device code phishing: it exploits trusted authentication channels and legitimate services. When done at scale, it can undermine an organization’s security posture by providing attackers with tokens that unlock a broad spectrum of resources. The implication is clear for security teams operating in environments that rely on cloud-based productivity suites: even familiar interfaces and trusted providers can become vectors for credential theft and token leakage when presented through convincing phishing artifacts.
The emergence of EvilTokens as a capable, scalable phishing-as-a-service (PhaaS) option underscores the need for ongoing vigilance around OAuth flows and trusted device authorization processes. As attackers continue to refine their playbooks, the defense landscape must adapt to recognize the patterns of phishing that blend credible document framing, authentic service impersonation, and the coercive prompts that push victims toward unintended credential exposure. In this evolving threat space, the line between legitimate service usage and fraudulent redirection can blur quickly, making awareness and rapid incident response essential components of any organization’s security strategy.