
Apr 02, 2026 · 6 min read

A New Phishing Service Just Gave Anyone the Tools to Hijack Microsoft 365 Accounts—340 Organizations Hit So Far

EvilTokens abuses OAuth device code flows to steal Microsoft 365 tokens, bypassing MFA entirely. The kit is sold on Telegram and has already compromised organizations across seven countries.

A computer screen showing a suspicious login prompt with a device code verification page

What Is EvilTokens

EvilTokens is a phishing as a service (PhaaS) platform that automates OAuth 2.0 device code phishing attacks against Microsoft 365 users. First observed on February 19, 2026, the kit is sold over Telegram and is under continuous development, with its author planning to add support for Gmail and Okta phishing pages.

According to research by Sekoia, the campaign has already compromised more than 340 Microsoft 365 organizations across the United States, Canada, France, Australia, India, Switzerland, and the United Arab Emirates. Targeted sectors include finance, HR, logistics, sales, healthcare, legal services, and local government.

How Device Code Phishing Works

The device code flow (RFC 8628) was designed for input-constrained devices such as smart TVs, printers and IoT hardware that need to sign in to Microsoft services but have no usable keyboard or browser. The device asks Microsoft for a pair of codes: a short user code that it shows on screen, and a longer device code that it keeps. The user opens https://microsoft.com/devicelogin on any other device, types in the user code and signs in as usual, MFA included. Meanwhile the original device polls the token endpoint with its device code, and once the user has approved, the tokens are issued to whichever client holds that device code.

EvilTokens abuses this flow by putting the attacker's infrastructure in the role of the "device". The attack sequence runs as follows:

  • Victims receive emails carrying documents (PDF, HTML, DOCX, XLSX or SVG) that contain QR codes or hyperlinks
  • The link leads to a phishing page that mimics Adobe Acrobat, DocuSign or a similar trusted service
  • Behind the page, the kit requests a device code pair from Microsoft and displays the user code to the victim as a "verification code", next to a "Continue to Microsoft" button (Microsoft's user codes expire after 15 minutes, so the kit has to request them on demand)
  • The button sends the victim to the genuine Microsoft device login page, where they enter the code and sign in
  • Once the victim authenticates, the kit's polling client receives both the short-lived access token and the long-lived refresh token

The critical detail: the victim never types anything into a fake page. They authenticate on the real Microsoft login page and complete the MFA challenge themselves, and Microsoft then issues the tokens to the client that requested the device code, which is the attacker's kit. MFA is satisfied rather than defeated, and the result is a legitimately issued session in the attacker's hands.

What Attackers Get

Once the tokens are harvested, the attacker has immediate access to everything associated with the victim's Microsoft 365 account:

  • Full email access, including the ability to send messages as the victim
  • OneDrive and SharePoint files
  • Microsoft Teams conversations and data
  • A refresh token that can be exchanged for fresh access tokens to other Microsoft services within the client's permitted scope, with no further interaction from the victim for as long as it remains valid

This access enables business email compromise (BEC) attacks, where the attacker uses a legitimate account to send fraudulent invoices, redirect payments, or steal sensitive documents. The FBI estimates BEC attacks cost organizations over $55 billion globally between 2013 and 2025.

Why This Is Different From Regular Phishing

Traditional phishing creates a fake login page to steal usernames and passwords. Modern defenses like MFA make those attacks significantly harder because the attacker also needs the second factor.

Device code phishing sidesteps this entirely. The victim never enters their password on a fake page. They authenticate on the real Microsoft site, complete MFA on their own device, and unknowingly authorize a session that the attacker controls. From the victim's perspective everything looks legitimate because it is: the only thing wrong is which client receives the tokens, and nothing in the flow makes that visible.

This represents a growing trend in advanced phishing techniques that bypass traditional security measures. Adversary in the middle (AITM) and device code phishing are increasingly replacing simple credential harvesting as the primary attack vector.

The Phishing as a Service Economy

EvilTokens is part of a growing underground economy where sophisticated attack tools are packaged and sold as turnkey products. Like legitimate SaaS platforms, these kits offer customer support, regular updates, and feature roadmaps. The barrier to entry for launching a sophisticated phishing campaign has dropped to a subscription bought over Telegram for a few hundred dollars.

This follows the same pattern seen with the Tycoon 2FA phishing service, which was responsible for 62% of phishing attacks before Europol seized its infrastructure in March 2026. When law enforcement takes down one platform, replacements appear within weeks.

How to Protect Your Organization

Device code phishing exploits a legitimate OAuth flow, which makes it harder to block without disrupting normal operations. Here is what security teams should consider:

  • Block the device code flow with a Microsoft Entra ID (formerly Azure AD) Conditional Access policy: the Authentication flows condition has a Device code flow option, and the grant control should be Block access. Scope it to all users and all resources, excluding only the accounts that genuinely sign in from input-constrained devices
  • Hunt in the Entra sign-in logs for entries whose Authentication Protocol is Device Code. In a tenant that does not use the flow there should be none; in one that does, every such sign-in should belong to a known device account and come from an expected network and country
  • Require a compliant or hybrid-joined device in Conditional Access for the applications that matter; the attacker's polling client is not a registered device, so its token request fails the policy
  • Train employees to recognize unexpected "device code" or "verification code" prompts, especially ones that arrive by email. The real device login page names the application that will receive the tokens, so an approval prompt for an application the user did not deliberately set up is a red flag
  • Deploy email security controls that can detect and quarantine messages containing suspicious QR codes or device code lures
  • Review Sekoia's published indicators of compromise and YARA rules for EvilTokens infrastructure
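
As an added example of the log hunting described above (not code from the article or from Sekoia), the following script reads exported sign-in records in the shape of the Microsoft Graph `signIn` resource (as returned by `GET https://graph.microsoft.com/v1.0/auditLogs/signIns`), keeps the ones whose `authenticationProtocol` is `deviceCode`, and grades each against an allow-list of accounts that legitimately use the flow and the countries the tenant expects. The records, account names, application names and IP addresses are constructed for the example; the field names and the Conditional Access block error code 53003 are real.

```python
import json

BLOCKED_BY_CONDITIONAL_ACCESS = 53003   # AADSTS53003: access blocked by Conditional Access

# Constructed sign-in records (JSON lines), trimmed to the fields this check uses.
SAMPLE_SIGNINS = """
{"id": "s1", "createdDateTime": "2026-03-30T08:02:11Z", "userPrincipalName": "room-display@contoso.example", "appDisplayName": "Meeting Room Agent", "ipAddress": "198.51.100.20", "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"id": "s2", "createdDateTime": "2026-03-30T09:14:45Z", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Document Viewer", "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}}
{"id": "s3", "createdDateTime": "2026-03-30T09:15:02Z", "userPrincipalName": "bob@contoso.example", "appDisplayName": "Outlook", "ipAddress": "198.51.100.33", "authenticationProtocol": "oAuth2", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"id": "s4", "createdDateTime": "2026-03-30T11:40:19Z", "userPrincipalName": "carol@contoso.example", "appDisplayName": "Document Viewer", "ipAddress": "203.0.113.9", "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "FR"}, "status": {"errorCode": 53003}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def device_code_alerts(records, allowed_users, expected_countries):
    """Return one alert per device code sign-in, graded by how far it departs
    from what the tenant expects. Other protocols are ignored."""
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r.get("userPrincipalName", "").lower()
        country = (r.get("location") or {}).get("countryOrRegion")
        error = (r.get("status") or {}).get("errorCode", 0)
        reasons = []
        if upn not in allowed_users:
            reasons.append("account is not an approved device code user")
        if country not in expected_countries:
            reasons.append(f"sign-in geolocated to {country}")
        if error == BLOCKED_BY_CONDITIONAL_ACCESS:
            severity = "info"        # the policy worked; still worth knowing the lure circulated
            reasons.append("blocked by Conditional Access (53003)")
        elif error != 0:
            severity = "low"
            reasons.append(f"sign-in failed with error {error}")
        elif reasons:
            severity = "high"        # successful device code sign-in outside the baseline
        else:
            severity = "info"        # expected device account from an expected place
        alerts.append({"id": r.get("id"), "time": r.get("createdDateTime"), "user": upn,
                       "app": r.get("appDisplayName"), "ip": r.get("ipAddress"),
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    found = device_code_alerts(parse_signins(SAMPLE_SIGNINS),
                               allowed_users={"room-display@contoso.example"},
                               expected_countries={"US"})
    for a in found:
        print(a["severity"].upper(), a["time"], a["user"], a["ip"], "; ".join(a["reasons"]))
```

In a tenant that blocks the flow, the interesting lines are the 53003 entries: each one is a user who read a code off a lure page and tried to approve it, which is a prompt for a phishing-awareness follow-up even though no token was issued.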

The Bottom Line

EvilTokens demonstrates that MFA alone is no longer sufficient to protect Microsoft 365 accounts. Device code phishing turns the authentication system against itself, using the real Microsoft login page as the weapon. With 340 organizations already compromised across seven countries and the kit actively expanding, this threat is growing faster than most security teams can respond.

If your organization uses Microsoft 365, check whether an enforced Conditional Access policy in your Microsoft Entra ID tenant blocks the device code flow. The flow is on by default and there is no tenant-wide switch for it, so if nobody needs it, create that policy today.
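
To make that closing check concrete, here is an added example (not code from the article) that shows the Conditional Access policy in the Microsoft Graph `conditionalAccessPolicy` format and audits an exported policy set for an enforced policy that actually blocks the device code flow for a given user. The policy body uses the real `conditions.authenticationFlows.transferMethods` condition and `builtInControls` grant; the group ID is a placeholder, and the audit treats report-only policies, partial application scope and explicit user exclusions as gaps. Group exclusions cannot be resolved offline, so they are reported for manual review rather than evaluated.

```python
DEVICE_CODE_FLOW = "deviceCodeFlow"   # value used in authenticationFlows.transferMethods

# Policy body to POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
# (requires Policy.ReadWrite.ConditionalAccess). The excluded group ID is a placeholder
# for the group holding the accounts that genuinely need the flow.
BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",               # "enabledForReportingButNotEnforced" would only log
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [],
                  "excludeGroups": ["00000000-0000-0000-0000-000000000000"]},  # placeholder
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": DEVICE_CODE_FLOW},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def blocks_device_code(policy, user_id="All"):
    """(True, notes) if this one policy, as exported from Graph, blocks the device
    code flow for user_id (an object ID or UPN; "All" asks about everyone),
    otherwise (False, [reason])."""
    if policy.get("state") != "enabled":
        return False, [f"policy not enforced (state={policy.get('state')})"]
    c = policy.get("conditions") or {}
    methods = (c.get("authenticationFlows") or {}).get("transferMethods") or ""
    if DEVICE_CODE_FLOW not in [m.strip() for m in methods.split(",")]:
        return False, ["policy does not target the device code flow"]
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "block" not in controls:
        return False, ["grant control is not Block"]
    users = c.get("users") or {}
    if not ("All" in (users.get("includeUsers") or []) or user_id in (users.get("includeUsers") or [])):
        return False, ["user not in the policy's include scope"]
    if user_id in (users.get("excludeUsers") or []):
        return False, ["user explicitly excluded"]
    apps = (c.get("applications") or {}).get("includeApplications") or []
    if "All" not in apps:
        return False, ["policy covers only some resources: " + ", ".join(apps)]
    notes = []
    if users.get("excludeGroups"):
        notes.append("verify membership of excluded groups: " + ", ".join(users["excludeGroups"]))
    return True, notes


def tenant_blocks_device_code(policies, user_id="All"):
    """Audit a whole policy set (e.g. the `value` array from
    GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies).
    Returns (blocked, {policy name: (blocks, notes)})."""
    findings = {p.get("displayName"): blocks_device_code(p, user_id) for p in policies}
    return any(ok for ok, _ in findings.values()), findings


if __name__ == "__main__":
    blocked, detail = tenant_blocks_device_code([BLOCK_DEVICE_CODE_POLICY])
    print("device code flow blocked:", blocked)
    for name, (ok, notes) in detail.items():
        print(f"  {name}: {'blocks' if ok else 'does not block'} {notes}")
```

Run the audit once for `"All"` and once for any account you are worried about, since a policy that covers everyone on paper can still leave a particular user out through an exclusion.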