Subtle, stealthy phishing turns a trusted Microsoft login feature into a powerful weapon for silent account takeover.
Key Takeaways:
Organizations around the world are being quietly breached through a new Microsoft device‑code phishing operation that blends automation and AI to slip past traditional defenses. It allows attackers to hijack a legitimate login process to gain persistent access to corporate email accounts and steal sensitive financial information.
This new malicious phishing kit, called EvilTokens, was first discovered by SEKOIA’s Threat Detection & Research team in March 2026. It has been actively used since mid‑February and is spreading rapidly among cybercriminals.
EvilTokens is a turnkey phishing kit sold as a service that primarily targets Microsoft 365 users. It is designed to lower the barrier for attackers by providing ready‑made phishing pages, automation tools, and post‑compromise features. The service is operated and updated via Telegram bots, which makes it easier for affiliates to deploy and manage attacks.
The attack begins with a phishing email or document lure that impersonates routine business activity (such as invoices, shared files, or meeting requests) and directs the victim to a fake landing page. That page displays a legitimate Microsoft device login code and instructs the user to “verify” their identity by entering the code on Microsoft’s real sign‑in site, which unknowingly authorizes the attacker’s session.
Once the victim completes the login and any multifactor authentication (MFA) challenge, the attacker receives valid access and refresh tokens, which are then used to silently access the victim’s Microsoft 365 account, read emails, harvest contacts, and conduct internal reconnaissance. This often leads to financial fraud or business email compromise without a password ever being stolen.
Security controls that look for fake domains or credential interception often fail to detect the attack because the authentication occurs on genuine Microsoft infrastructure. The tokens issued once authorization completes give the attacker persistent access to the victim’s Microsoft 365 environment without any need for the password.
EvilTokens is not limited to initial account access. The kit enables token weaponization that allows attackers to read emails, harvest contacts, and perform internal reconnaissance. It even includes a built‑in webmail interface, which enables attackers to operate directly within compromised mailboxes and prepare more sophisticated fraud, such as business email compromise (BEC).
According to SEKOIA, EvilTokens has been quickly adopted by threat actors already involved in BEC and adversary‑in‑the‑middle phishing. Researchers predict that EvilTokens will become a major competitor in the phishing and BEC ecosystem due to its automation, ease of use, and stealthy authentication abuse.
To reduce the risk of device‑code phishing attacks, organizations should control or restrict the use of device code authentication where it is not required and monitor sign‑in logs for unusual or unexpected device‑based login activity. Strong conditional access policies can help minimize abuse even when tokens are issued legitimately. These include enforcing phishing‑resistant MFA methods, limiting token lifetimes, and blocking logins from unfamiliar locations or devices.
Security teams should also train employees to recognize verification prompts they did not initiate, disable overly permissive OAuth app and token permissions, and deploy detection rules focused on anomalous token usage and post‑login behavior rather than just credential theft.
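The log monitoring described above, as an added defender-side example (not code from SEKOIA or Microsoft): it flags device-code sign-ins whose app is not on an assumed tenant allow-list or whose country has never appeared in that user's ordinary sign-ins. Record field names are modelled on Microsoft Entra ID sign-in log fields; the records and the allow-list are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real telemetry). Field names follow
# Entra ID sign-in logs; "deviceCode" marks the device code authentication flow.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": "US", "appDisplayName": "Outlook"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.11", "location": "US", "appDisplayName": "Teams"},
    # Device-code sign-in for Alice from a country she has never used: suspicious.
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": "NL", "appDisplayName": "Microsoft Office"},
    # Device-code sign-in for Bob via an allow-listed CLI from his usual country: benign.
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.5", "location": "DE", "appDisplayName": "Outlook"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.5", "location": "DE", "appDisplayName": "Azure CLI"},
]

# Assumed tenant allow-list of apps that legitimately use the device code flow.
KNOWN_DEVICE_CODE_APPS = {"Azure CLI"}


def build_location_baseline(records):
    """Countries each user has signed in from via non-device-code flows."""
    baseline = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(r.get("location"))
    return baseline


def flag_device_code_signins(records, known_apps=KNOWN_DEVICE_CODE_APPS):
    """Return device-code sign-ins that use an unexpected app or location."""
    baseline = build_location_baseline(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if r.get("appDisplayName") not in known_apps:
            reasons.append("app not on device-code allow-list")
        if r.get("location") not in baseline[r["userPrincipalName"]]:
            reasons.append("location never seen for this user")
        if reasons:  # only report sign-ins that break the baseline
            findings.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                             "app": r["appDisplayName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

In a real deployment the baseline would be built from weeks of history rather than the same batch, and the same check can be extended with the token lifetime and conditional access signals mentioned above.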