EvilTokens Phishing Kit Exploits Microsoft Device Login to Hijack Accounts at Scale
Overview
A newly identified phishing-as-a-service (PhaaS) platform, dubbed EvilTokens, is rapidly gaining traction among cybercriminals, enabling large-scale account takeovers through a novel technique known as device code phishing. First observed in early 2026, the toolkit is being widely adopted for Business Email Compromise (BEC) attacks and advanced credential theft campaigns.
A New Twist on Phishing Attacks
Unlike traditional phishing kits that replicate login pages, EvilTokens leverages Microsoft’s legitimate device authentication flow. Instead of stealing passwords directly, attackers trick victims into entering a verification code on an official Microsoft login page, unknowingly granting attackers access to their accounts.
This method abuses the OAuth device authorization process, commonly used for smart TVs and IoT devices, where users authenticate on a secondary device. Once the victim completes the login, attackers receive access and refresh tokens, enabling immediate and persistent access to sensitive data.
Advanced Features for Account Takeover
EvilTokens stands out by offering a fully automated attack ecosystem. The kit provides phishing templates impersonating trusted services like DocuSign, SharePoint, and Adobe Acrobat, making lures highly convincing. Victims are directed to legitimate Microsoft login pages, increasing the likelihood of success.
Beyond initial compromise, the platform allows attackers to convert stolen tokens into long-term access mechanisms, including Primary Refresh Tokens (PRTs). These tokens enable silent authentication across Microsoft services without requiring passwords or multi-factor authentication.
The platform also includes built-in reconnaissance tools, allowing attackers to extract emails, files, and organizational data from compromised accounts.
Global Campaigns and Rapid Adoption
Researchers observed widespread campaigns delivering malicious links through PDF, HTML, and Office documents. These lures often target employees in finance, HR, and logistics sectors, increasing the chances of successful BEC fraud.
The infrastructure behind EvilTokens is extensive, with over 1,000 domains hosting phishing pages and campaigns impacting organizations across the United States, Europe, Asia, and the Middle East.
Why It’s Dangerous
The key risk lies in the technique itself. Because victims authenticate through legitimate Microsoft services, traditional phishing detection tools struggle to identify the attack. Additionally, stolen refresh tokens can remain valid for up to 90 days, allowing attackers to maintain long-term access.
Conclusion
EvilTokens represents a significant evolution in phishing operations, combining social engineering with legitimate authentication workflows. As attackers increasingly exploit trusted systems rather than spoofing them, organizations must adopt behavioral detection strategies and educate users about emerging threats like device code phishing.
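To make the behavioral detection the article calls for concrete, here is an added example (not code from the article, from the researchers, or from the EvilTokens kit): a small Python detector that runs over sign-in records and scores every device-code authentication. It assumes records shaped like a subset of the Microsoft Graph signIn resource, where the authenticationProtocol field reads deviceCode for the OAuth device authorization grant, and that the IP address recorded for such a sign-in belongs to the client that requested the code and polls for tokens rather than to the browser where the user typed it. The sample records, user names, IPs, and app names are constructed; the severity rules are a heuristic, not a vendor rule.

```python
"""Score device-code sign-ins from Entra ID style sign-in records.

Added example for this article; assumes the Microsoft Graph signIn field
`authenticationProtocol` with value "deviceCode". All records below are
constructed samples, not real telemetry.
"""
from collections import defaultdict
import json

DEVICE_CODE = "deviceCode"

# Constructed sample records (RFC 5737 documentation IPs, example.com users).
SAMPLE_SIGNINS = [
    # ordinary interactive sign-ins that form each user's country baseline
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-02-10T09:02:11Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-02-10T09:15:42Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.11",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-02-10T10:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.12",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    # legitimate device-code use: a meeting-room device in the user's usual country
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-02-10T11:00:00Z",
     "authenticationProtocol": DEVICE_CODE, "ipAddress": "203.0.113.12",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Meeting Room Client",
     "status": {"errorCode": 0}},
    # two users completing codes requested from one unfamiliar IP: campaign pattern
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-02-10T14:30:05Z",
     "authenticationProtocol": DEVICE_CODE, "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Generic Device Client",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-02-10T14:41:19Z",
     "authenticationProtocol": DEVICE_CODE, "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Generic Device Client",
     "status": {"errorCode": 0}},
    # failed device-code attempt: recorded at low priority
    {"userPrincipalName": "dave@example.com", "createdDateTime": "2026-02-10T15:05:00Z",
     "authenticationProtocol": DEVICE_CODE, "ipAddress": "192.0.2.9",
     "location": {"countryOrRegion": "BR"}, "appDisplayName": "Generic Device Client",
     "status": {"errorCode": 50126}},
]


def detect_device_code_risk(records):
    """Return findings for every device-code sign-in, highest severity first.

    Heuristic severities (assumption of this example, not a vendor rule):
      low    - the device-code sign-in failed
      medium - succeeded from a country already in the user's interactive baseline
      high   - succeeded from a country absent from that baseline, or from an IP
               that also appears in another user's device-code sign-in (shared
               infrastructure is typical of a kit-driven campaign)
    """
    baseline = defaultdict(set)  # user -> countries seen in non-device-code successes
    for r in records:
        if r["authenticationProtocol"] != DEVICE_CODE and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    device_code = [r for r in records if r["authenticationProtocol"] == DEVICE_CODE]
    users_per_ip = defaultdict(set)  # ip -> users whose device-code sign-in used it
    for r in device_code:
        users_per_ip[r["ipAddress"]].add(r["userPrincipalName"])

    findings = []
    for r in device_code:
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        reasons = []
        if r["status"]["errorCode"] != 0:
            severity = "low"
            reasons.append("device-code sign-in failed")
        else:
            severity = "medium"
            reasons.append("successful device-code sign-in")
            if country not in baseline[user]:
                severity = "high"
                reasons.append("country not in user's baseline")
            if len(users_per_ip[r["ipAddress"]]) > 1:
                severity = "high"
                reasons.append("IP shared by multiple users' device-code sign-ins")
        findings.append({"severity": severity, "user": user, "ip": r["ipAddress"],
                         "country": country, "app": r["appDisplayName"],
                         "time": r["createdDateTime"], "reasons": reasons})

    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (rank[f["severity"]], f["time"]))
    return findings


if __name__ == "__main__":
    for finding in detect_device_code_risk(SAMPLE_SIGNINS):
        print(json.dumps(finding))
```

The "high" findings are the ones to act on first: revoke the user's refresh tokens and review mailbox and file activity from the flagged time onward, since the article notes that stolen refresh tokens otherwise remain usable for up to 90 days. In a real deployment the baseline should be built from a longer history than the single day shown here, and a tenant that never uses device-code sign-ins legitimately can simply treat every deviceCode record as high.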