Ethical Hacking News
A new malicious kit called EvilTokens integrates device code phishing capabilities, allowing attackers to hijack Microsoft accounts and provide advanced features for business email compromise attacks. The kit is sold to cybercriminals over Telegram and is under continuous development, its author stating that they plan to extend support for Gmail and Okta phishing pages.
The EvilTokens phishing kit is being used by cybercriminals to hijack Microsoft accounts and carry out business email compromise (BEC) attacks. Device code phishing abuses the OAuth 2.0 device authorization flow to gain access to a victim account. The EvilTokens kit uses phishing templates that impersonate legitimate business content to trick employees into clicking on malicious links. The phishing page shows the victim a verification code and instructions to complete identity verification, then prompts them to click a “Continue to Microsoft” button. Once the victim completes the flow, the kit hands the attacker a short-lived access token and a refresh token for persistent access to the services associated with the victim account. Researchers have uncovered global campaigns using EvilTokens, with affected countries including the US, Canada, France, Australia, India, Switzerland, and the UAE. Organizations must take proactive measures to protect themselves against device code phishing attacks, such as educating employees on suspicious emails and implementing robust security controls.
Microsoft has recently been alerted to a new phishing kit known as EvilTokens, which is being used by cybercriminals to hijack Microsoft accounts and carry out business email compromise (BEC) attacks. The kit is being sold on Telegram and is under continuous development, with the author stating that they plan to extend support for Gmail and Okta phishing pages.
Device code phishing attacks abuse the OAuth 2.0 device authorization flow, in which attackers gain access to a victim account by tricking the owner into authorizing a malicious device. This technique has been well-documented and has been used by various threat actors, including Russian groups tracked as Storm-2372, UTA0352, UTA0355, UNK_AcademicFlare, and TA2723.
The EvilTokens kit uses phishing templates that impersonate legitimate business content such as financial documents, meeting invitations, logistics or purchase orders, payroll notices, or shared documents via services like DocuSign or SharePoint. These lures are often tailored to employees in finance, HR, logistics, or sales roles, making it easier for attackers to trick them into clicking on the phishing link.
When a victim opens the link, they are presented with a phishing page that impersonates a trusted service such as Adobe Acrobat or DocuSign. The page displays a verification code and instructions to complete identity verification, prompting the user to click a “Continue to Microsoft” button. At this step, the attacker has used a legitimate client (any Microsoft application) to request a device code. The victim is then tricked into authenticating at the legitimate Microsoft URL using the code supplied by the threat actor.
This way, the attacker receives both a short-lived access token and a refresh token for persistent access. These tokens give the attacker immediate access to the services associated with the victim account, including email, files, Teams data, and the capability to perform SSO impersonation across Microsoft services.
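The flow described above leaves a footprint that defenders can triage: a device code sign-in is logged as such. The script below is an added example, not code from the article, Sekoia, or Microsoft. It parses Microsoft Entra ID sign-in records (the Graph API `signIn` field names and the `authenticationProtocol` value `deviceCode` are real; every user, IP, timestamp and application in the sample is constructed), builds a per-user baseline from ordinary sign-ins, and flags each successful device code sign-in, raising severity when the location or application is new for that user, the user has no baseline, or several users complete the flow from the same source IP and application. The scoring heuristics are assumptions of this example, not a vendor's detection rule.

```python
import json
from collections import defaultdict

# Constructed sample of Microsoft Entra ID sign-in records, one JSON object per line,
# using Graph API signIn field names. authenticationProtocol == "deviceCode" marks a
# device code flow sign-in. All users, IPs and timestamps are invented for this example.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2026-03-30T08:02:11Z","userPrincipalName":"ana@example.test","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.10","location":{"countryOrRegion":"FR"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-30T09:15:40Z","userPrincipalName":"ana@example.test","authenticationProtocol":"oAuth2","appDisplayName":"Office 365 Exchange Online","ipAddress":"203.0.113.10","location":{"countryOrRegion":"FR"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-30T10:00:05Z","userPrincipalName":"ben@example.test","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.22","location":{"countryOrRegion":"FR"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-31T14:05:02Z","userPrincipalName":"ana@example.test","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.77","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-31T14:09:30Z","userPrincipalName":"ben@example.test","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.22","location":{"countryOrRegion":"FR"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-31T14:12:00Z","userPrincipalName":"cid@example.test","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.77","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-31T14:13:45Z","userPrincipalName":"dan@example.test","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.77","location":{"countryOrRegion":"US"},"status":{"errorCode":50126}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _succeeded(rec):
    # Entra reports errorCode 0 for a successful sign-in; anything else is a failure.
    return rec.get("status", {}).get("errorCode", 0) == 0


def build_baseline(records):
    """Per-user IPs, countries and apps seen in successful non-device-code sign-ins."""
    baseline = defaultdict(lambda: {"ips": set(), "countries": set(), "apps": set()})
    for rec in records:
        if rec.get("authenticationProtocol") == "deviceCode" or not _succeeded(rec):
            continue
        entry = baseline[rec["userPrincipalName"]]
        entry["ips"].add(rec.get("ipAddress"))
        entry["countries"].add(rec.get("location", {}).get("countryOrRegion"))
        entry["apps"].add(rec.get("appDisplayName"))
    return baseline


def score_device_code_signins(records):
    """Return one finding per successful device code sign-in, in input order.

    Every device code sign-in is reported because the flow is rare for ordinary users.
    Severity becomes "high" when the user has no baseline, the location or application
    is new for that user, or the same source IP and application served several users
    (one lure and one client funnelling many victims). These heuristics are assumptions
    of this example."""
    baseline = build_baseline(records)
    device_code = [r for r in records
                   if r.get("authenticationProtocol") == "deviceCode" and _succeeded(r)]

    # Cluster successful device code sign-ins by (source IP, application).
    users_by_source = defaultdict(set)
    for rec in device_code:
        key = (rec.get("ipAddress"), rec.get("appDisplayName"))
        users_by_source[key].add(rec["userPrincipalName"])

    findings = []
    for rec in device_code:
        upn = rec["userPrincipalName"]
        ip = rec.get("ipAddress")
        country = rec.get("location", {}).get("countryOrRegion")
        app = rec.get("appDisplayName")
        reasons = []
        if upn not in baseline:
            reasons.append("no prior baseline for user")
        else:
            known = baseline[upn]
            if ip not in known["ips"] and country not in known["countries"]:
                reasons.append("new location")
            if app not in known["apps"]:
                reasons.append("new application")
        shared = users_by_source[(ip, app)]
        if len(shared) > 1:
            reasons.append(f"shared source: {len(shared)} users from {ip} via {app}")
        findings.append({
            "time": rec.get("createdDateTime"),
            "user": upn,
            "ip": ip,
            "app": app,
            "severity": "high" if reasons else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in score_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        why = ", ".join(f["reasons"]) or "device code flow used"
        print(f"{f['severity']:6} {f['time']} {f['user']} {f['app']} from {f['ip']}: {why}")
```

On the sample, ana's sign-in is rated high (new country, new application, and a source shared with cid), ben's Azure CLI sign-in from his usual address is rated medium (device code is a normal flow for CLI users), cid is high for lacking any baseline, and dan's failed attempt is excluded. In production the clustering should be bounded by a time window and the baseline drawn from weeks of history rather than a single batch; the location heuristic is a triage aid, not proof of compromise.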
Researchers at Sekoia have examined EvilTokens' infrastructure and uncovered campaigns with a global reach, the most affected countries being the United States, Canada, France, Australia, India, Switzerland, and the UAE. Apart from advanced phishing, the EvilTokens phishing-as-a-service (PhaaS) operation also provides advanced features to conduct BEC attacks through automation.
The variety of the campaigns suggests that EvilTokens is already being used at scale by threat actors involved in phishing and business email compromise activities. Sekoia provides indicators of compromise (IoC), technical details, and YARA rules to help defenders block attacks leveraging the EvilTokens PhaaS kit.
In light of this new threat, it is essential for organizations to take proactive measures to protect themselves against device code phishing attacks. This includes educating employees on how to identify and report suspicious emails, implementing robust security controls, and keeping their systems up-to-date with the latest security patches.
Furthermore, businesses must also consider investing in advanced security solutions that can detect and block phishing attacks before they reach their users. By staying vigilant and proactive, organizations can reduce the risk of falling victim to these types of attacks and protect their sensitive data and operations.
In conclusion, the EvilTokens service has emerged as a significant enabler of Microsoft device code phishing and business email compromise attacks. As this threat continues to evolve, it is crucial for organizations to prioritize security and take proactive measures to protect themselves against these types of attacks.
Published: Wed Apr 1 15:21:00 2026 by llama3.2 3B Q4_K_M