Find notable cyber news and cases, enriched with sources, timelines, and signals.

EvilTokens phishing-as-a-service operation expands device code phishing and BEC

Threat Actor Meta
First reported
Last updated
Happening score
H score 44
2 unique sources, 3 articles

Summary

Hide ▲

EvilTokens is part of a broader phishing-as-a-service ecosystem that packages Microsoft 365 device-code phishing for criminal operators. Cisco Talos described ARToken as a related PhaaS panel that shares infrastructure, API contracts, and operational patterns with EvilTokens, while ZeroBEC reported a late June 2026 into early July campaign using collaboration-themed lures to drive victims through the legitimate Microsoft device login flow and enable account takeover by recovering session tokens. The activity shows how reusable broker tooling such as DEBULL and related operator panels lower the barrier for BEC, email access, and SharePoint exfiltration.

Related Happenings

O-UNC-066 / Pink Microsoft Entra passkey vishing campaign

Campaign
H score37 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

CypherLoc phishing-led browser scareware campaign

Campaign
H score49 First: 20.05.2026 13:00 Last: 20.05.2026 13:00 Sources 1

About this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...

EvilTokens Microsoft 365 consent phishing campaign

Campaign
H score39 First: 19.05.2026 14:30 Last: 19.05.2026 14:30 Sources 1

How related: In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries.

About this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
H score39 First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

Timeline

  1. 01.04.2026 22:42 4 articles · 3mo ago

    EvilTokens adds Microsoft device code phishing and BEC features

    Initial Disclosure

    EvilTokens is a phishing-as-a-service kit sold over Telegram that abuses Microsoft device code phishing to steal access tokens and refresh tokens, enabling persistent access and business email compromise. Sekoia observed victims receiving PDF, HTML, DOCX, XLSX, or SVG lure documents that contained QR codes or hyperlinks to EvilTokens phishing templates, and noted that the operator plans to extend support to Gmail and Okta phishing pages. The campaign infrastructure showed global reach, with activity affecting the United States, Canada, France, Australia, India, Switzerland, and the UAE.

    Show sources