EvilTokens phishing-as-a-service operation expands device code phishing and BEC

Threat Actor Meta
H score 41
2 unique sources, 2 articles

Summary

EvilTokens has been commercialized on Telegram as a continuously developed phishing-as-a-service kit, expanding device code phishing and BEC capabilities at scale. The operation matters because it lowers the barrier for criminal customers to steal Microsoft session tokens and extend access across enterprise accounts. Planned support for Gmail and Okta phishing pages suggests the ecosystem may broaden beyond Microsoft-focused abuse.

Related Happenings

Kali365 Microsoft 365 device-code phishing campaign

Campaign
First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

CypherLoc phishing-led browser scareware campaign

Campaign
First: 20.05.2026 13:00 Last: 20.05.2026 13:00 Sources 1

About this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...

EvilTokens Microsoft 365 consent phishing campaign

Campaign
First: 19.05.2026 14:30 Last: 19.05.2026 14:30 Sources 1

How related: In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries.

About this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

How related: Sekoia researchers examined EvilTokens' infrastructure and uncovered campaigns with a global reach, the most affected countries being the United States, Canada, France, Australia, India, Switzerland, and the UAE.

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Timeline

  1. 01.04.2026 22:42 3 articles · 1mo ago

    EvilTokens adds Microsoft device code phishing and BEC features

    Initial Disclosure

    EvilTokens is a phishing-as-a-service kit sold over Telegram that uses Microsoft device code phishing to steal access tokens and refresh tokens, enabling persistent access and business email compromise. Sekoia observed victims receiving PDF, HTML, DOCX, XLSX, or SVG lure documents that contained QR codes or hyperlinks to EvilTokens phishing templates, and noted that the operator plans to extend support to Gmail and Okta phishing pages. The campaign infrastructure showed global reach, with activity affecting the United States, Canada, France, Australia, India, Switzerland, and the UAE.