OAuth device-code phishing campaign targeting SaaS accounts
Campaign
Summary
A device code phishing campaign now includes EvilTokens, a phishing-as-a-service kit sold on Telegram that uses the OAuth 2.0 device authorization flow to hijack Microsoft accounts and steal access tokens and refresh tokens for persistent access and BEC. Sekoia reported that the infrastructure had global reach, with the most affected countries including the United States, Canada, France, Australia, India, Switzerland, and the UAE, and the operator says support for Gmail and Okta phishing pages is planned.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
CypherLoc phishing-led browser scareware campaign
Campaign
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
TCLBanker self-spreading banking trojan
Malware Activity
First: 08.05.2026 01:06
Last: 08.05.2026 01:06
Sources 1
About this happening:
The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
Timeline
- 04.04.2026 17:17 · 3 articles · 1mo ago
Device code phishing campaign expands across SaaS-themed phishing kits
Campaign Scope Update
Push Security reported that device code phishing abusing the OAuth 2.0 Device Authorization Grant flow had risen 37.5x this year, with EvilTokens identified as a major driver and at least 11 kits circulating across SaaS-themed lures and cloud-hosted infrastructure. Sekoia separately published research on EvilTokens earlier that week, and Push recommended disabling device-code flow where unnecessary through conditional access policies and monitoring for unexpected device code authentication events, unusual IP addresses, and unfamiliar sessions.
Sources
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing — www.darkreading.com — 17.04.2026 22:05
- New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42