New widespread EvilTokens kit: device code phishing as-a-service

Medium
Published: Tue Mar 31 2026 (03/31/2026, 16:14:29 UTC)
Source: AlienVault OTX General

Description

EvilTokens is a new Phishing-as-a-Service offering a turnkey Microsoft device code phishing kit. It enables attackers to harvest access and refresh tokens, granting unauthorized access to victims' Microsoft accounts. The kit supports post-compromise operations, allowing data exfiltration from various Microsoft services. EvilTokens has been rapidly adopted by cybercriminals since March 2026, impacting organizations globally. The service provides advanced capabilities for account takeover, including token conversion to Primary Refresh Tokens and browser cookies for persistent access. Phishing campaigns using EvilTokens target employees in finance, HR, logistics, and sales, primarily for Business Email Compromise attacks.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/31/2026, 18:54:42 UTC

Technical Analysis

EvilTokens represents a sophisticated Phishing-as-a-Service (PhaaS) offering that leverages the OAuth 2.0 device code flow to phish Microsoft account tokens rather than traditional credentials. Attackers use the kit to create turnkey phishing campaigns that trick users into authorizing device codes, which then yield access and refresh tokens. These tokens allow attackers to access Microsoft 365 services such as email, OneDrive, and Teams without needing passwords. The kit includes capabilities to convert harvested tokens into Primary Refresh Tokens (PRTs) and browser cookies, enabling persistent access and evasion of standard detection mechanisms. Post-compromise, attackers can exfiltrate sensitive data and conduct Business Email Compromise (BEC) attacks by impersonating legitimate employees, particularly targeting finance, HR, logistics, and sales personnel. The EvilTokens kit has been rapidly adopted since March 2026, with numerous malicious domains identified as part of its infrastructure. The threat exploits OAuth 2.0’s device code flow, which is designed for devices with limited input capabilities, but here is abused to bypass multi-factor authentication and password protections. The lack of a CVE or known exploits in the wild suggests this is a relatively new threat, but its rapid spread and advanced token manipulation techniques indicate a significant risk to organizations relying on Microsoft cloud services.

Potential Impact

The EvilTokens phishing kit can lead to unauthorized access to Microsoft 365 accounts, resulting in significant confidentiality breaches, including exposure of emails, documents, and internal communications. The ability to convert tokens into PRTs and browser cookies allows attackers to maintain persistent access, increasing the risk of prolonged espionage, data theft, and fraudulent activities. Business Email Compromise attacks enabled by this kit can cause financial losses, reputational damage, and operational disruption, especially in targeted departments like finance and HR. Organizations globally face risks of intellectual property theft, regulatory non-compliance due to data breaches, and potential lateral movement within corporate networks. The threat’s use of OAuth tokens circumvents traditional password-based defenses and multi-factor authentication, complicating detection and response efforts. The widespread adoption of Microsoft 365 services means a large attack surface, and the phishing-as-a-service model lowers the barrier for less skilled attackers to launch impactful campaigns. Overall, the threat can severely impact organizational security posture, data integrity, and business continuity.

Mitigation Recommendations

1. Implement strict conditional access policies in Microsoft 365 to restrict OAuth token issuance and enforce device compliance and location-based access controls.
2. Monitor OAuth token usage and anomalous authentication patterns using Microsoft Cloud App Security or equivalent tools to detect suspicious token activity.
3. Educate employees, especially in finance, HR, logistics, and sales, about device code phishing tactics and how to recognize suspicious authorization prompts.
4. Deploy email security solutions with advanced phishing detection capabilities to block malicious domains and URLs associated with EvilTokens campaigns.
5. Regularly review and revoke suspicious or unused refresh tokens and Primary Refresh Tokens to limit attacker persistence.
6. Enforce multi-factor authentication methods that are resistant to token phishing, such as hardware security keys or certificate-based authentication.
7. Establish rapid incident response procedures to investigate and remediate compromised accounts, including password resets and token revocation.
8. Use endpoint detection and response (EDR) tools to identify post-compromise activities such as data exfiltration or lateral movement.
9. Collaborate with threat intelligence providers to update blocklists for domains linked to EvilTokens infrastructure.
10. Consider implementing OAuth app consent policies to restrict which applications can request tokens within the organization.
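The device code flow abuse described in the Technical Analysis and the monitoring called for in recommendation 2 can be turned into a concrete sign-in log check. The Python below is an added example (not code from this page or from the Sekoia report): it flags every sign-in that used the device code protocol and escalates those coming from a country or IP the user has never used in a regular sign-in. Field names follow the Microsoft Graph signIn resource; the sample records are constructed, not real telemetry.

```python
"""Flag OAuth 2.0 device code sign-ins in Entra ID sign-in logs (added example, not
code from the page or the Sekoia report). Field names follow the Microsoft Graph signIn
resource (authenticationProtocol, appDisplayName, ipAddress, location.countryOrRegion);
the records below are constructed, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass

def rec(user, ts, proto, app, ip, cc):
    return {"userPrincipalName": user, "createdDateTime": ts, "authenticationProtocol": proto,
            "appDisplayName": app, "ipAddress": ip, "location": {"countryOrRegion": cc}}

# Constructed sample: a finance user with a normal baseline, then a device code
# sign-in from an unfamiliar network; an IT user who legitimately uses device code.
SAMPLE_SIGNINS = [
    rec("ap.clerk@example.com", "2026-03-30T08:02:11Z", "oAuth2", "Microsoft Office", "203.0.113.10", "FR"),
    rec("ap.clerk@example.com", "2026-03-31T09:15:40Z", "oAuth2", "Microsoft Teams", "203.0.113.10", "FR"),
    rec("ap.clerk@example.com", "2026-03-31T10:44:03Z", "deviceCode", "Microsoft Office", "198.51.100.77", "NL"),
    rec("it.ops@example.com", "2026-03-29T11:00:00Z", "oAuth2", "Azure Portal", "203.0.113.22", "FR"),
    rec("it.ops@example.com", "2026-03-31T11:00:00Z", "deviceCode", "Microsoft Azure CLI", "203.0.113.22", "FR"),
]

@dataclass
class Alert:
    user: str
    severity: str
    reason: str

def user_baselines(signins):
    """Countries and IPs each user has used in sign-ins that were NOT device code."""
    countries, ips = defaultdict(set), defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            countries[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
            ips[s["userPrincipalName"]].add(s["ipAddress"])
    return countries, ips

def detect_device_code_signins(signins):
    """Every device code sign-in is at least medium (the flow is meant for input-constrained
    devices, so it is unusual for ordinary users); one from a country or IP absent from
    the user's baseline is high."""
    countries, ips = user_baselines(signins)
    alerts = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user, cc, ip = s["userPrincipalName"], s["location"]["countryOrRegion"], s["ipAddress"]
        novel = cc not in countries[user] or ip not in ips[user]
        alerts.append(Alert(user, "high" if novel else "medium",
                            f"device code sign-in to {s['appDisplayName']} from {cc}/{ip}"))
    return alerts
```

Against the constructed sample this yields one high alert (the finance user from a new country and IP) and one medium alert (the IT user from a known location); in production the baseline would be built from a longer window of the user's history.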


Technical Details

Author
AlienVault
TLP
white
References
https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1
Adversary
not set
Pulse Id
69cbf2e593a215d1c46c988a
Threat Score
not set

Indicators of Compromise

Domain


Threat ID: 69cc1498e6bfc5ba1d3022bc

Added to database: 3/31/2026, 6:38:16 PM

Last enriched: 3/31/2026, 6:54:42 PM

Last updated: 4/1/2026, 3:53:20 AM

