A phishing-as-a-service platform selling Microsoft 365 account access for as little as $600 has scaled to the point where no two phishing lures it generates are identical, removing the pattern-matching that email security tools rely on to catch mass campaigns.

 

What happened

EvilTokens, a phishing-as-a-service platform targeting Microsoft 365 accounts through device code authentication abuse, has driven a 1,380% increase in device code phishing attacks between the second half of 2025 and the first four months of 2026, with over 50% of those incidents linked to two major waves of coordinated activity. According to BleepingComputer, EvilTokens launched in mid-February 2026 on Telegram and within five weeks had compromised more than 340 Microsoft 365 organizations across five countries. The platform is sold in three subscription tiers priced at $600, $1,000, and $1,500, and includes AI-generated phishing lures, automated campaign templates, and real-time tracking of targeted individuals. Researchers noted that across hundreds of documented EvilTokens incidents, no two phishing lures were identical, a level of per-victim personalization previously only achievable through manually crafted, targeted attacks. The platform bypasses multi-factor authentication entirely, capturing OAuth tokens rather than passwords or MFA codes.

 

Going deeper

EvilTokens abuses Microsoft's OAuth 2.0 device authorization flow, a legitimate feature designed to allow devices without keyboards, such as smart TVs, printers, and conference room systems, to authenticate using a short code entered on a separate device. Attackers initiate the flow themselves to generate a code, then send victims a phishing email impersonating a trusted service such as Adobe Acrobat, DocuSign, or SharePoint, instructing them to enter the code at Microsoft's real login page. When the victim completes the step and their normal MFA challenge, Microsoft issues a valid OAuth token to the attacker's session. The attacker gains access to the victim's email, files, Teams data, and any other Microsoft service connected through single sign-on, with a token that survives password resets and remains valid for weeks or months, depending on how the organization has configured token lifespans. According to The Register, Microsoft VP of Security Research Tanmay Ganacharya confirmed that since March 15, 2026, Microsoft had observed 10 to 15 distinct device code phishing campaigns launching every 24 hours, with "hundreds of compromises occurring daily across affected environments."

 

What was said

Researchers stated in their analysis cited by BleepingComputer that EvilTokens represents "a clear maturation of the phishing-as-a-service market as threat actors increasingly integrate AI workflows into their product offerings," and that "this level of per-victim personalization was previously limited to targeted, manually crafted campaigns. Now, it's achievable at scale by any threat actor at the price of a subscription service." Tanmay Ganacharya of Microsoft told The Register that each campaign uses "highly varied and unique payloads, making pattern-based detection more challenging."

 

In the know

EvilTokens is not operating in isolation. According to BleepingComputer, device code phishing detections surged 37.5 times in the first quarter of 2026, with at least 11 competing platforms now active in the market, including Tycoon2FA, Kali365, and VENOM. The FBI issued a formal warning about Kali365 in May 2026, and Microsoft confirmed EvilTokens infrastructure contributed to a March 17, 2026, campaign that sent 1.5 million confirmed malicious messages to 179,000 organizations across 43 countries. Healthcare was identified by Microsoft as the most targeted sector across multiple device code phishing campaigns in Q1 2026.

 

The big picture

EvilTokens removes two assumptions that healthcare security programs have historically relied on. The first is that mass phishing campaigns are detectable through pattern-based filtering because they reuse the same templates. AI-generated per-victim personalization eliminates that pattern. The second is that MFA provides meaningful protection against credential theft. Device code phishing bypasses MFA by design because the victim completes the legitimate MFA challenge themselves while unknowingly authorizing the attacker's session. According to Paubox's 2026 Healthcare Email Security Report, 53% of breached healthcare organizations in 2025 used Microsoft 365, and the platform's OAuth infrastructure is exactly what EvilTokens and its competitors are built to exploit. A compromised Microsoft 365 account at a healthcare organization provides access to patient scheduling, billing, referrals, and clinical communications simultaneously, without the attacker ever obtaining a password or triggering an MFA alert.

 

FAQs

What is device code phishing, and how does it differ from standard credential phishing?

Standard credential phishing captures a username and password through a fake login page. Device code phishing captures an OAuth token, a digital key that grants access to an account by tricking the victim into completing a legitimate Microsoft authentication step that was initiated by the attacker. No password is stolen, and no fake login page is involved, which is why standard phishing defenses do not catch it.

 

Why does the stolen OAuth token survive a password reset?

OAuth tokens are issued independently of the account password. Changing the password tells Microsoft the user's credentials have changed, but the token that was issued before the reset remains valid until it expires or is explicitly revoked. An attacker holding a valid token retains account access even after the victim resets their password, unless the organization also revokes all active tokens.

 

What does per-victim personalization mean for email security filters?

Email security filters detect mass phishing campaigns by identifying patterns that repeat across many messages, such as the same subject line, the same URL structure, and the same sender domain. When AI generates a unique lure for each recipient, those patterns disappear. Each message looks like a one-off email rather than part of a campaign, removing the signal that filters use to classify bulk phishing as malicious.

 

What is the most direct control against device code phishing?

Microsoft's Conditional Access policies include an Authentication Flows condition that can block the device code authorization flow entirely for user accounts that have no legitimate need for it. Restricting the flow to specific approved device types eliminates the mechanism that EvilTokens and similar platforms exploit, regardless of how convincing the phishing lure is.

 

How does EvilTokens operate as a business, and what does the subscription model reveal?

EvilTokens runs a tiered subscription model with 24/7 support, customer feedback channels, and continuous product updates, a structure that mirrors a legitimate software-as-a-service company. The business model means operators have a financial incentive to keep improving the platform, respond to takedowns, and expand capabilities. It also means the platform's capabilities are available to any criminal willing to pay $600, with no technical skill required.