
EvilTokens phishing kit fuels spike in Microsoft 365 device code attacks


A newly documented phishing toolkit sold on Telegram is lowering the barrier for attackers to steal Microsoft 365 access tokens without ever capturing a password or bypassing multi-factor authentication.


What happened

Security researchers have documented a notable increase in device code phishing attacks targeting Microsoft 365 users, attributing the increase to a new phishing-as-a-service toolkit called EvilTokens. According to Help Net Security, EvilTokens is sold to cybercriminals via Telegram and automates the entire device code phishing workflow, including generating AI-written phishing emails, hosting convincing decoy pages, and handling all interactions with Microsoft's authentication API on behalf of the attacker. Device code phishing is an attack technique that abuses Microsoft's OAuth device authorization flow, a mechanism originally designed to allow users to sign into devices such as smart TVs, printers, and IoT devices that cannot easily display a browser login page. Attackers initiate a legitimate authentication request, then trick targets into entering the resulting code on a real Microsoft login page, unknowingly granting the attacker persistent access tokens for the victim's account.


Going deeper

EvilTokens provides operators with phishing templates impersonating trusted Microsoft services and common enterprise workflows, including email quarantine notices, calendar invites, SharePoint access requests, password expiry warnings, DocuSign and Adobe Acrobat Sign requests, OneDrive shared document notifications, and eFax alerts. According to BleepingComputer, the kit was first made available in mid-February 2026 and has already been used in campaigns with global reach, with the most affected countries being the United States, Canada, France, Australia, India, Switzerland, and the UAE. Once a victim completes the authentication flow, the attacker receives both a short-lived access token and a refresh token, which provides persistent access to the compromised account including email, files, Teams data, and the ability to impersonate the user across Microsoft services. In more advanced post-compromise scenarios, researchers noted that attackers can use the refresh token to register an additional device in Microsoft Entra ID, then request a Primary Refresh Token that silently authenticates them as the victim across the organization's Microsoft 365 applications without any further credential prompt.


In the know

Device code phishing has been documented as an active tactic for more than a year across both state-sponsored and financially motivated threat groups. According to The Hacker News, Russia-aligned clusters including Storm-2372, APT29, UTA0304, and UTA0307 were documented using device code phishing to compromise Microsoft 365 accounts as early as February 2025, targeting government, think tank, academic, and transportation organizations across the United States and Europe. What EvilTokens represents is the commercialization and commoditization of that technique: a capability previously associated with nation-state actors is now available on Telegram to low-skill operators for a subscription fee, with AI-generated lures, built-in post-compromise triage tools, and 24/7 customer support.


The big picture

The emergence of EvilTokens follows a pattern in which sophisticated attack techniques migrate from state-sponsored campaigns into the criminal ecosystem and become accessible to a much wider pool of attackers. For healthcare organizations, the risk is compounded by how heavily the sector depends on Microsoft 365. According to Paubox's 2026 Healthcare Email Security Report, Microsoft 365 is used by approximately 79 percent of healthcare organizations and accounted for 53 percent of breached organizations in 2025, up from 43 percent the previous year. The same report found that 31 percent of breached Microsoft 365 environments were classified as high risk, indicating a consistent gap between what organizations pay for in security tools and how those tools are actually configured. Device code phishing bypasses the MFA controls that many healthcare organizations treat as their primary defense, meaning that organizations whose security posture depends heavily on MFA without additional Conditional Access restrictions remain exposed to this specific attack pattern.


FAQs

What is device code phishing, and how does it bypass multi-factor authentication?

Device code phishing abuses Microsoft's OAuth device authorization flow by initiating a legitimate authentication request and tricking the victim into entering the resulting code on the real Microsoft login page. Because the victim completes a genuine authentication step, MFA is satisfied as part of the process, and the attacker receives valid access and refresh tokens without ever capturing the victim's password or needing to intercept an MFA code.


What is a refresh token, and why does it create persistent access?

A refresh token is a long-lived credential that allows an application to continue requesting new access tokens on behalf of the user without requiring them to log in again. Once an attacker obtains a refresh token through device code phishing, they can maintain access to the compromised account for an extended period, even if the victim changes their password, unless the token is explicitly revoked.


What types of organizations are EvilTokens campaigns primarily targeting?

Documented campaigns have focused on employees in finance, HR, and transportation and logistics sectors, using lures such as salary-related notices, document sharing alerts, and eFax notifications. The healthcare sector is exposed, given its heavy reliance on Microsoft 365 and its compliance-driven workflows that can make authentic-looking authority notifications difficult to question.


How can organizations block device code phishing attacks?

The most effective control is a Microsoft Entra Conditional Access policy that blocks the device code authentication flow entirely for users who do not require it, or limits it to approved users, devices, and locations. Organizations should also monitor sign-in logs for device code authentication events from unexpected locations and revoke refresh tokens immediately where compromise is suspected.
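The two controls named in this answer, and the detection need implied by the device code flow described under "What happened", can be expressed in a few lines of Python. The block below is an added example written for this article; it is not code from the original page, from Paubox, or from Microsoft. The sign-in records are constructed to resemble Microsoft Graph `signIn` objects (the `authenticationProtocol`, `userPrincipalName`, `ipAddress`, `location.countryOrRegion`, `appDisplayName` and `createdDateTime` property names are real; every value is made up), and the policy body uses the real Conditional Access `conditions.authenticationFlows.transferMethods` condition with a placeholder group id.

```python
"""Flag device code sign-ins in Entra sign-in records and build the
Conditional Access policy body that blocks the flow for everyone except
an approved group.

Added example, not code from the original article, Paubox or Microsoft.
Records below mimic Microsoft Graph `signIn` objects (GET /auditLogs/signIns);
property names are real, values are constructed. The group id passed to
build_block_policy() is a placeholder.
"""
import json
from collections import Counter

# Constructed sample sign-in records (not real log data). Three of the five
# were completed through the device code flow; one of those has no location.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-02T09:14:10Z", "userPrincipalName": "alice@example.org",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2026-03-02T09:20:41Z", "userPrincipalName": "bob@example.org",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2026-03-02T10:02:03Z", "userPrincipalName": "carol@example.org",
     "ipAddress": "203.0.113.44", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Teams", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2026-03-02T10:15:58Z", "userPrincipalName": "dave@example.org",
     "ipAddress": "192.0.2.200", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "location": None},
    {"createdDateTime": "2026-03-02T11:40:12Z", "userPrincipalName": "erin@example.org",
     "ipAddress": "203.0.113.12", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "location": {"countryOrRegion": "US"}},
]


def device_code_signins(records):
    """Return only sign-ins completed through the OAuth device authorization flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def flag_unexpected(records, expected_countries):
    """Device code sign-ins from outside the countries the tenant normally sees.

    A record with no resolvable location is treated as unexpected, because the
    analyst cannot confirm where it came from.
    """
    flagged = []
    for r in device_code_signins(records):
        country = (r.get("location") or {}).get("countryOrRegion")
        if country not in expected_countries:
            flagged.append(r)
    return flagged


def signins_by_user(records):
    """Count device code sign-ins per account so a burst for one user stands out."""
    return Counter(r["userPrincipalName"] for r in device_code_signins(records))


def build_block_policy(exclude_group_ids, display_name="Block device code flow"):
    """Body for POST /identity/conditionalAccess/policies that blocks the device
    code flow for all users and all apps, except members of the listed groups
    (for example the team that enrols printers or conference-room devices)."""
    return {
        "displayName": display_name,
        # Use "enabledForReportingButNotEnforced" first to see who would be blocked.
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    # Review queue: device code sign-ins the tenant would not expect.
    for r in flag_unexpected(SAMPLE_SIGNINS, {"US"}):
        loc = (r.get("location") or {}).get("countryOrRegion", "unknown")
        print(f"REVIEW {r['createdDateTime']} {r['userPrincipalName']} "
              f"from {r['ipAddress']} ({loc}) via {r['appDisplayName']}")
    print("device code sign-ins per user:", dict(signins_by_user(SAMPLE_SIGNINS)))
    # PLACEHOLDER group id: replace with the object id of the approved group.
    print(json.dumps(build_block_policy(["00000000-0000-0000-0000-000000000000"]), indent=2))
```

Run the script as-is to see the review queue and the policy JSON, or feed `flag_unexpected()` the output of a Graph `auditLogs/signIns` query filtered to the last 24 hours. Note that the policy only stops new device code sign-ins; tokens already issued to an attacker keep working until they are revoked, which is why the revocation step in the answer above (for example `POST /users/{id}/revokeSignInSessions`) belongs in the same playbook as the policy.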


What makes EvilTokens different from existing phishing toolkits?

Most phishing kits rely on adversary-in-the-middle techniques that intercept credentials and MFA codes in real time. EvilTokens is the first publicly documented kit that offers built-in device code phishing alongside post-compromise triage tools specifically designed to identify valuable content in compromised accounts, making it a more complete account takeover platform rather than a simple credential harvesting tool.
