In early 2026, underground cybercrime groups began sharing EvilTokens, a phishing-as-a-service platform. It abuses the legitimate Microsoft device code authentication flow to give attackers full access to an account without the victim noticing. The platform is operated through Telegram bots and provides affiliates with phishing page templates, tools for harvesting email addresses, features for gathering information about target accounts, and AI-powered automation.
The operator, who goes by the handle eviltokensadmin, has said that support for Gmail and Okta phishing pages will be added soon. Campaigns tied to EvilTokens have affected organizations in North America, South America, Europe, the Middle East, Asia, and Oceania, with the United States, Australia, Canada, France, India, Switzerland, and the United Arab Emirates among the hardest-hit countries.
With the stolen access token, attackers can read email, download files from OneDrive and SharePoint, and view Teams conversations for up to 90 minutes. Security teams should monitor sign-ins that use the device code grant type, especially those originating from unfamiliar locations. Training employees on what entering a device code actually authorizes is important, because the attack only succeeds when victims do not understand this.
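The monitoring advice above can be turned into a simple triage script. The following is an added example, not code from the article, from Sekoia or from ZeroOwl: it scans sign-in records for the device code grant, raises the severity when the sign-in comes from a country outside an assumed baseline, and computes the 90-minute window during which a captured token could still be used. The record layout (`authenticationProtocol`, `location.countryOrRegion`, `ipAddress`) mirrors the shape of Microsoft Entra ID sign-in log exports but is an assumption here, and all sample records and the baseline country set are constructed for the example.

```python
"""Triage Microsoft Entra ID sign-ins that used the device code grant.

Added example: field names are assumed to follow Entra ID sign-in log
exports; every record below is constructed, not real telemetry.
"""
from datetime import datetime, timedelta, timezone
from collections import Counter
import json

# Constructed sample sign-in records (values are invented).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-02-03T08:14:22Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-02-03T08:20:05Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "authorizationCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "DE"}, "appDisplayName": "Outlook"},
    {"createdDateTime": "2026-02-03T08:31:40Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.55",
     "location": {"countryOrRegion": "NG"}, "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-02-03T09:02:11Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.200",
     "location": None, "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-02-03T09:10:00Z", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "ropc", "ipAddress": "203.0.113.44",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "PowerShell"},
]

# Assumed baseline: countries from which this tenant's users normally sign in.
BASELINE_COUNTRIES = {"US", "CA"}

# Lifetime of the access token stated in the article (90 minutes).
TOKEN_LIFETIME = timedelta(minutes=90)

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def is_device_code(record):
    """True when the sign-in used the OAuth device code grant."""
    return str(record.get("authenticationProtocol", "")).lower() == "devicecode"


def exposure_window_end(created):
    """Latest time a token issued at `created` could still be valid."""
    start = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
    return (start + TOKEN_LIFETIME).strftime(TIME_FMT)


def flag_device_code_signins(records, baseline_countries=BASELINE_COUNTRIES):
    """Return one alert per device-code sign-in.

    Severity is 'high' when the country is missing or outside the baseline,
    otherwise 'medium' (device code sign-ins are worth review regardless).
    """
    alerts = []
    for r in records:
        if not is_device_code(r):
            continue
        country = (r.get("location") or {}).get("countryOrRegion") or "UNKNOWN"
        severity = "medium" if country in baseline_countries else "high"
        alerts.append({
            "user": r["userPrincipalName"],
            "time": r["createdDateTime"],
            "ip": r.get("ipAddress"),
            "country": country,
            "app": r.get("appDisplayName"),
            "severity": severity,
            # Until this time the captured token may still grant access.
            "token_valid_until": exposure_window_end(r["createdDateTime"]),
        })
    return alerts


def summarize_by_user(alerts):
    """Count device-code alerts per user to spot repeated targeting."""
    return dict(Counter(a["user"] for a in alerts))


if __name__ == "__main__":
    found = flag_device_code_signins(SAMPLE_SIGNINS)
    print(json.dumps(found, indent=2))
    print("per-user:", summarize_by_user(found))
```

In a real deployment the records would come from the sign-in log export or the Graph API rather than an inline list, and the baseline should be derived from each tenant's own history; the `token_valid_until` field is there so responders know how long revocation must be assumed incomplete for a given sign-in.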
Sekoia's YARA rule can help defenders identify EvilTokens phishing pages. Defenders can also use urlscan.io and urlquery to locate infrastructure related to EvilTokens by searching for known EvilTokens URL patterns.