EvilTokens: PhaaS Kit Abusing OAuth Device Code Flow on Microsoft 365

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • PhaaS Kit: EvilTokens is a phishing-as-a-service kit built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow.
  • Wide Campaigns: Advertised via Telegram, it was deployed against more than 340 organizations across several countries in March 2026.
  • 2FA Bypass: The kit defeats two-factor authentication by tricking victims into completing 2FA for the attacker's session.

EvilTokens is a phishing-as-a-service (PhaaS) kit built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow. Rather than harvesting passwords through fake login pages, the kit weaponizes a legitimate authentication process, making it a notable evolution in account takeover tradecraft.

How EvilTokens Operates

ESET researchers documented the attack flow, saying the hackers send lures disguised as invoices, shared documents, calendar invites, or SharePoint access requests. 

When a victim clicks through, the page requests a device code from Microsoft that is valid for only 15 minutes.

The diagram illustrates this protocol, as provided by Microsoft | Source: Microsoft via Sekoia

The catch is that the device code was requested by the attacker's session. The victim enters the short user code on Microsoft's genuine verification page and signs in with their own password and second factor, but that approval attaches to the attacker's pending request, so Microsoft issues the access and refresh tokens to the attacker's session rather than to anything the victim controls.

EvilTokens phishing templates examples | Sekoia

Once inside, attackers can access corporate email, files, Teams, SharePoint, OneDrive, and other Microsoft 365 resources, and prepare business email compromise (BEC) attacks. The phishing toolkit has been advertised via Telegram channels and spotted in active attacks since at least February 2026.

Why the Threat Is Dangerous

The OAuth device code flow was designed for input-constrained devices such as smart TVs or printers: the device requests a short code, the user enters it on a Microsoft sign-in page from another device (a phone or laptop) and authenticates there, and Microsoft then issues access tokens to the device that asked for the code.

“Attackers can generate the code and dupe the victim into entering it – all while Microsoft only sees a valid authentication flow,” the ESET report says.
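The following is an added illustration of both sides of the exchange described above; it is not code from the article, ESET, Sekoia or Microsoft, and it is not the kit. AuthServer is a toy stand-in for the real authorization server (no TLS, no signed tokens, a fake clock), the method names mirror the real /devicecode and /token exchanges, and "attacker-session" is an invented client identity for the phisher's kit. What it shows is the property the attack rests on: the user code is typed by the victim, but the device code, and therefore the tokens, stay with whoever started the flow.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added illustration, not code from the article, ESET, Sekoia or Microsoft.
AuthServer stands in for the real authorization server (no TLS, no signed
tokens, a fake clock); "attacker-session" is an invented client identity.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Optional

DEVICE_CODE_LIFETIME = 900  # seconds: the 15-minute validity the article cites


@dataclass
class PendingGrant:
    client_id: str        # whoever called /devicecode; the poller that receives the tokens
    user_code: str        # the short code a human types on the verification page
    created_at: int
    approved_by: Optional[str] = None


class AuthServer:
    def __init__(self):
        self.now = 0
        self.grants = {}      # device_code -> PendingGrant
        self.user_codes = {}  # user_code -> device_code

    def tick(self, seconds):
        self.now += seconds

    def device_authorization(self, client_id):
        """POST /devicecode. The caller keeps device_code; only user_code and the
        genuine verification URL need to reach the person being lured."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.grants[device_code] = PendingGrant(client_id, user_code, self.now)
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": DEVICE_CODE_LIFETIME, "interval": 5}

    def verify_user_code(self, user_code, username, mfa_passed):
        """The verification page. The user proves their own identity (password
        and MFA), but the approval attaches to whichever pending request the
        user_code belongs to, not to the browser the user is sitting at."""
        device_code = self.user_codes.get(user_code)
        if device_code is None:
            return "invalid_code"
        grant = self.grants[device_code]
        if self.now - grant.created_at > DEVICE_CODE_LIFETIME:
            return "expired_code"
        if not mfa_passed:
            return "mfa_required"
        grant.approved_by = username
        return "approved"

    def token(self, client_id, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.now - grant.created_at > DEVICE_CODE_LIFETIME:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens are minted for the approving user and handed to the poller.
        return {"token_type": "Bearer",
                "access_token": f"at-{grant.approved_by}-{secrets.token_hex(4)}",
                "refresh_token": f"rt-{grant.approved_by}-{secrets.token_hex(4)}"}


def run_phish_scenario(server, victim="alice@contoso.example", mfa_passed=True, delay=60):
    """Walk both sides: the kit starts the flow, the victim approves it on the
    real verification page some seconds later, the kit collects the tokens."""
    start = server.device_authorization("attacker-session")
    lure = (f"Open {start['verification_uri']} and enter code "
            f"{start['user_code']} to view the shared invoice")
    first_poll = server.token("attacker-session", start["device_code"])
    server.tick(delay)  # time until the victim acts on the lure
    outcome = server.verify_user_code(start["user_code"], victim, mfa_passed)
    second_poll = server.token("attacker-session", start["device_code"])
    return {"lure": lure, "first_poll": first_poll, "outcome": outcome,
            "tokens": second_poll}


if __name__ == "__main__":
    result = run_phish_scenario(AuthServer())
    print(result["lure"])
    print(result["first_poll"], result["outcome"], result["tokens"])
```

Two things stand out when running it. Every step the server sees is legitimate: a client asked for a code, a real user authenticated with MFA on the genuine page, and tokens went to the requester, which is exactly what the ESET quote above means. And the 15-minute lifetime is real friction for the attacker: if the victim opens the lure after the window (run with `delay=901`) the approval fails and polling returns `expired_token`, which is why a kit would want to generate the code only when the victim clicks. In a tenant where no device genuinely needs this grant, the cleanest control is a Conditional Access policy that blocks the device code flow outright.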

Cybersecurity researchers previously documented the kit, with Sekoia saying it was deployed in a campaign targeting more than 340 organizations in several countries in March 2026. 

Microsoft also described an AI-enabled campaign that used dynamic device-code generation to increase EvilTokens attack success rates. Critically, the attack bypasses 2FA not through technical exploits but by tricking the victim into completing 2FA for the attacker's session.
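Because nothing in the exchange is technically invalid, the practical handle for defenders is the sign-in record itself: Microsoft Entra sign-in logs carry an authenticationProtocol field that identifies device-code sign-ins. The sketch below is an added example, not from the article or the vendors it cites, and runs over constructed records shaped like the Microsoft Graph signIn resource. The allowlist of apps expected to use the flow ("Meeting Room Console" is an invented name) is an assumption for the demo, and the same-IP clustering assumes the address logged for a device-code sign-in is that of the token requester.

```python
"""Detection sketch: surface device-code sign-ins in Entra sign-in logs.

Added example, not from the article or the vendors it cites. Records mirror
the Microsoft Graph signIn resource fields userPrincipalName, appDisplayName,
authenticationProtocol, ipAddress, createdDateTime and status.errorCode.
SAMPLE_SIGNINS is constructed; the allowlist and the assumption that the
logged ipAddress is the token requester's are assumptions for the demo.
"""
from collections import defaultdict

SAMPLE_SIGNINS = [  # constructed records
    {"createdDateTime": "2026-03-10T09:02:11Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "authorizationCode",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-10T09:14:40Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-10T09:15:02Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Meeting Room Console", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-10T09:31:19Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-10T10:05:47Z", "userPrincipalName": "dave@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-10T10:09:03Z", "userPrincipalName": "erin@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.45", "status": {"errorCode": 1}},  # non-zero: never completed
]


def device_code_alerts(records, allowed_apps=frozenset()):
    """One alert per completed device-code sign-in by an app not expected to
    use the flow. Severity rises to high when several distinct users' device-code
    sign-ins share one source IP, the shape a single kit polling for many
    victims' tokens would leave (assumes the logged IP is the requester's)."""
    users_by_ip = defaultdict(set)
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # no tokens were issued; not an account takeover on its own
        if rec["appDisplayName"] in allowed_apps:
            continue  # a device that is expected to use this grant
        users_by_ip[rec["ipAddress"]].add(rec["userPrincipalName"])
        alerts.append({
            "time": rec["createdDateTime"],
            "user": rec["userPrincipalName"],
            "app": rec["appDisplayName"],
            "ip": rec["ipAddress"],
            "severity": "medium",
            "reason": "device code sign-in from an app not expected to use the flow",
        })
    for alert in alerts:
        shared = users_by_ip[alert["ip"]]
        if len(shared) > 1:
            alert["severity"] = "high"
            alert["reason"] += f"; {len(shared)} users approved device codes from {alert['ip']}"
    return alerts


def summarize(alerts):
    """Count alerts by severity for a one-line triage summary."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = device_code_alerts(SAMPLE_SIGNINS, allowed_apps={"Meeting Room Console"})
    for alert in found:
        print(alert["severity"].upper(), alert["time"], alert["user"], alert["ip"], "-", alert["reason"])
    print(summarize(found))
```

On the sample data this yields high-severity alerts for alice and carol (two users approving codes for the same source address within 20 minutes) and a medium one for dave, while bob's room console is accepted and erin's failed attempt is skipped. In production the same logic would run over a Graph or Log Analytics export; the allowlist should be built from the devices actually known to use the grant, and any high-severity hit is a candidate for revoking the user's refresh tokens, since the access token alone is short-lived but the refresh token is what keeps the attacker in.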

Related PhaaS Campaigns

Arctic Wolf Labs tracked a Kali365 PhaaS operation, first seen in April 2026, that in early June began targeting Microsoft, Okta, DocuShare, AWS, MAX Messenger, and more. In January, Okta SSO accounts were targeted in an alleged ShinyHunters phishing campaign that used custom PhaaS kits.
