Since February 2026, a phishing-as-a-service platform called EvilTokens has been silently compromising Microsoft 365 organisations worldwide. Its defining characteristic is radical: it steals no passwords, triggers no MFA alerts and uses no fake login pages. Everything happens on real Microsoft infrastructure. The victim completes their own multi-factor authentication process on the legitimate Microsoft page and, without realising it, hands the attacker a valid OAuth token with persistent access to their corporate email, OneDrive, SharePoint, Teams, contacts and calendar. The Hacker News is amplifying it today with Bolster AI’s full analysis. It is the most significant identity threat of 2026 for organisations using Microsoft 365 — and that is practically everyone.

What is EvilTokens and what has happened?

Facts documented by SEKOIA Threat Detection & Research (31 March 2026), Huntress (19 February 2026), Bolster AI, Palo Alto Unit 42, AppOmni and The Hacker News:

  • First observed activity: 15–19 February 2026. Huntress detected the first active cases on 19 February.
  • Scale in 5 weeks: in under five weeks from launch, EvilTokens had compromised over 340 Microsoft 365 organisations across seven countries: the United States, Canada, France, Australia, India, Switzerland and the United Arab Emirates.
  • Affected sectors: finance, HR, logistics, sales, healthcare, legal services, local government, construction, NGOs, real estate and manufacturing.
  • Criminal business model: PhaaS distributed via Telegram at plans ranging from $299 to $499 per month in cryptocurrency. 24/7 support. The operator has announced plans to add Gmail and Okta support in upcoming versions.
  • Technical origin: abuses the OAuth 2.0 Device Authorization Grant flow, a legitimate Microsoft mechanism designed to allow keyboardless devices — smart TVs, printers, IoT devices — to authenticate with Microsoft 365.
  • The token survives a password reset: the refresh tokens obtained through EvilTokens survive password resets and remain valid for weeks or months depending on the tenant configuration. Only explicit revocation or a Conditional Access policy requiring re-consent closes the access.
  • State-level precedent: the Device Code Phishing flow was previously used by state-sponsored groups such as Storm-2372 and APT29 against governments and academic organisations from at least February 2025. EvilTokens is the commercialisation of that technique: what was an APT capability is now available on Telegram to operators without advanced technical skills.

Why Microsoft 365 is the most valuable target for this type of attack

Compromising Microsoft 365 is not just compromising an email account. It is potentially compromising an organisation’s entire digital infrastructure. Four factors explain why EvilTokens focuses exclusively on Microsoft 365:

  1. Maximum impact surface with a single account. A valid Microsoft 365 OAuth token gives access to email (Exchange), corporate files (OneDrive, SharePoint), internal communications (Teams), calendar and the contacts directory. A single victim can open the door to the entire organisation via Business Email Compromise (BEC), internal impersonation or exfiltration of critical documents.
  2. User trust in microsoft.com is the vector. Unlike classic phishing, EvilTokens does not need the victim to visit a fake URL. The instruction is to go to microsoft.com/devicelogin — a 100% legitimate, verified URL. Every visual security signal the user has been trained to check (HTTPS, real domain, valid certificate) is present. Because the site is real.
  3. Full MFA does not protect against it. The victim completes their additional authentication factor (TOTP, SMS, push notification) on the real Microsoft page. MFA works exactly as expected. The problem is that the result — the token — goes to the attacker, not the user’s legitimate session.
  4. Access is persistent and silent. With the refresh token, the attacker can operate for weeks or months without needing new credentials, without generating suspicious sign-in events from unknown locations, and without triggering the alerts designed to detect credential-based intrusions.

How the attack works: the Device Code Flow trap

  1. The attacker initiates the authorisation request. The EvilTokens operator sends a request to Microsoft’s API and obtains a real device code and user code — exactly as a legitimate Smart TV would when authenticating.
  2. The lure reaches the victim. EvilTokens generates an email or message with a credible lure: a pending invoice for approval, a shared SharePoint document, a payroll notification, a security alert, a DocuSign or Adobe Acrobat Sign request. The message includes a landing page that may impersonate Adobe Acrobat, DocuSign or another trusted service, displaying the user code alongside a “Continue with Microsoft” button.
  3. The victim completes MFA on real Microsoft. Clicking the button directs the victim to microsoft.com/devicelogin, where they enter the user code, sign in with their corporate credentials and complete their usual MFA — push notification, TOTP, or whatever they have configured. From their perspective, everything is exactly as normal. They have “verified their identity.”
  4. Microsoft delivers the tokens to the attacker. The moment the victim completes the authorisation, Microsoft issues a valid access token and refresh token for the victim’s account — and delivers them to the session that requested them, which is the attacker’s.
  5. Persistent access established. With the refresh token, the attacker has ongoing access to the victim’s Microsoft 365 account. They can read and send emails as the victim, access all their files on OneDrive and SharePoint, participate in Teams conversations, download the contacts directory and calendar. The token survives a password change.
  6. Optional escalation. The attacker can register a new device in Microsoft Entra ID, obtain a Primary Refresh Token (PRT) and maintain silent, persistent access even against Conditional Access policies that do not account for this scenario.
  7. Post-compromise: BEC and lateral movement. EvilTokens includes an integrated webmail interface allowing the operator to act directly from the compromised mailbox to prepare Business Email Compromise (BEC) attacks, intercept invoices, manipulate wire transfers or launch new phishing attacks from the victim’s legitimate account against their own contacts.

Key lessons and mitigation checklist for IT managers and CISOs

Immediate mitigation — Block the Device Code Flow:

  • In Microsoft Entra ID (Azure AD) → Security → Conditional Access: create a policy blocking authentication requests of type Device Code for all users who do not need to authenticate keyboardless devices (the vast majority of corporate users). This is the most effective mitigation available today.
  • If the organisation uses IoT devices, printers or smart TVs requiring this flow, create a policy that restricts it exclusively to those managed, compliant devices.
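As an added example (not from the original post or from Apolo), a Python audit of a Conditional Access policy export that tells an effective Device Code Flow block apart from a report-only or mis-scoped one. It assumes the Microsoft Graph conditionalAccessPolicy schema, where the flow condition is `conditions.authenticationFlows.transferMethods`; the policies and the excluded group id are constructed placeholders.

```python
"""Audit a Conditional Access export for an effective Device Code Flow block.
Assumes the Microsoft Graph conditionalAccessPolicy schema (GET /identity/
conditionalAccess/policies), where the flow condition is the flag string
conditions.authenticationFlows.transferMethods. Policies below are constructed."""

# What closes the vector: enforced, all users, all apps, device code flow, block.
BLOCK_POLICY = {
    "displayName": "Block Device Code Flow", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["PLACEHOLDER-IOT-GROUP-ID"]},
                   "applications": {"includeApplications": ["All"]},
                   "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def policy_gaps(policy: dict) -> list[str]:
    """Reasons this policy does NOT close the vector; an empty list means it does."""
    cond = policy.get("conditions") or {}
    methods = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    checks = [
        ("deviceCodeFlow" in [m.strip() for m in methods.split(",")], "does not target deviceCodeFlow"),
        (policy.get("state") == "enabled", f"state is {policy.get('state')!r}, not enforced"),
        ("All" in (cond.get("users") or {}).get("includeUsers", []), "not scoped to all users"),
        ("All" in (cond.get("applications") or {}).get("includeApplications", []), "not scoped to all apps"),
        ("block" in (policy.get("grantControls") or {}).get("builtInControls", []), "grant control is not block"),
    ]
    return [msg for ok, msg in checks if not ok]

def audit(policies: list[dict]) -> dict:
    """Effective blocks, plus near-misses that target the flow but leave a gap open."""
    report = {"effective": [], "near_miss": {}}
    for p in policies:
        gaps = policy_gaps(p)
        if not gaps:
            report["effective"].append(p["displayName"])
        elif "does not target deviceCodeFlow" not in gaps:
            report["near_miss"][p["displayName"]] = gaps
    return report

# Constructed export: a report-only copy (looks right, enforces nothing), an MFA policy, the real block.
SAMPLE_EXPORT = [
    {"displayName": "Block Device Code Flow (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    BLOCK_POLICY,
]
```

Running `audit(SAMPLE_EXPORT)` reports only the enforced policy as effective and lists the report-only copy as a near-miss with the reason it does not count.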

Detection — Monitor Entra ID:

  • In Entra ID → Monitoring → Sign-in logs: look for authentications using the Device code flow method from IPs or locations unusual for the organisation.
  • Configure alerts in Microsoft Defender XDR or your SIEM for the events “Suspicious Azure authentication through possible device code phishing” and “User account compromise via OAuth device code phishing.”
  • Review the active OAuth authorisation history in the tenant. Any authorised application that users do not recognise must be investigated and revoked.
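An added detection example, not part of the original article: Python that walks an Entra ID sign-in log export and rates every Device Code Flow sign-in against where the organisation normally operates. It assumes the Microsoft Graph `signIn` schema (`authenticationProtocol`, `originalTransferMethod`, `conditionalAccessStatus`, `location`, `status`); the records, users and IP addresses are constructed.

```python
"""Flag Device Code Flow sign-ins in an Entra ID sign-in log export.
Assumes the Microsoft Graph signIn schema (GET /auditLogs/signIns): the flow is
marked by authenticationProtocol == "deviceCode" or, on newer records,
originalTransferMethod == "deviceCodeFlow". All records below are constructed."""

def is_device_code(rec: dict) -> bool:
    """True when either field marks the sign-in as a Device Code Flow authentication."""
    return (rec.get("authenticationProtocol") == "deviceCode"
            or rec.get("originalTransferMethod") == "deviceCodeFlow")

def find_device_code_signins(records: list[dict], expected_countries: set) -> list[dict]:
    """One finding per Device Code sign-in. A successful one from an unexpected
    country, or one no Conditional Access policy touched, is rated high."""
    findings = []
    for rec in records:
        if not is_device_code(rec):
            continue
        country = (rec.get("location") or {}).get("countryOrRegion", "unknown")
        succeeded = (rec.get("status") or {}).get("errorCode", 0) == 0
        anomalies = []
        if country not in expected_countries:
            anomalies.append(f"country {country} is unusual for the organisation")
        if rec.get("conditionalAccessStatus") == "notApplied":
            anomalies.append("no Conditional Access policy applied")
        severity = "low" if not succeeded else ("high" if anomalies else "medium")
        findings.append({"time": rec["createdDateTime"], "user": rec["userPrincipalName"],
                         "ip": rec.get("ipAddress"), "country": country,
                         "succeeded": succeeded, "severity": severity, "anomalies": anomalies})
    return findings

# Constructed log: a normal browser sign-in (ignored), a successful device code sign-in
# from an unexpected country with no policy applied, one from the expected country, a failure.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-02T08:14:07Z", "userPrincipalName": "ana@example.org",
     "ipAddress": "198.51.100.10", "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "ES"}, "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:41:55Z", "userPrincipalName": "ana@example.org",
     "ipAddress": "203.0.113.45", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T10:02:12Z", "userPrincipalName": "luis@example.org",
     "ipAddress": "198.51.100.22", "originalTransferMethod": "deviceCodeFlow",
     "location": {"countryOrRegion": "ES"}, "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T10:05:30Z", "userPrincipalName": "luis@example.org",
     "ipAddress": "203.0.113.46", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "failure",
     "status": {"errorCode": 50126}},
]
```

Even the "medium" finding deserves a look: a corporate user who owns no keyboardless device has no reason to complete a device code sign-in at all.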

Response to suspected compromise:

  • A password change does NOT invalidate the refresh token. The only way to close access is explicit token revocation: in Entra ID → Users → [User] → Revoke sessions.
  • Immediately audit the compromised user’s inbox rules for unauthorised forwarding to external accounts.
  • Review recently registered devices in Entra ID associated with the compromised account.
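An added example for the inbox-rule audit in the checklist above, not part of the original article: Python that triages a mailbox's rules for forwarding or redirection to addresses outside the organisation's domains, and additionally notes rules that delete or mark as read the forwarded message, which goes one step beyond the checklist item. It assumes the Microsoft Graph `messageRule` schema; the rules, addresses and domains are constructed.

```python
"""Triage a compromised user's inbox rules for forwarding to external addresses.
Assumes the Microsoft Graph messageRule schema (GET /users/{id}/mailFolders/
inbox/messageRules): recipients sit under actions.forwardTo, forwardAsAttachmentTo
and redirectTo as {"emailAddress": {"address": ...}}. Rules below are constructed."""

FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

def external_targets(rule: dict, org_domains: set) -> list[str]:
    """Addresses this rule forwards or redirects to outside the organisation's domains."""
    actions = rule.get("actions") or {}
    targets = []
    for action in FORWARDING_ACTIONS:
        for recipient in actions.get(action) or []:
            address = ((recipient.get("emailAddress") or {}).get("address") or "").lower()
            domain = address.rsplit("@", 1)[-1] if "@" in address else ""
            if domain and domain not in org_domains:
                targets.append(f"{action}:{address}")
    return targets

def triage_rules(rules: list[dict], org_domains: set) -> list[dict]:
    """Return the rules that leak mail externally, noting whether they also hide the
    forwarded message (delete / mark as read), which is the typical BEC preparation."""
    flagged = []
    for rule in rules:
        targets = external_targets(rule, org_domains)
        if not targets:
            continue
        actions = rule.get("actions") or {}
        hides = [k for k in ("delete", "markAsRead") if actions.get(k)]
        flagged.append({"rule": rule.get("displayName"), "enabled": rule.get("isEnabled", True),
                        "external_targets": targets, "hides_trace": bool(hides)})
    return flagged

# Constructed rules: a harmless internal move, a silent external forward that also
# deletes the message, and a disabled redirect mixing an internal and a personal address.
SAMPLE_RULES = [
    {"displayName": "Invoices to folder", "isEnabled": True,
     "actions": {"moveToFolder": "PLACEHOLDER-FOLDER-ID"}},
    {"displayName": "Sync", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "backup.mail@example.net"}}],
                 "delete": True, "markAsRead": True}},
    {"displayName": "Old redirect", "isEnabled": False,
     "actions": {"redirectTo": [{"emailAddress": {"address": "Me@Example.org"}},
                                {"emailAddress": {"address": "me.home@example.com"}}]}},
]
```

Disabled rules are still reported: a rule the attacker switched off after use is evidence of what the mailbox was used for.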

Phishing-resistant MFA:

  • TOTP solutions (Google Authenticator, Microsoft Authenticator in OTP mode) and SMS do not protect against Device Code Phishing — the victim completes them on the real Microsoft page. Only phishing-resistant MFA methods — FIDO2/passkeys, hardware-based certificates — fully prevent this attack.

Employee awareness:

  • Train employees to recognise and reject any request to enter a verification code at microsoft.com/devicelogin that they did not actively initiate themselves. A user who understands that “if I did not initiate the device session, I should not enter any code” will not fall for this attack.

Cybersecurity as a strategic priority

EvilTokens confirms the most important trend in identity attacks in 2026: attackers no longer break authentication — they redirect it. MFA remains a necessary and essential layer of defence against most threats, but it is no longer sufficient without accompanying controls over the OAuth authorisation flow, token lifetime limits and active monitoring of what happens after login.

For Spanish organisations, the message is direct: if your organisation uses Microsoft 365 — and the vast majority do — and you do not have a Conditional Access policy blocking the Device Code Flow for users who do not need it, the EvilTokens vector is open right now.

Apolo Cybersecurity: identity and access protection in Microsoft 365 environments

At Apolo Cybersecurity we help organisations close the identity-based attack vectors that EvilTokens and similar techniques exploit: auditing and hardening of Conditional Access policies in Microsoft Entra ID, implementation of phishing-resistant MFA (FIDO2/passkeys), monitoring of OAuth flows and tokens in Microsoft 365 environments, detection of post-compromise activity in Exchange and SharePoint, and response plans that include the correct revocation of compromised tokens.

If your organisation uses Microsoft 365 and you have not checked whether the Device Code Flow is blocked in your Conditional Access, this Wednesday morning is the time to verify it.
