EvilTokens Phishing Service Bypasses MFA at 340+ Microsoft 365 Organizations
A $500/month subscription service has weaponized OAuth device code flows, rendering enterprise multi-factor authentication ineffective against credential theft.
A phishing-as-a-service platform called EvilTokens has compromised more than 340 Microsoft 365 organizations across five countries since February 2026, abusing the OAuth device code flow to bypass multi-factor authentication entirely.
The attack works by abusing Microsoft’s legitimate device code authentication protocol. Victims receive convincing lures—construction bids, DocuSign requests, voicemail notifications—that lead to fake login pages. When they authenticate using their real Microsoft credentials and complete MFA on Microsoft’s actual servers, the attacker captures an OAuth token that grants persistent access to the victim’s account. Password resets don’t revoke these tokens. MFA provides zero protection.
The campaign launched on 17 February 2026 when a Telegram user named eviltokensadmin began selling three products: an Office 365 capture link for $1,500, a B2B email sender for $600, and an SMTP sender for $1,000, according to Sekoia. Affiliates pay the $500 monthly licence to access the phishing page code and backend API that orchestrates the device code authentication flow.
From Statecraft to Commodity Service
Device code phishing originated as a Russian state-sponsored technique in mid-2024. By early 2026, Push Security detected a 37.5x increase in device code phishing pages compared to the prior year, with EvilTokens emerging as the dominant kit. The first EvilTokens compromises appeared on 19 February, followed by two more on 24 February. On 2 March, the campaign exploded in scale, hitting law firms, construction companies, healthcare providers, logistics firms, and local government offices.
What distinguished this wave from prior device code attacks was operational maturity. EvilTokens provides a turnkey phishing kit with AI-powered email generation, a built-in webmail interface for post-compromise operations, automated reconnaissance, and 24/7 support via Telegram. Huntress researchers noted the campaign’s unusual variety: construction bid lures, landing page code generation, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms pages all hitting the same victim pool through Railway.com infrastructure.
“Once a PRT is obtained, the threat actor can silently authenticate as the victim to the organisation’s Microsoft 365 applications, bypassing credential prompts and MFA, and move laterally to other services and resources beyond those originally targeted.”
— Sekoia researchers
Why MFA Fails Against Token Theft
Traditional phishing attempts to steal credentials and replay them against login endpoints. Device code phishing exploits a different vector: it steals the authentication result rather than the input. The victim completes legitimate authentication on Microsoft’s servers, including MFA challenges. The attacker never sees the password or the second factor. What they capture is the OAuth token Microsoft issues after successful authentication.
These tokens persist for weeks or months depending on tenant configuration, per The Hacker News. Password resets don’t invalidate them. Once an attacker obtains a Primary Refresh Token (PRT), they can authenticate silently to any Microsoft 365 application the token grants access to, moving laterally across services without triggering additional authentication prompts.
The attack chain begins when a victim clicks a phishing link and lands on a fake Microsoft login page. They enter credentials and complete MFA on what appears to be a standard Microsoft authentication flow. Behind the scenes, the EvilTokens backend initiates a device code authentication request to Microsoft’s OAuth endpoint. When the victim authenticates, Microsoft issues a valid token—not to the victim’s browser, but to the attacker’s device code session. The victim sees a successful login. The attacker receives persistent access.
Infrastructure and Scale
EvilTokens operators host phishing infrastructure on Railway.com, a platform-as-a-service provider rarely flagged by enterprise security tools. By 23 March, Sekoia had identified over 1,000 domains serving EvilTokens phishing pages. The campaign has hit organizations in the United States, Canada, France, Australia, India, Switzerland, and the United Arab Emirates.
Targeted sectors include finance, HR, logistics, sales, healthcare, legal services, and local government. The operator has built a support infrastructure that includes a 24/7 response team and feedback channels, treating the service as a commercial product rather than an underground tool. Cloud Security Alliance analysis noted that what began as a state-sponsored technique has fully commoditized into a subscription service accessible to operators with minimal technical skill.
- MFA does not prevent device code phishing—victims authenticate on real Microsoft servers while attackers capture resulting tokens
- Stolen tokens survive password resets and remain valid for weeks or months
- EvilTokens provides AI-powered automation, reconnaissance tools, and post-compromise capabilities for $500/month
- Campaign infrastructure uses Railway.com, a PaaS provider not typically blocked by enterprise security
- Operators plan to extend support to Gmail and Okta phishing pages
What to Watch
Organizations cannot rely on MFA as a complete authentication defense. Mitigation requires conditional access policies that evaluate device trust, network location, and sign-in patterns before granting token access. Security teams should implement token lifetime restrictions, require reauthentication for sensitive actions, and monitor for unusual OAuth consent grants.
The EvilTokens operator has announced plans to extend support to Gmail and Okta, according to The Hacker News. As device code phishing spreads beyond Microsoft 365, enterprises using any OAuth-based authentication face the same vulnerability: legitimate authentication infrastructure being weaponized against organizations that assume MFA equals security.
Detection depends on identifying anomalous token issuance patterns—device code flows initiated from unexpected IP ranges, tokens issued for unfamiliar applications, or authentication sequences that bypass normal device registration workflows. Network egress monitoring for connections to Railway.com infrastructure may flag active compromises, though attackers will rotate hosting providers as blocks spread. The 37.5x surge in device code phishing pages suggests this technique will remain a primary attack vector throughout 2026, requiring fundamental changes to how enterprises think about authentication security.
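The detection idea above (device code sign-ins from unexpected networks or for unfamiliar applications, followed by token use that never triggers MFA) can be turned into a small triage script. The following is an added example written for this article, not code from Sekoia, Push Security, Huntress or Microsoft. The sign-in records, the tenant's known egress ranges and the list of applications approved to use device code flow are all constructed for illustration; the record field names (authenticationProtocol, authenticationRequirement, appDisplayName, ipAddress) mirror the Microsoft Graph sign-in log schema as the author understands it, and should be checked against your own export.

```python
"""Triage Entra ID-style sign-in records for device code token-theft patterns.

Added example (not from the article or any vendor). Two checks:
  1. A sign-in completed over the device code flow from an IP outside the
     tenant's known egress ranges, or for an app not approved for that flow.
  2. A later sign-in by the same user from the same network that needed only
     a single factor, which is what reuse of a stolen refresh token looks like
     in the logs (MFA was satisfied once, on the phished session).
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed tenant baseline: in practice, source these from your network
# inventory and your Conditional Access configuration.
KNOWN_EGRESS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
# Apps that legitimately use device code flow (e.g. headless build agents).
APPROVED_DEVICE_CODE_APPS = {"Contoso Build Agent CLI"}

# Constructed sample records, one JSON object per line. Field names follow the
# Graph sign-in log schema; values are invented for this example.
SAMPLE_SIGNINS = """
{"createdDateTime":"2026-03-02T09:14:05Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.17","appDisplayName":"Contoso Build Agent CLI","authenticationProtocol":"deviceCode","authenticationRequirement":"multiFactorAuthentication"}
{"createdDateTime":"2026-03-02T09:21:40Z","userPrincipalName":"bob@contoso.example","ipAddress":"192.0.2.44","appDisplayName":"Mail Sync Client","authenticationProtocol":"deviceCode","authenticationRequirement":"multiFactorAuthentication"}
{"createdDateTime":"2026-03-02T09:53:12Z","userPrincipalName":"bob@contoso.example","ipAddress":"192.0.2.44","appDisplayName":"Mail Sync Client","authenticationProtocol":"oAuth2","authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-03-02T10:05:00Z","userPrincipalName":"carol@contoso.example","ipAddress":"203.0.113.90","appDisplayName":"Outlook Web","authenticationProtocol":"oAuth2","authenticationRequirement":"multiFactorAuthentication"}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def ip_is_known(ip):
    """True when the address falls inside one of the tenant's egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def analyze(records, follow_on_window=timedelta(hours=2)):
    """Return a list of findings; each finding names the rule that fired."""
    findings = []
    suspicious = {}  # (user, ip) -> time of the flagged device code sign-in
    for r in sorted(records, key=lambda rec: rec["createdDateTime"]):
        when = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        user, ip, app = r["userPrincipalName"], r["ipAddress"], r["appDisplayName"]
        if r.get("authenticationProtocol") == "deviceCode":
            reasons = []
            if not ip_is_known(ip):
                reasons.append("unknown source network")
            if app not in APPROVED_DEVICE_CODE_APPS:
                reasons.append("app not approved for device code flow")
            if reasons:
                findings.append({"rule": "device_code_anomaly", "user": user, "ip": ip,
                                 "app": app, "time": r["createdDateTime"], "reasons": reasons})
                suspicious[(user, ip)] = when
        elif (user, ip) in suspicious:
            # Token replay: same user, same unknown network, no second factor required.
            if (r.get("authenticationRequirement") == "singleFactorAuthentication"
                    and when - suspicious[(user, ip)] <= follow_on_window):
                findings.append({"rule": "follow_on_without_mfa", "user": user, "ip": ip,
                                 "app": app, "time": r["createdDateTime"],
                                 "reasons": ["single-factor sign-in after flagged device code sign-in"]})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{f['rule']}] {f['time']} {f['user']} from {f['ip']} via {f['app']}: {', '.join(f['reasons'])}")
```

Run against the constructed sample, the script is silent for alice (device code flow from a known range, for an approved app) and carol (ordinary interactive sign-in), and raises two findings for bob: the device code sign-in from an unknown network for an unapproved app, and the single-factor sign-in from the same address half an hour later. The second rule is the one worth tuning most carefully, since it is the observable consequence of the token theft the article describes rather than the phishing page itself, and it survives the hosting-provider rotation the article predicts.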