Signal
EvilTokens phishing kit exploits Microsoft device code flow for global account takeovers
Published 2026-04-01 19:42 UTC · Updated 2026-04-02 23:00 UTC
phishing, malware, threat_actors, incident_response, security_tooling
Evidence trail (top sources)
Top sources (2 domains). Domains are deduped; counts indicate coverage, not truth. 2 top sources shown.
limited source diversity in top sources
Overview
A new phishing-as-a-service campaign named EvilTokens abuses Microsoft's device code authentication flow to hijack user accounts worldwide.
Entities
Microsoft, EvilTokens
Score total
0.86
Momentum 24h
2
Posts
2
Origins
2
Source types
1
Duplicate ratio
0%
Why now
- The campaign has been active since at least mid-February 2026, showing persistence and evolution.
- Use of AI automation and Telegram bots indicates a scalable and rapidly updating threat.
- Recent reports highlight expanding geographic impact and growing affiliate capabilities.
Why it matters
- EvilTokens exploits a legitimate Microsoft authentication flow, making detection harder.
- The phishing-as-a-service model lowers the barrier for attackers to conduct sophisticated account takeovers.
- Global targeting increases risk to organizations across multiple sectors and regions.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: medium
Recurring claims
- EvilTokens abuses Microsoft’s device code authentication flow to hijack user accounts.
- The phishing campaign has affected organizations worldwide, including the US, Canada, France, Australia, India, Switzerland, and the UAE.
- EvilTokens offers AI-powered modules for access weaponization, email harvesting, reconnaissance, and a webmail interface.
How sources frame it
- Sekoia Researchers: neutral
This emerging phishing campaign leverages a less common Microsoft authentication flow, complicating detection and mitigation efforts.
All evidence
Global Microsoft device code phishing facilitated by novel EvilTokens kit
SC Media · scworld.com · 2026-04-02 23:00 UTC
EvilTokens abuses Microsoft device code flow for account takeovers
CSO Online · csoonline.com · 2026-04-02 12:36 UTC
Top publishers (this list)
- SC Media (1)
- CSO Online (1)
Top origin domains (this list)
- scworld.com (1)
- csoonline.com (1)