EvilTokens: new phishing service
A phishing‑as‑a‑service called EvilTokens has surfaced, specializing in device‑code phishing and session hijacking against Microsoft 365 accounts. It lets low‑skill actors bypass passwords and capture sessions whenever a user approves a device‑code prompt, and early reporting paints it as a turnkey way to turn phishing into persistent account takeover.
Sekoia’s threat‑research team says EvilTokens first appeared in criminal channels in mid‑February 2026 and was profiled for customers in a private FLINT report on March 25, 2026. (blog.sekoia.io) Huntress and the Cloud Security Alliance report that the related campaign reached more than 340 Microsoft 365 organizations across the United States, Canada, Australia, New Zealand and Germany by mid‑March 2026. (huntress.com) Researchers traced large portions of the attack infrastructure to Railway’s PaaS and to Cloudflare Workers, and linked multiple attack clusters to a handful of Railway IPs. (ebuildersecurity.com)

EvilTokens has been advertised and sold via Telegram channels and packages several automation features: Office 365 capture links, SMTP/B2B sending, open‑redirect lists and scripted operator “customer support.” (blog.sekoia.io) Analysis from CSA and detection write‑ups note that attackers harvest OAuth access and refresh tokens, which provide API‑level access and, in some cases, remain valid across password resets. (labs.cloudsecurityalliance.org)

Microsoft documentation and vendor playbooks point analysts to Entra sign‑in logs, OAuth consent records and Defender for Cloud Apps’ “investigate risky OAuth apps” flows as high‑fidelity detection sources. (learn.microsoft.com) Huntress reported blocking 113 Railway‑linked attempts and flagged more than 100 impacted MSPs during March, while Microsoft said Defender telemetry flagged related OAuth activity and that Entra ID responses included disabling malicious OAuth apps. (support.huntress.io)
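As an added example of the sign‑in‑log hunting the detection guidance above describes (not code from any of the cited vendors), the script below scans constructed Entra sign‑in records for successful device‑code flow logons and marks those whose source IP the same user did not use in any other successful sign‑in shortly before. The record layout is modeled on the Microsoft Graph `signIn` resource; the field names and the `deviceCode` value are an assumption to verify against your own export.

```python
"""Hunt an Entra ID sign-in export for device-code flow logons (added example)."""
from datetime import datetime, timedelta

# Constructed sample export (already parsed from JSON); field names are an
# assumption modeled on the Microsoft Graph `signIn` resource.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-10T08:02:11Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-10T08:14:53Z",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-03-10T09:00:00Z",
     "ipAddress": "203.0.113.11", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-03-10T10:00:00Z",
     "ipAddress": "192.0.2.5", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-03-10T10:20:00Z",
     "ipAddress": "192.0.2.5", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_signins(signins, window=timedelta(hours=2)):
    """Return successful device-code sign-ins, each annotated with `newIp`: True when
    the source IP appears in none of the same user's other successful sign-ins within
    `window` before it. This is a triage heuristic, not proof of compromise."""
    hits = []
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode" or rec["status"]["errorCode"] != 0:
            continue  # failed attempts and other flows are out of scope here
        ts = parse_ts(rec["createdDateTime"])
        baseline = {
            other["ipAddress"] for other in signins
            if other is not rec
            and other["userPrincipalName"] == rec["userPrincipalName"]
            and other["status"]["errorCode"] == 0
            and ts - window <= parse_ts(other["createdDateTime"]) < ts
        }
        hits.append({"user": rec["userPrincipalName"], "time": rec["createdDateTime"],
                     "ip": rec["ipAddress"], "app": rec["appDisplayName"],
                     "newIp": rec["ipAddress"] not in baseline})
    return hits


if __name__ == "__main__":
    for hit in find_device_code_signins(SAMPLE_SIGNINS):
        print(hit)
```

Hits with `newIp` set are the ones to cross‑check against OAuth consent records and the app’s refresh‑token activity before deciding whether to revoke sessions.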