EvilTokens kit sells for $1,500

- Sekoia and Microsoft tied a new Telegram-sold phishing kit, EvilTokens, to a March-April surge in Microsoft 365 device-code account takeovers.
- The core product is an “Office 365 capture link” sold for $1,500, with AI-written lures and automation that keeps codes fresh.
- That matters because attackers steal real OAuth tokens through Microsoft’s own flow, so passwords and MFA never become the obstacle.

EvilTokens is not a fake-login-page story. That is the part that makes it more dangerous. The kit abuses Microsoft’s real device code sign-in flow, so the victim logs in on an actual Microsoft page, completes MFA if prompted, and still hands the attacker the session they wanted. Researchers at Sekoia surfaced the kit in late March, Huntress tied active intrusions to it days earlier, and Microsoft followed in early April with a broader look at the same style of campaign.

### What is EvilTokens, exactly?

Basically, it is phishing-as-a-service for Microsoft 365 account takeover. Sekoia says the operator has been selling it through Telegram bots and channels since mid-February 2026, with a private customer group, product updates, support, and separate tools for sending lures and deploying pages. The main item is the “Office 365 capture link,” which Sekoia identified as the device-code phishing kit itself. (blog.sekoia.io) It was listed at $1,500, alongside a $600 B2B sender and a $1,000 SMTP sender.

### What is device-code phishing?

Microsoft’s device authorization flow exists for awkward devices — TVs, printers, IoT gear — that cannot do a normal browser login. The device shows a short code, the user enters that code on a Microsoft page from another device, and Microsoft returns tokens to the waiting app. EvilTokens flips that convenience feature into a trap. The attacker starts a legitimate device login, sends the victim the real code with a convincing lure, and the victim completes authentication for the attacker’s session. (blog.sekoia.io)

### Why does MFA not save you here?

Because the victim is not bypassing Microsoft’s checks. The victim is satisfying them. That is the ugly trick. EvilTokens is after OAuth access and refresh tokens, not the password itself, so the attacker can get into Outlook, OneDrive, Teams, SharePoint, and other connected services without needing to crack or replay credentials.

Sekoia also describes a nastier follow-on path — using the stolen refresh token to register a device and work toward a Primary Refresh Token for longer-lived access. (blog.sekoia.io)

### Why are researchers treating this as a step up?

Scale and polish. Microsoft says this campaign used dynamic code generation to dodge the normal 15-minute device-code lifetime, plus short-lived backend infrastructure on Railway and AI-generated lure content tailored to job function. Sekoia says the kit can analyze stolen mailboxes, identify finance-related threads, and help draft business email compromise messages. So this is not just “get in.” It is “get in, find the money conversation, and keep going.” (helpnetsecurity.com)

### How widespread did it get?

Huntress said in March it was tracking activity across more than 340 organizations in the US, Canada, Australia, New Zealand, and Germany, and later tied that activity to EvilTokens. BleepingComputer’s write-up of Sekoia’s work described global targeting too, with the US, Canada, France, Australia, India, Switzerland, and the UAE among the most affected countries. This is not one boutique intrusion set poking a few tenants. (microsoft.com) It is broad distribution.

### Why does the $1,500 price matter?

Because it lowers the skill barrier without making the operator give up control. A buyer does not need to build token-handling logic, phishing pages, hosting, lure generation, or post-compromise workflow from scratch. They rent the playbook. That is how a niche tradecraft move turns into a repeatable product category. Sekoia’s view was blunt — EvilTokens looks positioned to become a serious competitor in phishing and BEC. (huntress.com)

### What should defenders take from this?

The obvious lesson is that password-focused thinking is not enough. The more useful one is that real sign-in flows can still be malicious when the session is being granted to the wrong party.

That shifts attention toward token monitoring, device-code flow restrictions, suspicious app and device registrations, inbox-rule creation, and unusual use of Microsoft Graph after a successful login. (blog.sekoia.io) Microsoft has already framed this campaign as a significant escalation from the narrower device-code operations seen in 2025.

### Bottom line?

EvilTokens matters because it productized a real Microsoft login trick, wrapped it in AI and Telegram support, and sold it cheaply enough to spread fast. The password is no longer the center of the story. The session is. (microsoft.com)
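As an added example of the token-monitoring angle above (this is not code from Sekoia, Microsoft, Huntress or the Scout brief), the script below flags successful device-code sign-ins that arrive from an IP the user has never used, then pairs each one with a later device registration by the same user. It assumes Entra ID sign-in exports carry an `authenticationProtocol` field with the value `deviceCode` and that audit exports record a `Register device` activity; all sample records are constructed.

```python
"""Flag device-code sign-ins from unfamiliar IPs and correlate device registrations."""
import json
from datetime import datetime, timedelta

DEVICE_CODE = "deviceCode"

# Constructed sample sign-in records. Field names follow the Entra ID signIn
# resource; every value is made up. Alice's device-code sign-in comes from an
# IP she has never used; Bob's successful one reuses his usual IP.
SIGNINS = [json.loads(s) for s in [
    '{"userPrincipalName":"alice@example.com","createdDateTime":"2026-03-20T09:00:00Z","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","status":{"errorCode":0}}',
    '{"userPrincipalName":"alice@example.com","createdDateTime":"2026-03-21T10:15:00Z","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}',
    '{"userPrincipalName":"bob@example.com","createdDateTime":"2026-03-20T08:00:00Z","ipAddress":"203.0.113.22","authenticationProtocol":"oAuth2","appDisplayName":"Teams","status":{"errorCode":0}}',
    '{"userPrincipalName":"bob@example.com","createdDateTime":"2026-03-21T08:30:00Z","ipAddress":"203.0.113.22","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}',
    '{"userPrincipalName":"bob@example.com","createdDateTime":"2026-03-21T11:00:00Z","ipAddress":"198.51.100.9","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":50126}}',
]]

# Constructed audit records: a device registration 25 minutes after Alice's
# device-code sign-in, the follow-on path the article describes.
AUDITS = [
    {"activityDisplayName": "Register device", "userPrincipalName": "alice@example.com",
     "activityDateTime": "2026-03-21T10:40:00Z"},
]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def flag_device_code_signins(signins):
    """Return successful device-code sign-ins from an IP the user had not used before.
    Records are walked in time order so earlier successes form each user's IP baseline."""
    seen = {}  # user -> set of IPs from earlier successful sign-ins
    flagged = []
    for r in sorted(signins, key=lambda r: r["createdDateTime"]):
        user, ip = r["userPrincipalName"], r["ipAddress"]
        if r["status"]["errorCode"] != 0:
            continue  # failed attempts neither extend the baseline nor get flagged
        if r["authenticationProtocol"] == DEVICE_CODE and ip not in seen.get(user, set()):
            flagged.append(r)
        seen.setdefault(user, set()).add(ip)
    return flagged

def correlate_device_registration(flagged, audits, window_hours=24):
    """Pair each flagged sign-in with 'Register device' events by the same user inside the window."""
    hits = []
    for s in flagged:
        start = _ts(s["createdDateTime"])
        for a in audits:
            same_user = a["userPrincipalName"] == s["userPrincipalName"]
            if same_user and a["activityDisplayName"] == "Register device":
                if start <= _ts(a["activityDateTime"]) <= start + timedelta(hours=window_hours):
                    hits.append((s["userPrincipalName"], s["ipAddress"], a["activityDateTime"]))
    return hits

if __name__ == "__main__":
    for user, ip, when in correlate_device_registration(flag_device_code_signins(SIGNINS), AUDITS):
        print(f"ALERT {user}: device-code sign-in from {ip}, device registered at {when}")
```

The same logic maps onto a KQL query over SigninLogs joined to AuditLogs once the IP baseline is taken from a longer lookback than the five constructed records here.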
