logo

EvilTokens device-code phishing kit totally more evil than we all thought

ID: ac02ad61-8900-5ad5-a714-4c719754784e

STIX ID: report--ac02ad61-8900-5ad5-a714-4c719754784e

Feed Name: The Register (Security)

Threat Score
75/100

Date Published: 2026-07-01

Date Updated: 2026-07-02

...
...

The report details the EvilTokens device-code phishing kit and an associated ARToken phishing-as-a-service operation that bypasses Microsoft 365 MFA to silently authenticate as victims; attackers use targeted invoice lures, legitimate-looking SharePoint hosts, and sophisticated evasion. Cisco Talos found evidence of large-scale campaigns (multiple daily waves), infrastructure and API sharing with EvilTokens, and a mature post-exploitation/BEC toolkit that offers Outlook read/send access, inbox rules, token management, and persistence mechanisms.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.