New widespread EvilTokens kit: device code phishing as-a-service – Part 1
ID: 6c1cd69b-3028-5d4d-a527-ada31938ebc4
STIX ID: report--6c1cd69b-3028-5d4d-a527-ada31938ebc4
Feed Name: Sekoia.io Blog
Date Published: 2026-03-30
Date Updated: 2026-04-29
Author: Quentin Bourgue and Sekoia TDR
EvilTokens is a newly identified Phishing-as-a-Service (PhaaS) that offers turnkey Microsoft device code phishing kits and a feature-rich backend automating token harvesting, Primary Refresh Token (PRT) conversion, browser SSO cookie generation, reconnaissance (Graph/Azure), and post-compromise persistence. The kit was rapidly adopted in early March 2026, with over 1,000 domains observed and multiple phishing templates and delivery vectors. The report includes IoCs and a YARA rule for detection.
