
How EvilTokens Turbocharges Old School Phishing with AI

ID: 2f6f7218-66f6-52e8-861a-97cf383a3294

STIX ID: report--2f6f7218-66f6-52e8-861a-97cf383a3294

Feed Name: Huntress Blog

Threat Score: 75/100

Date Published: 2026-05-11

Date Updated: 2026-05-14

...
...

The report describes the EvilTokens phishing-as-a-service campaign that used device-code phishing to capture valid session tokens and bypass MFA, hitting 344 organizations across five countries over 16 days. Operators routed traffic via legitimate PaaS infrastructure (Railway), used AI to craft personalized lures and accelerate post-compromise fraud, and sold the platform on Telegram. Traditional email and MFA defenses were often ineffective because the authentication flow and tokens were legitimate; defenders mitigated the campaign by applying conditional access controls and blocking the infrastructure. The report outlines TTPs, the PhaaS ecosystem, and practical defenses including conditional access, token revocation, and adoption of phishing-resistant MFA (FIDO2/passkeys).
