EvilTokens Phishing: AI-Driven Attacks Bypass Microsoft MFA

The first half of 2026 has seen a new breed of Phishing-as-a-Service (PhaaS) that sidesteps traditional Multi-Factor Authentication (MFA) rather than cracking it. At the center of this shift is EvilTokens phishing, a toolkit that has moved beyond the Adversary-in-the-Middle (AiTM) proxy tactics of 2025 and instead abuses the OAuth 2.0 device code flow as implemented by Microsoft Entra ID. Unlike campaigns that relied on cloned login pages, EvilTokens sends the victim to Microsoft's own sign-in page, so there is no look-alike domain for a user or a URL filter to spot.
First identified in early 2026 by researchers at Sekoia and Huntress, the EvilTokens phishing operation has rapidly scaled, impacting hundreds of organizations across the globe. By combining generative AI, serverless automation platforms like Railway.com, and a deep understanding of Microsoft’s authentication protocols, the threat actors behind this kit have created an automated “BEC engine” that can compromise an account and begin financial data exfiltration within minutes of a successful login.
The Mechanics of Deception: Exploiting the Device Code Flow
To understand why EvilTokens phishing is so effective, one must first understand the Device Authorization Grant in OAuth 2.0 (standardized by the IETF in RFC 8628 and implemented by Microsoft, among others). The flow exists for input-constrained devices such as smart TVs, printers, or IoT hardware that cannot present a full browser login. In a legitimate scenario the device displays a short alphanumeric code and instructs the user to visit microsoft.com/devicelogin on a laptop or phone, enter that code, and authorize the device. The user authenticates in their own browser; the device only ever sees the tokens that result.
The EvilTokens phishing toolkit subverts this process in a series of highly automated steps:
- The Initiation: The attacker's backend sends a legitimate device code request to the Entra ID (formerly Azure AD) device authorization endpoint, typically for a client ID the tenant already trusts. Microsoft responds with a short "user code" (e.g., G6H4-J2K8) meant for the human, a longer "device code" that the backend will present when polling the token endpoint, a verification URI, an expiry, and a minimum polling interval.
- The Lure: Using AI-generated templates, the attacker sends a document (PDF, DOCX, or SVG) or a QR code to the victim. The lure often mimics high-urgency business tasks such as “Shared RFP Document,” “Payroll Update,” or “Invoice Verification.”
- The Authorization: The victim is directed to the legitimate Microsoft login page. Because the victim is interacting with the real microsoft.com domain, there are no look-alike URLs or suspicious certificates to trigger browser warnings.
- The Token Capture: Once the victim enters the code and completes their usual MFA prompt (push notification, SMS, or even a FIDO2 key), they have authorized the *attacker's* device. The attacker's backend, which has been polling the token endpoint with the device code, immediately receives a valid access token and refresh token for the victim's account.
This methodology represents a significant evolution because the authentication happens entirely within a trusted environment. The victim “checks the box” for MFA, but they are inadvertently checking it for the adversary.
The AI Edge: Hyper-Personalization and Real-Time Lures
The defining characteristic of the EvilTokens phishing surge in 2026 is its heavy reliance on Large Language Models (LLMs). This is not merely about fixing grammar in a phishing email; the toolkit uses AI to create a dynamic, role-based attack surface.
Dynamic Code Generation and the 15-Minute Window
Microsoft device codes expire 15 minutes after issuance (the device code response advertises expires_in of 900 seconds). In older campaigns this was a bottleneck: if a victim did not act on the link promptly, the code expired and the attempt failed. EvilTokens phishing solves this with "just-in-time" code generation. The toolkit uses the Railway.com platform to detect when a victim clicks a phishing link, and only at that moment does the backend spin up a node, request a fresh code from Microsoft, and render it on the landing page. The code the victim sees is therefore always inside its validity window, which significantly raises the campaign's conversion rate.
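The exchange described in the Mechanics section above, together with the 15-minute expiry this paragraph turns on, as an added example that is not EvilTokens code and not Microsoft's. Both sides are simulated in one process: a mock authorization server standing in for the Entra ID v2.0 endpoints, and the attacker's poller. The endpoint names, the device_code grant type URI, the 900-second expires_in and the error codes (authorization_pending, slow_down, expired_token) match Microsoft's documented behaviour; the codes, tokens, victim UPN and client_id are constructed placeholders, and a fake clock stands in for real time so the expiry path can be exercised instantly.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628) as abused by a
device-code phishing backend.  Added example: not EvilTokens code, touches no
network.  Endpoint names, the grant_type URI, the 900-second expires_in and the
error codes match Microsoft's documented v2.0 behaviour; the issuer, codes,
tokens and client_id below are constructed stand-ins."""
import secrets
import string

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
CODE_LIFETIME = 900          # Microsoft's expires_in for a device code: 15 minutes
POLL_INTERVAL = 5            # minimum seconds between /token polls


class FakeClock:
    """Controllable time source so the 15-minute window can be exercised instantly."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class MockAuthorizationServer:
    """Stand-in for login.microsoftonline.com/{tenant}/oauth2/v2.0 (constructed)."""
    def __init__(self, clock):
        self.clock = clock
        self.pending = {}   # device_code -> authorization state

    def devicecode(self, client_id, scope):
        """POST /devicecode: the attacker's backend calls this, not the victim."""
        user_code = "-".join("".join(secrets.choice(string.ascii_uppercase + string.digits)
                                     for _ in range(4)) for _ in range(2))
        device_code = secrets.token_urlsafe(32)
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "authorized_by": None,
                                     "expires_at": self.clock() + CODE_LIFETIME,
                                     "last_poll": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def devicelogin(self, user_code, upn, mfa_passed):
        """The victim types the code on the genuine page and completes MFA.
        Nothing here reveals which machine asked for the code."""
        for state in self.pending.values():
            if state["user_code"] == user_code and state["expires_at"] > self.clock():
                if mfa_passed:
                    state["authorized_by"] = upn
                return mfa_passed
        return False

    def token(self, client_id, device_code):
        """POST /token with grant_type=device_code: polled by the attacker's backend."""
        state = self.pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if state["expires_at"] <= self.clock():
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["last_poll"] is not None and self.clock() - state["last_poll"] < POLL_INTERVAL:
            return {"error": "slow_down"}
        state["last_poll"] = self.clock()
        if state["authorized_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]   # a device code is single-use
        return {"token_type": "Bearer", "scope": state["scope"], "sub": state["authorized_by"],
                "access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16)}


def simulate(victim_delay, mfa_passed=True):
    """Run one phishing attempt; the victim acts victim_delay seconds after the lure is built.
    Returns the final /token response and how many polls the backend made."""
    clock = FakeClock()
    server = MockAuthorizationServer(clock)
    client_id = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real app ID
    grant = server.devicecode(client_id, "openid offline_access Mail.ReadWrite")
    start, polls, victim_done = clock(), 0, False
    while True:
        if not victim_done and clock() - start >= victim_delay:
            server.devicelogin(grant["user_code"], "victim@example.com", mfa_passed)
            victim_done = True
        resp = server.token(client_id, grant["device_code"])
        polls += 1
        if resp.get("error") not in ("authorization_pending", "slow_down"):
            return {"result": resp, "polls": polls}
        clock.advance(grant["interval"])


if __name__ == "__main__":
    print(simulate(120)["result"].keys())      # tokens: the victim acted inside the window
    print(simulate(1000)["result"])            # expired_token: the lure went stale
```

Running `simulate(120)` shows the backend receiving an access token and refresh token after the victim authorizes two minutes in; `simulate(1000)` shows the poller receiving expired_token because the code was not used within 900 seconds, which is exactly the stale-lure failure that just-in-time code generation is designed to avoid. Note that the server never learns anything about the device that requested the code beyond its client_id, which is why the victim's MFA success does nothing to distinguish a conference-room display from a phishing backend.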
Role-Specific Phishing Payloads
Through integration with LLMs, EvilTokens can ingest publicly available data about a target (from LinkedIn or corporate directories) to tailor the lure. An HR manager might receive a "2026 Benefits Adjustment" document, while a Finance Director is presented with a "Wire Transfer Reconciliation" alert. Because these lures are generated on the fly rather than reused, email security gateways cannot rely on static hash or template signatures to catch them.
Technical Infrastructure: The Railway.com and Cloudflare Nexus
The EvilTokens phishing operation utilizes a “multi-hop” redirect architecture to stay ahead of automated URL scanners. Threat actors have been observed leveraging high-reputation serverless platforms to host their redirect logic, blending malicious traffic into the background noise of legitimate enterprise cloud activity.
- Initial Redirects: The link in the email often points to a compromised legitimate domain or a Cloudflare Worker (*.workers.dev).
- The Backend Engine: The core of the operation resides on Railway.com, a developer-friendly PaaS provider. Railway allows attackers to spin up many ephemeral backend nodes; these nodes request device codes, poll Microsoft's token endpoint, and store the captured tokens.
- Synthetic User Agents: To evade Microsoft's risk-based Conditional Access, the toolkit presents hand-picked user-agent strings when polling. Researchers have noted a preference for mimicking modern Windows 11 builds and specific mobile Safari versions, though some slips have been identified, such as synthetic iPhone agents advertising Safari versions that did not correspond to any shipping build at the time of analysis (e.g., Safari 26.3).
By using Railway.com, attackers gain access to “clean” IP addresses that are not yet flagged as malicious by most threat intelligence feeds. This allows them to bypass reputation-based blocking that typically stops older PhaaS platforms like EvilProxy.
Post-Compromise: “Inbox Enrichment” and the BEC Heist
The goal of EvilTokens phishing is rarely just access; it is monetization. Once a token is captured, the toolkit transitions into an automated data-mining phase known as “inbox enrichment.” The EvilTokens dashboard provides affiliates with a custom webmail client—internally referred to in some circles as “MailVault”—that clones the Outlook interface but adds a layer of AI intelligence.
Automated Financial Reconnaissance
The toolkit uses AI to scan the victim’s inbox for high-value conversations. It specifically targets keywords like “invoice,” “payment,” “wire transfer,” and “bank details.” The AI doesn’t just find these emails; it summarizes the context of the thread, allowing the attacker to jump into a conversation with a perfectly timed, AI-generated reply that mimics the victim’s writing style. This “Business Email Compromise (BEC) 3.0” is remarkably difficult to detect because the reply comes from the legitimate account and maintains the correct historical context.
The Pursuit of the Primary Refresh Token (PRT)
Perhaps the most dangerous technical capability of EvilTokens phishing is its ability to establish long-term persistence. Attackers use the harvested refresh token to register a "rogue" device in the organization's Entra ID. Once a device is registered, the attacker can request a Primary Refresh Token (PRT). A PRT is the "holy grail" of Microsoft authentication: it allows continuous, silent sign-ins across Microsoft 365 services without prompting the user for MFA again. A password reset alone does not remove that device registration. Unless defenders also revoke the user's refresh tokens and disable or delete the rogue device, the attacker keeps a foothold, and an unrevoked refresh token stays usable for the tenant's default 90-day inactivity lifetime or longer.
Why Traditional MFA Fails Against EvilTokens
The surge in EvilTokens phishing highlights a critical flaw in current "non-phishing-resistant" MFA implementations. SMS codes and mobile app push notifications (such as Microsoft Authenticator) verify the user's identity, but they do not verify the context of the authentication request. When a user approves a push or enters a code, they are essentially saying, "Yes, I am logging in." They have no way of knowing that they are approving a login for a device controlled by a threat actor on the other side of the world. Even Authenticator's number matching does not help here, because the victim genuinely initiated the sign-in and is expecting the prompt.
Because the login occurs on the real microsoft.com/devicelogin page, there is no “man-in-the-middle” to inspect. The user is doing exactly what they have been trained to do: log into the official Microsoft website. This psychological exploit, combined with the technical abuse of the device flow, creates a perfect storm that circumvents nearly all legacy security controls.
Mitigation and Defensive Strategies for 2026
Organizations must move beyond basic MFA and adopt a “Zero Trust” posture regarding OAuth flows. To defend against EvilTokens phishing, security teams should implement the following technical controls:
- Restrict Device Code Flow: The most effective defense is to disable the OAuth 2.0 device code flow entirely if it is not business-critical. Microsoft allows administrators to block it via a Conditional Access policy that uses the authentication flows condition with a Block grant control. If it is required for certain hardware (such as conference room displays), scope the policy so the flow is permitted only for specific, known accounts and trusted IP ranges, and block it for everyone else.
- Transition to Phishing-Resistant MFA: Deploying FIDO2 security keys or Windows Hello for Business removes the credential-replay and AiTM proxy attacks of earlier PhaaS kits, because the authenticator binds the assertion to the origin the user is actually visiting. It is a necessary step, but on its own it does not stop device code phishing: in this flow the victim really is signing in at the genuine Microsoft origin, so the assertion succeeds and the tokens still go to the polling client. Phishing-resistant MFA must therefore be paired with blocking or tightly scoping the device code flow.
- Monitor for Anomalous Sign-ins: Entra sign-in logs record the authentication protocol used, so SecOps teams should hunt for sign-ins whose protocol is Device Code and whose source IP belongs to serverless or PaaS providers (such as Railway.com, Vercel, or AWS Lambda egress ranges). Any device code sign-in that does not correspond to a known, inventoried IoT or display device should be treated as a high-fidelity indicator of compromise.
- Audit Entra ID Device Registrations: Regularly review newly registered devices in the tenant. The EvilTokens phishing workflow often registers a new "rogue" device to obtain a PRT. An unexpected device registration shortly after a device code sign-in, followed by a surge in Graph API activity from that account, is a red flag; the response must include disabling the device and revoking the user's sessions, not only resetting the password.
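The hunting logic for the monitoring and device-registration items above, plus a check that a Conditional Access policy actually blocks the flow, as an added example. It is not EvilTokens code and not a Microsoft-supplied query. It assumes sign-in records follow the field names of the Microsoft Graph signIn resource (authenticationProtocol, appDisplayName, ipAddress, userAgent, createdDateTime), that audit events carry activityDisplayName and activityDateTime with initiatedBy flattened to a UPN, and that policies follow the Graph conditionalAccessPolicy shape (conditions.authenticationFlows.transferMethods, grantControls.builtInControls). The IP range, the app allow list and all log records are constructed placeholders; the user-agent check is a heuristic (on iOS the Safari Version/ major tracks the iOS major, so a disagreement suggests a hand-built string).

```python
"""Hunting for device code phishing in exported Entra ID logs, plus a check that
Conditional Access actually blocks the flow.  Added example over constructed
records; not EvilTokens code and not a Microsoft-supplied query.  Field names
are assumptions about the export (Graph signIn / conditionalAccessPolicy shapes
with audit initiatedBy flattened to a UPN); ranges and allow list are placeholders."""
import ipaddress
import re
from datetime import datetime, timedelta

SUSPECT_CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3 placeholder
ALLOWED_DEVICE_CODE_APPS = {"RoomDisplay-Contoso"}                # constructed allow list
IOS_UA = re.compile(r"iPhone OS (\d+)_\d+.*Version/(\d+)\.\d+.*Safari")


def ua_is_synthetic(ua):
    """Heuristic: on iOS the Safari Version/ major tracks the iOS major; a mismatch
    (e.g. iPhone OS 17 claiming Version/26) suggests a hand-built user agent."""
    m = IOS_UA.search(ua)
    return bool(m) and m.group(1) != m.group(2)


def flag_sign_in(rec):
    """Return the reasons a sign-in looks like device code phishing ([] if none)."""
    if rec.get("authenticationProtocol") != "deviceCode":
        return []
    reasons = []
    if rec.get("appDisplayName") not in ALLOWED_DEVICE_CODE_APPS:
        reasons.append("device code sign-in for an app not on the allow list")
    if any(ipaddress.ip_address(rec["ipAddress"]) in net for net in SUSPECT_CLOUD_RANGES):
        reasons.append("source IP in a cloud/PaaS range")
    if ua_is_synthetic(rec.get("userAgent", "")):
        reasons.append("user agent OS and Safari versions disagree")
    return reasons


def correlate_device_registration(sign_ins, audit_events, window=timedelta(hours=2)):
    """Pair each flagged sign-in with a 'Register device' audit event by the same
    user inside the window: the pattern that precedes a PRT request."""
    hits = []
    for s in sign_ins:
        if not flag_sign_in(s):
            continue
        t0 = datetime.fromisoformat(s["createdDateTime"])
        for a in audit_events:
            if a["activityDisplayName"] != "Register device" or a["initiatedBy"] != s["userPrincipalName"]:
                continue
            t1 = datetime.fromisoformat(a["activityDateTime"])
            if t0 <= t1 <= t0 + window:
                hits.append((s["userPrincipalName"], s["createdDateTime"], a["activityDateTime"]))
    return hits


def policy_blocks_device_code(policies):
    """True if an enabled Conditional Access policy blocks the device code flow."""
    for p in policies:
        if p.get("state") != "enabled":
            continue
        flows = (p.get("conditions", {}).get("authenticationFlows") or {}).get("transferMethods", "")
        controls = p.get("grantControls") or {}
        if "deviceCodeFlow" in flows.split(",") and "block" in controls.get("builtInControls", []):
            return True
    return False


# Constructed sample data ---------------------------------------------------
UA_FAKE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Version/26.3 Mobile/15E148 Safari/604.1")
SAMPLE_SIGN_INS = [
    {"createdDateTime": "2026-03-02T09:14:03+00:00", "userPrincipalName": "cfo@contoso.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.45", "userAgent": UA_FAKE},
    {"createdDateTime": "2026-03-02T09:20:11+00:00", "userPrincipalName": "room7b@contoso.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "RoomDisplay-Contoso",
     "ipAddress": "198.51.100.10", "userAgent": "RoomDisplay/2.1"},
    {"createdDateTime": "2026-03-02T09:31:00+00:00", "userPrincipalName": "cfo@contoso.example",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "ipAddress": "198.51.100.20", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]
SAMPLE_AUDITS = [
    {"activityDateTime": "2026-03-02T09:41:30+00:00", "activityDisplayName": "Register device",
     "initiatedBy": "cfo@contoso.example"},
]
SAMPLE_POLICIES = [
    {"displayName": "Block device code flow", "state": "disabled",   # weak: never enabled
     "conditions": {"authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    for rec in SAMPLE_SIGN_INS:
        print(rec["userPrincipalName"], flag_sign_in(rec))
    print(correlate_device_registration(SAMPLE_SIGN_INS, SAMPLE_AUDITS))
    print("device code flow blocked:", policy_blocks_device_code(SAMPLE_POLICIES))
```

On the sample data the CFO's device code sign-in is flagged on all three counts and is then paired with the device registration 27 minutes later, while the inventoried room display passes cleanly and the ordinary OAuth2 sign-in is ignored. The sample policy is the weak configuration: it names deviceCodeFlow and carries a Block control but is left in the disabled state, so the audit reports that the flow is not blocked; flipping state to enabled is the corrected setting. Replace the placeholder range and allow list with your own provider ranges and device inventory before using this for real hunting.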
Conclusion: The Future of AI-Driven Cybercrime
The EvilTokens phishing campaign is a harbinger of things to come. By moving the phishing element to the authorization step at the very end of the authentication chain, and by using AI to handle the nuances of social engineering and post-compromise data mining, threat actors have found a way to scale attacks that once required nation-state-level expertise. For the modern enterprise the message is clear: the days of relying on "good enough" MFA are over. Security in 2026 requires a working understanding of the protocols we use every day and a proactive approach to closing the loopholes that tools like EvilTokens exploit.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


