Phishing kit breaks into Microsoft 365 accounts without stealing passwords

A phishing kit called EvilTokens is breaking into Microsoft 365 accounts without stealing a single password or showing a fake login page. Instead, it tricks employees into approving the attacker's own sign-in on the genuine Microsoft website. Researchers at ESET, building on earlier work by Sekoia and others, broke down how the kit works and why the old advice to "check the link for typos" no longer protects anyone.

EvilTokens is sold as phishing-as-a-service and abuses a legitimate Microsoft feature: the OAuth 2.0 device authorization grant, better known as the device code flow. That feature exists for gadgets that are awkward to type on, such as smart TVs and printers, which display a short code that you then enter at the real microsoft.com/devicelogin page on your phone or laptop. The trap is that the code the victim is shown actually belongs to the attacker's session. When the victim enters it and completes the normal login, including two-factor authentication, on Microsoft's own page, Microsoft hands the resulting access and refresh tokens to the attacker's device.

Why it is so dangerous

There is no fake page to spot and no password to phish, so the warning signs people have been trained to look for simply are not there. Two-factor authentication does not save the day either, because the victim approves the wrong session themselves rather than the attacker defeating 2FA with any technical trick. The kit has been advertised on Telegram and used in account takeover and business email compromise since at least February 2026, including one March 2026 campaign that targeted more than 340 organizations across several countries. Microsoft has also described an AI-assisted version that generates device codes on the fly and tailors its lures, with reconnaissance to confirm an account is active often running 10 to 15 days before the actual attempt. Lures typically pose as an invoice, a shared document, a calendar invite, or a SharePoint access request, and the attackers favor finance, HR, logistics, and sales mailboxes that are useful for fraud. The same Microsoft device code feature was also abused in a Russian state-linked watering hole campaign.

What you should do

Treat any unexpected request to enter an authentication code as suspect: no document, invoice, or message should need one without a clear reason. Before approving a sign-in, check which app is asking, which account is involved, and whether you actually started the action; the fact that the page is a genuine Microsoft page does not make the request safe. Organizations should use Conditional Access policies to block the device code flow wherever it is not needed and scope it to specific users, devices, or locations, and should watch for unusual device-code sign-ins, unfamiliar devices, and new inbox rules. If an account is hit, review sign-in logs, revoke active sessions, invalidate refresh tokens, remove any malicious inbox rules, and temporarily disable the account. ESET's full write-up has more detection and response guidance.
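The monitoring advice above, turned into a small detection routine as an added example (not code from ESET, Sekoia, Microsoft or IntelFusions): it flags successful device-code sign-ins that fall outside an allow-list or known corporate egress, and escalates when a new inbox rule follows the sign-in. The log records, IP ranges, exception list and simplified field names are constructed assumptions shaped after Entra ID sign-in and Exchange mailbox-audit data.

```python
# Detection logic over constructed Entra-style sign-in and mailbox-audit records.
from datetime import datetime

# Constructed sample sign-ins, shaped after Entra ID sign-in log fields
# (authenticationProtocol, ipAddress, appDisplayName, status.errorCode).
SIGNINS = [
    {"time": "2026-03-10T08:02:00Z", "user": "a.finance@example.com", "protocol": "deviceCode",
     "ip": "203.0.113.7", "app": "Microsoft Office", "error": 0},
    {"time": "2026-03-10T08:05:00Z", "user": "b.hr@example.com", "protocol": "none",
     "ip": "198.51.100.4", "app": "Outlook", "error": 0},
    {"time": "2026-03-10T09:00:00Z", "user": "c.it@example.com", "protocol": "deviceCode",
     "ip": "198.51.100.9", "app": "Azure CLI", "error": 0},
    {"time": "2026-03-10T09:30:00Z", "user": "d.sales@example.com", "protocol": "deviceCode",
     "ip": "203.0.113.9", "app": "Microsoft Office", "error": 50126},
]
# Constructed mailbox audit events, shaped after Exchange "New-InboxRule" audit entries.
MAILBOX_AUDIT = [
    {"time": "2026-03-10T08:20:00Z", "user": "a.finance@example.com", "operation": "New-InboxRule"},
]
KNOWN_EGRESS = {"198.51.100.4", "198.51.100.9"}  # assumed corporate egress IPs
DEVICE_CODE_ALLOWED = {"c.it@example.com"}        # assumed exception list (e.g. admins using CLI tools)

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def flag_device_code_signins(signins, audit, known_ips, allowed, window_min=60):
    """Return alerts for successful device-code sign-ins that fall outside policy."""
    alerts = []
    for s in signins:
        if s["protocol"] != "deviceCode" or s["error"] != 0:
            continue  # only successful device-code grants matter here
        reasons = []
        if s["user"] not in allowed:
            reasons.append("user not in device-code exception list")
        if s["ip"] not in known_ips:
            reasons.append("sign-in from IP outside known egress")
        if not reasons:
            continue
        t0 = parse(s["time"])
        # Escalate when a new inbox rule appears shortly after the sign-in,
        # a common follow-on step in business email compromise.
        for e in audit:
            if (e["user"] == s["user"] and e["operation"] == "New-InboxRule"
                    and 0 <= (parse(e["time"]) - t0).total_seconds() <= window_min * 60):
                reasons.append("New-InboxRule within %d min of sign-in" % window_min)
        severity = "high" if any("New-InboxRule" in r for r in reasons) else "medium"
        alerts.append({"user": s["user"], "ip": s["ip"], "severity": severity, "reasons": reasons})
    return alerts
```

On the sample data only the finance mailbox is flagged: its device-code sign-in came from an unknown IP, the user is not on the exception list, and an inbox rule was created 18 minutes later, so the alert is rated high.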

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
