EvilTokens: A phishing attack that doesn’t steal your password

https://web-assets.esetstatic.com/wls/2026/06-26/eviltokens-device-token-theft.jpg

A phishing kit subverting Microsoft’s legitimate authentication flow lets attackers break into accounts without stealing passwords or creating fake login pages

15 Jun 2026 • 5 min. read

Much has been written about how the days of phishing emails laden with broken grammar and crude design are numbered, largely thanks to AI. Meanwhile, EvilTokens offers a somewhat different example of how far the phishing craft has moved.

EvilTokens is a phishing-as-a-service (PhaaS) kit built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow. As attacks that use the kit rely on device code phishing, they sidestep the need for convincing replicas of genuine login pages where the victims would hand over their passwords. Instead, attackers get the victim to complete a legitimate authentication process – including two-factor authentication (2FA) – on a real Microsoft login page.

The toolkit has been advertised via Telegram channels...

Copyright of this story solely belongs to welivesecurity.com. To see the full text click HERE

Read more