Microsoft 365 EvilToken Campaign Targets Hundreds Daily
The era of the password-stealing phishing kit is dead. We have entered the age of token abuse, where attackers no longer try to break the lock—they simply trick the owner into handing over the keys through legitimate authentication flows. The EvilToken campaign is the definitive proof of this shift, weaponizing Microsoft’s own device code flow to render traditional MFA irrelevant.
The Tech TL;DR:
- The Vector: Abuses Microsoft 365 device code authentication to generate OAuth tokens, bypassing passwords and MFA entirely.
- The Scale: Powered by a Phishing-as-a-Service (PhaaS) model using AI for hyper-personalized lures and Railway.com PaaS for token replay.
- The Threat: Attributed to a mix of PhaaS operators and Forest Blizzard (Russian military-linked), utilizing SOHO router compromises for DNS hijacking.
For the uninitiated, the device code flow is designed for devices with limited input capabilities (like smart TVs). The user enters a code on a separate device to authenticate. EvilToken turns this convenience into a critical vulnerability. By tricking a high-value target—typically in finance or executive roles—into completing this flow, the attacker secures a valid OAuth token. Once that token is in hand, the adversary operates via Microsoft Graph, making their activity appear as legitimate, trusted traffic in the logs.
Architectural Post-Mortem: The EvilToken Attack Chain
This isn’t a script-kiddie operation; it is a sophisticated, AI-driven pipeline. According to researchers at AppOmni, the campaign leverages Generative AI to craft hyper-personalized messages, such as fake RFPs or invoices, tailored specifically to the victim’s professional role. This precision increases the success rate of the initial lure, moving the attack from a “spray and pray” model to a surgical strike.

“Microsoft’s disclosure of the EvilToken campaign highlights how threat actors are using device code phishing and OAuth tokens to gain direct access to Microsoft 365 (M365) environments without stealing passwords or triggering typical security controls.” — Bill Legue, Lead Threat Hunter, AppOmni.
The infrastructure supporting this is equally modular. Huntress has attributed the campaign to the EvilTokens PhaaS platform, which first surfaced on Telegram in February 2026. The platform offers a tiered product suite: a “B2B Sender,” an “Office 365 Capture Link,” and an “SMTP Sender.” These tools are integrated with AI workflows designed to bypass email filtering and identify sensitive emails for subsequent wire fraud or data exfiltration. The use of Railway.com as a clean token replay engine allows attackers to maintain a low profile, rotating infrastructure to avoid signature-based detection.
Adding a layer of geopolitical complexity, Microsoft has linked related activity to Forest Blizzard, a threat actor associated with the Russian military. Forest Blizzard targets insecure SOHO (small office/home office) routers, modifying settings to facilitate DNS hijacking and adversary-in-the-middle (AiTM) attacks. This creates a malicious infrastructure that can intercept traffic before it even reaches the target’s intended destination, providing a stealthy entry point for the EvilToken payloads.
The Implementation Mandate: Detecting Token Abuse
Since the attack bypasses MFA, security teams cannot rely on login alerts. Detection must shift to the post-authentication phase, specifically monitoring for anomalous OAuth application grants and unusual Microsoft Graph API calls. If you suspect a compromise, you need to audit the service principals and permissions granted to external applications.
To investigate a potentially malicious app registration or its token usage via the Microsoft Graph API, developers and security engineers can use the following cURL request to look up the service principal for a suspicious application, which is the starting point for reviewing the permissions granted to it (the `$filter` is passed via `--data-urlencode` so the shell does not expand it as a variable and the spaces in the OData expression are encoded):
curl -G "https://graph.microsoft.com/v1.0/servicePrincipals" --data-urlencode "\$filter=appId eq '{suspicious-app-id}'" -H "Authorization: Bearer {your-admin-token}" -H "Content-Type: application/json"
Analyzing the appRoleAssignments and oauth2PermissionGrants is critical. Any application granting Mail.Read or Files.ReadWrite.All without a documented business case is a red flag. For a deeper dive into the protocol being abused, engineers should reference RFC 8628 (OAuth 2.0 Device Authorization Grant) to understand the specific handshake that is being turned against the user.
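As an added example (not code from the article or from AppOmni, Huntress or Microsoft), the following Python triage script applies the rule above to delegated permission grants: it takes the `oauth2PermissionGrants` and `servicePrincipals` objects in the shape Graph returns, flags any grant carrying a high-risk scope whose app ID is not on an assumed allowlist of apps with a documented business case, and raises the severity when `offline_access` is present, since that scope yields a long-lived refresh token. All IDs, names and the allowlist are constructed sample values.

```python
import json

# Scopes the article calls out as red flags, plus closely related mailbox scopes.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All"}

# Constructed sample of GET /oauth2PermissionGrants (delegated grants).
SAMPLE_GRANTS = json.loads("""{"value": [
  {"clientId": "sp-111", "consentType": "Principal", "principalId": "user-9",
   "resourceId": "graph-sp", "scope": "User.Read offline_access"},
  {"clientId": "sp-222", "consentType": "Principal", "principalId": "user-42",
   "resourceId": "graph-sp", "scope": "Mail.Read Files.ReadWrite.All offline_access"}
]}""")

# Constructed sample of the service principals referenced by clientId above,
# keyed by object id (the fields mirror GET /servicePrincipals).
SAMPLE_SERVICE_PRINCIPALS = {
    "sp-111": {"appId": "app-aaaa", "displayName": "Expense Tool"},
    "sp-222": {"appId": "app-bbbb", "displayName": "Invoice Viewer"},
}

# Assumed allowlist: app IDs with a documented business case for their scopes.
APPROVED_APP_IDS = {"app-aaaa"}


def find_risky_grants(grants, service_principals, approved_app_ids):
    """Return one finding per grant that holds a high-risk scope and is not approved."""
    findings = []
    for grant in grants["value"]:
        sp = service_principals.get(grant["clientId"], {})
        app_id = sp.get("appId", "unknown")
        scopes = set(grant["scope"].split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if not risky or app_id in approved_app_ids:
            continue
        findings.append({
            "appId": app_id,
            "displayName": sp.get("displayName", "?"),
            "principalId": grant["principalId"],   # the user who consented
            "consentType": grant["consentType"],   # Principal = single user consent
            "riskyScopes": risky,
            # offline_access means a refresh token was issued: access persists
            # long after the device code flow the user completed.
            "severity": "high" if "offline_access" in scopes else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_risky_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS, APPROVED_APP_IDS):
        print(json.dumps(finding, indent=2))
```

In a live tenant, replace the two sample structures with the paged JSON from the corresponding Graph endpoints; application (app-role) permissions are assigned via appRoleAssignments and need the same review against the resource's appRoles.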
IT Triage: Mitigating the Blast Radius
The scale of this campaign—impacting over 268 M365 organizations and 100+ MSPs according to Huntress—demonstrates that standard security configurations are insufficient. The “blast radius” of a single compromised executive token can encompass the entire corporate directory, as attackers use the Graph API to scrape sensitive data without triggering traditional brute-force alarms.
Enterprise IT departments cannot wait for a native Microsoft patch to solve a behavioral exploit. Organizations are urgently deploying vetted cybersecurity auditors and penetration testers to conduct identity audits and tighten conditional access policies. The priority is moving toward a “Zero Trust” architecture where token lifetimes are minimized and high-risk permissions are strictly gated.
The reliance on SOHO routers as a launchpad for Forest Blizzard’s operations highlights a massive blind spot in the remote-work era. This vulnerability makes it imperative for companies to provide managed hardware or mandate the use of secure VPNs, often coordinated through specialized Managed Service Providers (MSPs) who can monitor endpoint health and DNS integrity across a distributed workforce.
The Trajectory of Phishing-as-a-Service
EvilToken is a harbinger of the “industrialization” of identity theft. By decoupling the attack from the password and automating the lure via AI, threat actors have reduced the cost of entry while increasing the success rate. We are moving toward a landscape where the primary attack surface is no longer the user’s password, but the trust relationship between the identity provider and the application.
Looking ahead, the battle will shift toward behavioral analytics and continuous access evaluation. If your security stack still treats a “successful MFA login” as a permanent green light for the session, you are already vulnerable. The only way forward is a rigorous audit of all OAuth grants and a ruthless pruning of third-party app permissions. If you haven’t audited your Graph API permissions in the last 30 days, you are essentially leaving the back door unlocked for the next PhaaS iteration.
Disclaimer: The technical analyses and security protocols detailed in this article are for informational purposes only. Always consult with certified IT and cybersecurity professionals before altering enterprise networks or handling sensitive data.
