EvilTokens Phishing Campaign Utilizes AI and Cloud Infrastructure
Severity: High (Score: 66.5)
Sources: Tipranks
Summary
In February 2026, Huntress reported a large-scale phishing campaign named EvilTokens that exploited AI-generated lures and legitimate Microsoft authentication flows. The attackers reportedly used cloud infrastructure from AWS and Cloudflare to harvest access tokens at scale. This operation highlights the increasing sophistication of phishing techniques, leveraging role-specific lures to target users effectively.

Huntress is hosting a live event on May 5, 2026, featuring a Microsoft Threat Intelligence representative to discuss the incident and potential defensive measures. The collaboration with Microsoft indicates Huntress's strategy to enhance its brand as a leader in detecting advanced cyber threats. The incident may lead to increased demand for managed detection and response services as organizations seek to bolster their defenses against such sophisticated attacks. The focus on education and incident analysis could also improve relationships with enterprise security teams.

Key Points:
- The EvilTokens campaign utilized AI-generated phishing lures and cloud infrastructure.
- Attackers exploited legitimate Microsoft authentication flows to harvest access tokens.
- A live event on May 5 will discuss the incident and defensive strategies.
Key Entities
- Phishing (attack_type)
- EvilTokens (tool)
- T1566 - Phishing (mitre_attack)
- AWS (company)
- Cloudflare (company)
- Railway (platform)