EvilTokens Phishing Kit Exploits Microsoft 365 with AI-Driven BEC Tactics


First seen 1 Jul 2026, 10:45 UTC. Sources: Cyberscoop, Blog.Talosintelligence, Theregister, www.sekoia.com, Feeds.Feedburner, +1
In March 2026, the EvilTokens phishing kit emerged as a significant threat, allowing cybercriminals to bypass multi-factor authentication (MFA) and compromise Microsoft 365 accounts. This Phishing-as-a-Service (PhaaS) platform utilizes Microsoft's OAuth 2.0 Device Authorization Grant to capture victim tokens, enabling Business Email Compromise (BEC) attacks. The platform has rapidly gained traction, with Microsoft reporting hundreds of organizations compromised daily. Cisco Talos identified an affiliate panel named ARToken, which enhances EvilTokens' capabilities by incorporating AI for personalized lures and automated post-compromise actions. The phishing campaigns have increased by 1,380% compared to the previous year, with targeted emails leveraging real vendor relationships to deceive victims. The attack method involves sending emails that appear legitimate but redirect to attacker-controlled Microsoft 365 workspaces. Current assessments indicate that EvilTokens and its affiliates are continuously evolving their tactics, posing a serious threat to organizations using Microsoft 365.

Key Points:
• EvilTokens allows bypassing MFA to compromise Microsoft 365 accounts.
• The platform has seen a 1,380% increase in phishing attacks in 2026.
• ARToken enhances EvilTokens with AI-driven BEC capabilities and targeted lures.
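
A defender-side hunting sketch for the Device Authorization Grant abuse summarized above, added here as an example and not taken from Sekoia, Talos, Microsoft or this page's sources. It flags successful device-code sign-ins by accounts that are not expected to use that flow. The sample records are constructed, and the field names (modelled on the Microsoft Graph signIn resource), the allowlist and the 30-day baseline are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sign-in records (not real data). Field names are modelled on the
# Microsoft Graph signIn resource and are an assumption; map them to your export.
FIELDS = ("createdDateTime", "userPrincipalName", "authenticationProtocol", "errorCode", "ipAddress")
SIGNINS = [
    ("2026-06-01T08:00:00Z", "room-panel@example.com", "deviceCode", 0, "198.51.100.10"),
    ("2026-06-20T09:12:00Z", "dev1@example.com", "deviceCode", 0, "198.51.100.22"),
    ("2026-07-01T10:02:00Z", "alice@example.com", "oAuth2", 0, "198.51.100.30"),
    ("2026-07-01T10:41:00Z", "alice@example.com", "deviceCode", 0, "203.0.113.77"),
    ("2026-07-01T11:05:00Z", "bob@example.com", "deviceCode", 1, "203.0.113.77"),  # non-zero = failed
    ("2026-07-02T07:30:00Z", "dev1@example.com", "deviceCode", 0, "198.51.100.22"),
    ("2026-07-02T08:00:00Z", "room-panel@example.com", "deviceCode", 0, "198.51.100.10"),
]
# Hypothetical allowlist: accounts on input-constrained devices that need this flow.
ALLOWED = {"room-panel@example.com"}

def hunt_device_code(rows, allowed_users, baseline=timedelta(days=30)):
    """Return findings for successful device-code sign-ins by non-allowlisted users."""
    events = sorted((dict(zip(FIELDS, r)) for r in rows), key=lambda e: e["createdDateTime"])
    last_seen = {}  # user -> time of that user's previous successful device-code sign-in
    findings = []
    for e in events:
        if e["authenticationProtocol"] != "deviceCode" or e["errorCode"] != 0:
            continue
        user = e["userPrincipalName"].lower()
        when = datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        prev = last_seen.get(user)
        last_seen[user] = when
        if user in allowed_users:
            continue
        first_time = prev is None or when - prev > baseline  # no recent history of this flow
        findings.append({"user": user, "time": e["createdDateTime"], "ip": e["ipAddress"],
                         "severity": "high" if first_time else "medium"})
    return findings

if __name__ == "__main__":
    for finding in hunt_device_code(SIGNINS, ALLOWED):
        print(finding)
```

Where no account needs the device code flow, a Conditional Access policy that blocks it removes the need for this hunt; the allowlist here mirrors the exceptions such a policy would carry.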

ThreatCluster AI

Timeline

2026-03-25: EvilTokens first reported
Sekoia published findings on EvilTokens, detailing its phishing capabilities targeting Microsoft 365.
Source: Sekoia

2026-04: Microsoft confirms campaign scale
Microsoft reported that EvilTokens was compromising hundreds of organizations daily, with increased attack success rates.
Source: The Register

2026-04-20: Talos identifies ARToken panel
Cisco Talos discovered the ARToken panel, linked to EvilTokens, enhancing phishing operations with AI.
Source: Talos Intelligence

2026-07-01: EvilTokens attacks escalate
Cisco Talos reported a dramatic increase in EvilTokens phishing attacks, indicating a more sophisticated operational model.
Source: Cyberscoop
