Blog.Talosintelligence
EvilTokens Phishing Kit Exploits Microsoft 365 with AI-Driven BEC Tactics
In March 2026, the EvilTokens phishing kit emerged as a significant threat, allowing cybercriminals to bypass multi-factor authentication (MFA) and compromise Microsoft 365 accounts. This Phishing-as-a-Service (PhaaS) platform utilizes Microsoft's OAuth 2.0 Device Authorization Grant to capture victim tokens, enabling Business Email Compromise (BEC) attacks. The platform has rapidly gained traction, with Microsoft reporting hundreds of organizations compromised daily. Cisco Talos identified an affiliate panel named ARToken, which enhances EvilTokens' capabilities by incorporating AI for personalized lures and automated post-compromise actions. The phishing campaigns have increased by 1,380% compared to the previous year, with targeted emails leveraging real vendor relationships to deceive victims. The attack method involves sending emails that appear legitimate but redirect to attacker-controlled Microsoft 365 workspaces. Current assessments indicate that EvilTokens and its affiliates are continuously evolving their tactics, posing a serious threat to organizations using Microsoft 365.
Key Points:
• EvilTokens allows bypassing MFA to compromise Microsoft 365 accounts.
• The platform has seen a 1,380% increase in phishing attacks in 2026.
• ARToken enhances EvilTokens with AI-driven BEC capabilities and targeted lures.
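A defender-side check for the device code abuse described above, as an added example that is not from the Talos article: it flags successful device-code sign-ins for user and app pairs that never completed that flow during a baseline period. The records are constructed, and the field names assume the Microsoft Graph signIn schema (authenticationProtocol is a beta-schema field).

```python
from datetime import datetime

# Constructed sample sign-in records (not real data). Field names are assumed
# to follow the Microsoft Graph signIn resource.
SIGNINS = [
    {"createdDateTime": "2026-03-01T08:00:00Z", "userPrincipalName": "svc-kiosk@example.com",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.10",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-19T09:12:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.25",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-20T08:00:00Z", "userPrincipalName": "svc-kiosk@example.com",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.10",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-20T14:03:00Z", "userPrincipalName": "Alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.77",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-20T15:30:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.77",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 99999}},
]

def _ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _is_device_code_success(rec):
    """True only for completed sign-ins (errorCode 0) made through the device code grant."""
    return (rec.get("authenticationProtocol") == "deviceCode"
            and rec.get("status", {}).get("errorCode") == 0)

def _key(rec):
    # UPNs are case-insensitive, so normalise before comparing.
    return (rec["userPrincipalName"].lower(), rec["appDisplayName"])

def new_device_code_signins(records, cutoff):
    """Return successful device-code sign-ins at or after `cutoff` for
    (user, app) pairs with no successful device-code sign-in before it."""
    cutoff_ts = _ts(cutoff)
    hits = [r for r in records if _is_device_code_success(r)]
    baseline = {_key(r) for r in hits if _ts(r["createdDateTime"]) < cutoff_ts}
    fresh = [r for r in hits
             if _ts(r["createdDateTime"]) >= cutoff_ts and _key(r) not in baseline]
    return sorted(fresh, key=lambda r: _ts(r["createdDateTime"]))

if __name__ == "__main__":
    for r in new_device_code_signins(SIGNINS, "2026-03-15T00:00:00Z"):
        print(r["createdDateTime"], r["userPrincipalName"], r["appDisplayName"], r["ipAddress"])
```

Accounts that legitimately use the device code grant (kiosks, CLI tooling) fall into the baseline and stay quiet, so the output is a short review queue of first-time device-code sign-ins.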