{
  "name": "New widespread EvilTokens kit: device code phishing as-a-service",
  "slug": "new-widespread-eviltokens-kit-device-code-phishing-as-a-service",
  "description": "EvilTokens is a new Phishing-as-a-Service offering a turnkey Microsoft device code phishing kit. It enables attackers to harvest access and refresh tokens, granting unauthorized access to victims' Microsoft accounts. The kit supports post-compromise operations, allowing data exfiltration from various Microsoft services. EvilTokens has been rapidly adopted by cybercriminals since March 2026, impacting organizations globally. The service provides advanced capabilities for account takeover, including token conversion to Primary Refresh Tokens and browser cookies for persistent access. Phishing campaigns using EvilTokens target employees in finance, HR, logistics, and sales, primarily for Business Email Compromise attacks.",
  "published": "2026-03-31T14:14:29+00:00",
  "created_at": "2026-03-31T14:14:29+00:00",
  "modified_at": "2026-03-31T16:49:19+00:00",
  "created_at_opencti": "2026-03-31T14:14:29+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-31",
    "account takeover",
    "business email compromise",
    "device code phishing",
    "eviltokens",
    "microsoft 365",
    "oauth 2.0",
    "phishing-as-a-service",
    "token harvesting"
  ],
  "related_entities": {
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "7e3e3784-9547-42ca-b888-482972d14be3",
        "name": "T1528"
      },
      {
        "id": "c9de6d3f-08cf-448d-8b9f-9aeff59fc48f",
        "name": "T1550"
      },
      {
        "id": "5a32ed20-a829-486a-a501-df0874217745",
        "name": "T1537"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "6660b66c-3909-4927-a22f-c6d2b806b06a",
        "name": "T1530"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "9ea66d8f-e2d8-4ff4-9475-71b2008fb4df",
        "name": "T1526"
      },
      {
        "id": "3245033a-53c4-454c-873a-fb653af0bf8a",
        "name": "T1552"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "United Arab Emirates"
      },
      {
        "id": "",
        "name": "Australia"
      },
      {
        "id": "",
        "name": "Canada"
      },
      {
        "id": "",
        "name": "France"
      },
      {
        "id": "",
        "name": "Switzerland"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Manufacturing"
      },
      {
        "id": "",
        "name": "Transportation"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "pelangiservice.com"
      },
      {
        "id": "",
        "name": "yankeepine.co"
      },
      {
        "id": "",
        "name": "xlkconsulting.co.za"
      },
      {
        "id": "",
        "name": "authdocspro.com"
      },
      {
        "id": "",
        "name": "framebound.cloud"
      },
      {
        "id": "",
        "name": "smstltle.net"
      },
      {
        "id": "",
        "name": "thesafarigarden.com"
      },
      {
        "id": "",
        "name": "backdoor-hub.com"
      },
      {
        "id": "",
        "name": "totalhomesafe.com"
      },
      {
        "id": "",
        "name": "well.atlantaperlnatal.com"
      },
      {
        "id": "",
        "name": "promanager.outboundciwidey.com"
      },
      {
        "id": "",
        "name": "carbatterygurgaon.com"
      },
      {
        "id": "",
        "name": "suctwocesonesstory.com"
      },
      {
        "id": "",
        "name": "newmobilepolojean.com"
      },
      {
        "id": "",
        "name": "evobothub.org"
      },
      {
        "id": "",
        "name": "prcservis.com"
      },
      {
        "id": "",
        "name": "signaturerequired.thecoolcactus.com"
      },
      {
        "id": "",
        "name": "serenitygovsupplys.com"
      },
      {
        "id": "",
        "name": "mirzanyapi.com"
      },
      {
        "id": "",
        "name": "docusend.networkssolutionmail.com"
      },
      {
        "id": "",
        "name": "infinitechai.org"
      },
      {
        "id": "",
        "name": "careldutoit-el.co.za"
      },
      {
        "id": "",
        "name": "eqfit.co.za"
      },
      {
        "id": "",
        "name": "eventcalender-schedule.com"
      },
      {
        "id": "",
        "name": "internalmemorecord.bxwancheng.com"
      },
      {
        "id": "",
        "name": "bumpgames.net"
      },
      {
        "id": "",
        "name": "update.youcreadio.cfd"
      },
      {
        "id": "",
        "name": "macmamo.com"
      },
      {
        "id": "",
        "name": "mirsanotolastik.com"
      },
      {
        "id": "",
        "name": "statushelper.aguasomos.com"
      },
      {
        "id": "",
        "name": "topbuysella.com"
      },
      {
        "id": "",
        "name": "notificationsmanagersec.com"
      },
      {
        "id": "",
        "name": "youremplregroup.com"
      }
    ]
  },
  "external_refs": [
    "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1",
    "https://otx.alienvault.com/pulse/69cbf2e593a215d1c46c988a"
  ]
}