EvilTokens PhaaS Platform Leverages AI for Device Code Phishing Attacks
The EvilTokens phishing-as-a-service (PhaaS) platform sold on Telegram is capable of launching device code phishing attacks at scale, leveraging AI to generate convincing and personalized lures, enabling aspiring cybercriminals to bypass traditional security measures, including MFA.
The EvilTokens platform represents a shift in the phishing landscape by offering phishing-as-a-service (PhaaS) on Telegram. This platform allows individuals with limited technical skills to conduct sophisticated device code phishing attacks. Sold for $1,500 plus a $500 maintenance fee, EvilTokens provides AI-generated lures, dynamic code generation, and post-compromise automation. The platform was used in a 16-day campaign starting on March 2, 2026, affecting 344 organizations across five countries. EvilTokens exploits a legitimate Microsoft authentication flow, making it difficult to detect with traditional security measures. The platform also leverages Railway, a legitimate Platform-as-a-Service (PaaS).
Attack Chain
- Attacker purchases access to the EvilTokens PhaaS platform on Telegram for $1,500 + $500 maintenance.
- Attacker uses EvilTokens to initiate a device code authentication process against a target service (e.g., Microsoft 365).
- EvilTokens generates a personalized phishing email using AI, mimicking legitimate requests for construction bid proposals, DocuSign documents, or Microsoft Forms.
- The phishing email is sent to the victim, containing a link to a legitimate Microsoft page prompting for a device code.
- The victim clicks the link and enters the provided code, unwittingly authorizing the attacker’s session.
- EvilTokens captures the valid session token through its backend infrastructure, relayed through Railway.
- The attacker uses the captured session token to gain unauthorized access to the victim’s account.
- After gaining access, EvilTokens can draft convincing wire fraud emails in the victim’s voice.
Impact
The EvilTokens campaign impacted 344 organizations across five countries in a 16-day period. Successful attacks result in unauthorized access to accounts, potentially leading to data theft, business email compromise, and financial fraud. The use of AI in generating personalized lures increases the likelihood of successful phishing attempts. Traditional email security solutions such as Cisco, Trend Micro, and Mimecast were unable to detect the attacks, as the emails and URLs appeared legitimate.
Recommendation
- Monitor Microsoft 365 login events for unusual activity, such as logins originating from Railway infrastructure IPs, to detect potential EvilTokens attacks.
- Implement user awareness training to educate employees about device code phishing and the risks of entering codes from unsolicited emails.
- Deploy the Sigma rule “Detect Device Code Phishing via Railway Infrastructure” to identify suspicious login activity associated with the Railway PaaS.
- Block access to known EvilTokens infrastructure, if any are identified, at the network level.
- Monitor for unusual authentication flows or patterns that deviate from typical user behavior, especially those involving device code authentication.
Detection coverage (2 rules)
Detect Device Code Phishing via Railway Infrastructure
Severity: medium. Detects suspicious login events originating from Railway infrastructure, potentially indicating EvilTokens device code phishing activity.
Detect High Volume of Authentication Failures followed by Success from Same IP
Severity: medium. Detects a high volume of authentication failures followed by a successful login from the same IP address within a short time frame, which could indicate an attacker attempting to brute-force credentials or bypass MFA using stolen session tokens from device code phishing.
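The two detections described above (device-code sign-ins completed from tracked hosting-provider addresses, and a burst of failures followed by a success from one IP) as an added Python example; this is not the platform's Sigma rules. It runs over constructed sign-in records whose field names mirror Entra ID SigninLogs (authenticationProtocol, resultType), and the hosting IP set is a placeholder you would fill from your own Railway egress list.

```python
"""Added example: two sign-in log checks over constructed Entra ID-style records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: replace with the PaaS egress addresses your team tracks.
SUSPECT_HOSTING_IPS = {"203.0.113.10"}  # TEST-NET-3 address, not a real indicator

def rec(time, user, ip, protocol, result_type):
    """Build a record shaped like the SigninLogs fields the checks need."""
    return {"time": datetime.strptime(time, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "ip": ip, "authenticationProtocol": protocol, "resultType": result_type}

# Constructed sample data. resultType 0 = success; 50126 = invalid credentials.
SAMPLE_SIGNINS = [
    rec("2026-03-02T09:00:00Z", "a.lee@example.com", "203.0.113.10", "deviceCode", 0),
    rec("2026-03-02T09:01:00Z", "c.ray@example.com", "192.0.2.5", "deviceCode", 0),
    rec("2026-03-02T09:02:00Z", "b.ng@example.com", "198.51.100.7", "none", 50126),
    rec("2026-03-02T09:03:00Z", "b.ng@example.com", "198.51.100.7", "none", 50126),
    rec("2026-03-02T09:04:00Z", "b.ng@example.com", "198.51.100.7", "none", 50126),
    rec("2026-03-02T09:05:00Z", "b.ng@example.com", "198.51.100.7", "none", 0),
    rec("2026-03-02T09:06:00Z", "d.oh@example.com", "192.0.2.9", "none", 50126),
    rec("2026-03-02T10:30:00Z", "d.oh@example.com", "192.0.2.9", "none", 0),
]

def device_code_from_suspect_ip(records):
    """Check 1: device-code sign-ins completed from a tracked hosting address."""
    return [r for r in records
            if r["authenticationProtocol"] == "deviceCode" and r["ip"] in SUSPECT_HOSTING_IPS]

def failures_then_success(records, min_failures=3, window=timedelta(minutes=10)):
    """Check 2: at least min_failures failed sign-ins followed by a success from
    the same IP inside a sliding window. Returns (ip, failure_count, user) tuples."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_ip[r["ip"]].append(r)
    hits = []
    for ip, events in by_ip.items():
        recent_failures = []
        for r in events:
            # Drop failures that have aged out of the window before this event.
            recent_failures = [t for t in recent_failures if r["time"] - t <= window]
            if r["resultType"] != 0:
                recent_failures.append(r["time"])
            elif len(recent_failures) >= min_failures:
                hits.append((ip, len(recent_failures), r["user"]))
                recent_failures = []
    return hits
```

Both checks are noisy on their own (a user mistyping a password three times is normal); the value is in correlating a hit from either with a device-code sign-in for the same account.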
Indicators of compromise (2 domains)
| Type | Value |
|---|---|
| domain | docusign.com |
| domain | microsoft.com |