{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-forms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Microsoft Forms","Cisco email security","Trend Micro email security","Mimecast email security","Railway Platform-as-a-Service","DocuSign"],"_cs_severities":["high"],"_cs_tags":["phishing","device code phishing","AI","Telegram"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Trend Micro","Mimecast","Railway","DocuSign"],"content_html":"\u003cp\u003eThe EvilTokens platform represents a shift in the phishing landscape by offering phishing-as-a-service (PhaaS) on Telegram. This platform allows individuals with limited technical skills to conduct sophisticated device code phishing attacks. Sold for $1,500 plus a $500 maintenance fee, EvilTokens provides AI-generated lures, dynamic code generation, and post-compromise automation. The platform was used in a 16-day campaign starting on March 2, 2026, affecting 344 organizations across five countries. EvilTokens exploits a legitimate Microsoft authentication flow, making it difficult to detect with traditional security measures. The platform also leverages Railway, a legitimate Platform-as-a-Service (PaaS).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker purchases access to the EvilTokens PhaaS platform on Telegram for $1,500 + $500 maintenance.\u003c/li\u003e\n\u003cli\u003eAttacker uses EvilTokens to initiate a device code authentication process against a target service (e.g., Microsoft 365).\u003c/li\u003e\n\u003cli\u003eEvilTokens generates a personalized phishing email using AI, mimicking legitimate requests for construction bid proposals, DocuSign documents, or Microsoft Forms.\u003c/li\u003e\n\u003cli\u003eThe phishing email is sent to the victim, containing a link to a legitimate Microsoft page prompting for a device code.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link and enters the provided code, unwittingly authorizing the attacker\u0026rsquo;s session.\u003c/li\u003e\n\u003cli\u003eEvilTokens captures the valid session token through its backend infrastructure, relayed through Railway.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured session token to gain unauthorized access to the victim\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eAfter gaining access, EvilTokens can draft convincing wire fraud emails in the victim\u0026rsquo;s voice.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe EvilTokens campaign impacted 344 organizations across five countries in a 16-day period. Successful attacks result in unauthorized access to accounts, potentially leading to data theft, business email compromise, and financial fraud. The use of AI in generating personalized lures increases the likelihood of successful phishing attempts. Traditional email security solutions such as Cisco, Trend Micro, and Mimecast were unable to detect the attacks, as the emails and URLs appeared legitimate.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Microsoft 365 login events for unusual activity, such as logins originating from Railway infrastructure IPs, to detect potential EvilTokens attacks.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training to educate employees about device code phishing and the risks of entering codes from unsolicited emails.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Device Code Phishing via Railway Infrastructure\u0026rdquo; to identify suspicious login activity associated with the Railway PaaS.\u003c/li\u003e\n\u003cli\u003eBlock access to known EvilTokens infrastructure, if any are identified, at the network level.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual authentication flows or patterns that deviate from typical user behavior, especially those involving device code authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T21:01:23Z","date_published":"2026-05-14T21:01:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-eviltokens-phishing/","summary":"The EvilTokens phishing-as-a-service (PhaaS) platform sold on Telegram is capable of launching device code phishing attacks at scale, leveraging AI to generate convincing and personalized lures, enabling aspiring cybercriminals to bypass traditional security measures, including MFA.","title":"EvilTokens PhaaS Platform Leverages AI for Device Code Phishing Attacks","url":"https://feed.craftedsignal.io/briefs/2026-05-eviltokens-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft Forms","version":"https://jsonfeed.org/version/1.1"}