
New EvilTokens Service Fuels Microsoft Device Code Phishing Campaign

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

A newly identified service known as EvilTokens is driving a surge in phishing attacks targeting Microsoft device codes, security researchers reported Tuesday. The service, which facilitates the theft of authentication credentials, represents a significant evolution in cybercriminal tactics aimed at compromising corporate and personal accounts.

The operation, detected on April 1, 2026, uses a sophisticated infrastructure to intercept Microsoft device codes used during the authentication process. These codes are typically required when users sign in to Microsoft services on new devices or browsers. By capturing these codes, attackers can bypass standard security measures and gain unauthorized access to email, cloud storage, and enterprise systems.

EvilTokens operates by hosting phishing pages that mimic legitimate Microsoft login portals. When a victim enters their device code on the fraudulent site, the service captures the submitted credentials and relays them to the attackers. This method lets cybercriminals authenticate as the legitimate user without stealing the password directly, effectively neutralizing multi-factor authentication protections.

The service has been linked to a broader campaign affecting organizations across multiple sectors. While the specific geographic origin of the operators remains unknown, the infrastructure appears to be distributed across various jurisdictions to evade detection. Security experts note that the sophistication of the phishing pages and the speed of credential harvesting indicate a well-resourced threat actor.

Microsoft has not yet issued a public statement regarding the specific EvilTokens service, though the company regularly advises users to remain vigilant against phishing attempts. The tech giant recommends that users verify the authenticity of login prompts and avoid entering device codes on unverified websites. Enterprise customers are encouraged to implement additional monitoring for suspicious authentication activities.
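As an added illustration of the monitoring the paragraph above recommends (example code written for this page, not from Microsoft or any security vendor), the script below flags successful device-code sign-ins whose source IP or country does not match the user's baseline of ordinary sign-ins. It assumes records shaped like Microsoft Entra ID sign-in log entries (the field names `authenticationProtocol`, `ipAddress`, `location.countryOrRegion` and `status.errorCode` are real; the users, addresses and countries are constructed for the example).

```python
from collections import defaultdict

# Constructed sample records, shaped like Microsoft Entra ID sign-in log entries
# (field names are real; users, IPs and countries are made up for this example).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.9", "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}},
]

def succeeded(rec):
    # errorCode 0 means the sign-in was granted; failed attempts are not alerted on here
    return rec.get("status", {}).get("errorCode", 0) == 0

def baseline_by_user(records):
    """Per user: IPs and countries seen on successful, non-device-code sign-ins."""
    base = defaultdict(lambda: {"ips": set(), "countries": set()})
    for rec in records:
        if rec["authenticationProtocol"] != "deviceCode" and succeeded(rec):
            b = base[rec["userPrincipalName"]]
            b["ips"].add(rec["ipAddress"])
            b["countries"].add(rec["location"]["countryOrRegion"])
    return base

def flag_device_code_signins(records):
    """Alert on successful device-code sign-ins that do not fit the user's baseline.
    When a device code is phished, the token is redeemed from the attacker's device,
    so the sign-in record carries an IP and location the user never used."""
    base = baseline_by_user(records)
    alerts = []
    for rec in records:
        if rec["authenticationProtocol"] != "deviceCode" or not succeeded(rec):
            continue
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        country = rec["location"]["countryOrRegion"]
        reasons = []
        if user not in base:
            reasons.append("no_baseline")  # device code is this user's only auth path: review manually
        else:
            if ip not in base[user]["ips"]:
                reasons.append("new_ip")
            if country not in base[user]["countries"]:
                reasons.append("new_country")
        if reasons:
            alerts.append({"user": user, "ipAddress": ip, "country": country, "reasons": reasons})
    return alerts
```

Bob's device-code sign-in from an address already in his baseline is not flagged, while Alice's (new IP and country) and Carol's (no baseline at all) are; Dave's failed attempt is skipped.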

The emergence of EvilTokens highlights the ongoing challenge of securing authentication mechanisms against evolving threats. As attackers continue to refine their methods, the reliance on device codes for verification remains a critical vulnerability. Security firms are currently tracking the service's activity and working to disrupt its operations.

Questions remain regarding the full scope of the campaign and the number of compromised accounts. The identity of the group behind EvilTokens has not been disclosed, and no arrests or takedowns have been announced. As the investigation continues, organizations are urged to review their security protocols and educate employees on the risks of device code phishing.