#TDR analysts uncovered an emerging Phishing-as-a-Service (#PhaaS) platform called #EvilTokens, which offers device code phishing pages and AI-augmented features to automate and scale #BEC workflows.
⬇️
blog.sekoia.io/new-widespre...

New widespread EvilTokens kit: device code phishing as-a-service - Part 1 Uncover the new sophisticated EvilTokens device code phishing as-a-service, with AI-augmented features facilitating BEC fraud

In early March 2026, we uncovered #EvilTokens, a new #PhaaS offering device code phishing pages and AI-driven features to automate and scale BEC workflows.

Part 1 of our analysis provides a technical analysis of the EvilTokens kit ⬇️

blog.sekoia.io/new-widespre...

EvilTokens: New Device Code PhaaS

~Sekoia~
EvilTokens is a new PhaaS kit automating Microsoft device code phishing to bypass MFA and execute BEC attacks.
-
IOCs: authdocspro. com, backdoor-hub. com, bumpgames. net
-
#EvilTokens #PhaaS #Phishing #threatintel

Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure | Huntress Huntress linked a large-scale Microsoft 365 device-code phishing campaign to the EvilTokens Phishing-as-a-Service ecosystem and Railway.com PaaS infrastructure, which provided token-harvesting backends and scalable phishing tooling. The campaign used multi-hop redirect chains and trusted third-party services (including Cloudflare workers and email-security URL rewriters) to evade filters, prompting Huntress to block Railway IP ranges and push Conditional Access mitigations. #EvilTokens #Railway

Huntress links large Microsoft 365 device-code phishing campaign to EvilTokens PhaaS using Railway.com PaaS for token harvesting and scalable phishing. Multi-hop redirects and trusted services helped evade filters. #EvilTokens #PhishingTools #USA