
Introduction:
A new Phishing-as-a-Service (PhaaS) platform called EvilTokens is weaponizing stolen Microsoft 365 authentication tokens and large language models to automate Business Email Compromise (BEC) at an unprecedented scale. First observed on Telegram in mid‑February 2026, this turnkey operation combines device‑code phishing, AI‑generated spear‑phishing content, and stolen session tokens to bypass traditional MFA and trick even security‑aware users.
Learning Objectives:
- Understand how EvilTokens uses device‑code phishing and AiTM techniques to steal Microsoft 365 refresh tokens.
- Learn to detect token replay attacks and AI‑generated BEC emails using log analysis and behavioural indicators.
- Implement conditional access policies, token protection, and Cloudflare Workers hardening to mitigate PhaaS‑driven BEC.
You Should Know:
1. Device‑Code Phishing – How EvilTokens Steals Tokens Without Passwords
EvilTokens automates device‑code phishing, a technique that abuses OAuth 2.0 device authorization flows. The attacker initiates a device‑code request to login.microsoftonline.com, obtains a user code and verification URI, then tricks the victim into entering that code on a legitimate Microsoft login page. Once the victim authenticates (including MFA), the attacker exchanges the device code for a refresh token and access token.
Step‑by‑step guide to simulate and detect device‑code abuse (for blue teams):
Linux/macOS (using cURL and jq):
# Simulate device code request (authorized test tenant only)
curl -X POST https://login.microsoftonline.com/common/oauth2/v2.0/devicecode \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=YOUR_TEST_CLIENT_ID&scope=openid%20profile%20offline_access"
# Response contains user_code, device_code, verification_uri
# Attacker then sends user_code to victim via phishing email
# Poll for token (attacker side)
curl -X POST https://login.microsoftonline.com/common/oauth2/v2.0/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=YOUR_TEST_CLIENT_ID&device_code=DEVICE_CODE_FROM_STEP1"
Detection (Azure AD Sign-in logs):
- Look for `Device code authentication` as the authentication requirement.
- Unusual `client app` names not recognized in your environment.
- PowerShell query:
$KnownGoodApps = @("Microsoft Azure CLI")   # replace with your allow-list of apps expected to use device code
# OData filter: the nested property is status/errorCode, not "status errorCode"
Get-AzureADAuditSignInLogs -Filter "authenticationRequirement eq 'Device code authentication' and status/errorCode eq 0" |
  Where-Object { $_.AppDisplayName -notin $KnownGoodApps }
Windows (Event Viewer):
- Event ID 1216 (AD FS) or 1203 (Device Authentication).
- Correlate with unexpected geographical locations.
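The same checks as the PowerShell query above, as an added Python example (not from the original post) that runs over exported sign-in records: it assumes the export keeps the Microsoft Graph signIn fields `authenticationProtocol` (value `deviceCode` for this flow), `appDisplayName`, `status.errorCode`, `location.countryOrRegion` and `userAgent`; the records and allow-lists are constructed.

```python
import json

# Constructed sample of three records in the Microsoft Graph signIn shape (not real log data)
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "authorizationCode", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "GB"}, "userAgent": "Mozilla/5.0 (Windows NT 10.0)"},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Unknown App",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "NG"}, "userAgent": "python-requests/2.31"},
    {"userPrincipalName": "carol@example.test", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "GB"}, "userAgent": "azure-cli/2.55"},
])

KNOWN_GOOD_APPS = {"Microsoft Office", "Microsoft Azure CLI"}   # apps you expect to use device code
EXPECTED_COUNTRIES = {"GB"}                                      # where your users normally sign in from
SCRIPTED_UA_PREFIXES = ("python-requests/", "curl/", "Go-http-client/")

def score_signin(rec: dict) -> list:
    """Return the reasons a successful device-code sign-in looks suspicious (empty = nothing tripped).
    Non-device-code and failed sign-ins are out of scope here and return []."""
    reasons = []
    if rec.get("authenticationProtocol") != "deviceCode":
        return reasons
    if (rec.get("status") or {}).get("errorCode") != 0:
        return reasons
    if rec.get("appDisplayName") not in KNOWN_GOOD_APPS:
        reasons.append("app not on device-code allow-list")
    if (rec.get("location") or {}).get("countryOrRegion") not in EXPECTED_COUNTRIES:
        reasons.append("unexpected country")
    if (rec.get("userAgent") or "").startswith(SCRIPTED_UA_PREFIXES):
        reasons.append("scripted user agent")
    return reasons

def find_suspicious(signins_json: str) -> dict:
    """Map userPrincipalName -> reasons for every record that tripped at least one rule."""
    hits = {}
    for rec in json.loads(signins_json):
        reasons = score_signin(rec)
        if reasons:
            hits[rec["userPrincipalName"]] = reasons
    return hits

if __name__ == "__main__":
    for upn, why in find_suspicious(SAMPLE_SIGNINS).items():
        print(f"{upn}: {'; '.join(why)}")   # only bob@example.test is reported, with three reasons
```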
2. AI‑Supercharged BEC – From Stolen Tokens to Personalized Fraud
Once EvilTokens obtains a valid refresh token, it uses custom large language models to analyze the victim’s mailbox (via Microsoft Graph API, using the stolen token) and generate highly convincing BEC emails. The AI extracts email threads, signature blocks, and common phrases to impersonate executives or trusted partners.
Step‑by‑step guide to inspect suspicious Graph API calls:
Linux (inspect token scopes and claims):
# Decode the JWT access token payload: segments are base64url without padding, so fix the alphabet and pad before base64 -d
echo "YOUR_JWT_TOKEN" | cut -d'.' -f2 | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d | jq -r '.scp'
# Delegated tokens list scopes in the space-separated "scp" claim (app-only tokens use "roles" instead)
# Look for Mail.Read, Mail.Send, Files.ReadWrite – abuse indicators
Windows (PowerShell – invoke Graph REST API to audit recent mail activity):
$Token = "YOUR_EXFILTRATED_TOKEN"
$Headers = @{Authorization = "Bearer $Token"}
# Check recent email sends
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me/mailFolders/sentitems/messages?`$top=10&`$orderby=receivedDateTime desc" -Headers $Headers
Mitigation commands (Exchange Online, Azure AD):
- Revoke all refresh tokens for a compromised user:
Revoke-AzureADUserAllRefreshToken -ObjectId "[email protected]"
- Block legacy protocols that bypass token binding:
New-AuthenticationPolicy -Name "Block Basic Auth"   # Set-CASMailbox has no -BlockLegacyAuth; a new policy disables all AllowBasicAuth* protocols by default
Set-User -Identity "[email protected]" -AuthenticationPolicy "Block Basic Auth"
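Added Python example (not from the post) of the token inspection above: it decodes a JWT payload with correct base64url padding and returns the scopes EvilTokens abuses. The token is constructed and unsigned, and `RISKY_SCOPES` is an assumed watch-list built from the Graph permissions the text names.

```python
import base64
import json

RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite", "Files.ReadWrite.All"}

def b64url_decode(segment: str) -> bytes:
    """base64url -> bytes; JWT segments drop the '=' padding, so restore it first."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def jwt_payload(token: str) -> dict:
    """Parse the claims of a compact JWS without verifying it (inspection only, never trust)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def granted_scopes(claims: dict) -> set:
    """Delegated tokens carry 'scp' (space separated); app-only tokens carry a 'roles' list."""
    scopes = set(claims.get("scp", "").split())
    scopes.update(claims.get("roles", []))
    return scopes

def risky_scopes(token: str) -> set:
    """Scopes in the token that would let a thief read or send mail / touch files."""
    return granted_scopes(jwt_payload(token)) & RISKY_SCOPES

def make_fake_jwt(claims: dict) -> str:
    """Build an UNSIGNED token for testing only (empty signature segment)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed sample claims mirroring a delegated Graph token obtained via device code
SAMPLE_TOKEN = make_fake_jwt({
    "aud": "https://graph.microsoft.com", "upn": "alice@example.test",
    "scp": "openid profile offline_access Mail.Read Mail.Send User.Read",
    "appid": "00000000-0000-0000-0000-000000000000"})

if __name__ == "__main__":
    print(sorted(risky_scopes(SAMPLE_TOKEN)))   # ['Mail.Read', 'Mail.Send']
```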
3. Cloudflare Workers as PhaaS Delivery – Blocking Malicious Workers
EvilTokens deploys phishing landing pages and token‑exfiltration endpoints to Cloudflare Workers, leveraging free tiers and ephemeral subdomains. Attackers automate worker creation via Telegram bots.
Step‑by‑step guide to identify and block malicious Cloudflare Workers:
Linux (enumerate worker subdomains via DNS and HTTP headers):
# Check for workers.dev subdomains in your mail logs (dots escaped; worker URLs have two labels, e.g. name.account.workers.dev)
grep -E "https?://([a-z0-9-]+\.)+workers\.dev" /var/log/mail.log
# Curl suspicious worker and inspect headers
curl -I https://suspicious-example.workers.dev/phish
# Look for "CF-Worker" or "cf-ray" headers
Windows (PowerShell – block via firewall or proxy):
# The hosts file has no wildcard support, so ".workers.dev" blocks nothing; add each observed hostname explicitly
Add-Content -Path "$env:windir\System32\drivers\etc\hosts" -Value "0.0.0.0 suspicious-example.workers.dev"
# For the whole domain pattern use the Edge/Chrome URLBlocklist GPO or your proxy/DNS filter instead
Cloudflare WAF rule (if you are a Cloudflare customer):
{
"action": "block",
"expression": "http.request.uri.path contains \"/token\" and http.host ends_with \".workers.dev\""
}
4. Token Binding and Conditional Access Hardening
Microsoft 365 token binding (Primary Refresh Token – PRT) binds tokens to the device. EvilTokens often fails when token binding is enforced, but many tenants have it disabled. Enable it via Intune and Conditional Access policies.
Step‑by‑step guide to enforce token protection:
Azure AD / Entra ID portal (web UI):
1. Navigate to Protection > Conditional Access > Named locations.
2. Mark corporate networks as trusted.
3. Create a new CA policy:
- Users: All
- Cloud apps: Office 365
- Conditions: Any device (but require compliant device)
- Grant: Require device to be marked as compliant and Require Hybrid Azure AD joined device.
- Session: Use app enforced restrictions and Token protection (preview).
PowerShell (automate CA policy for token protection):
# Requires the AzureADPreview module; a Users condition is mandatory and the grant operator property is named "_Operator"
New-AzureADMSConditionalAccessPolicy -DisplayName "Block Token Replay" -State "enabled" `
  -Conditions @{ Users = @{ IncludeUsers = "All" }; Applications = @{ IncludeApplications = "Office365" } } `
  -GrantControls @{ BuiltInControls = @("compliantDevice", "domainJoinedDevice"); _Operator = "AND" }
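Added example, not code from the post or from Microsoft: a linter for Conditional Access policies exported as Graph `conditionalAccessPolicy` JSON, checking the settings in the steps above. It assumes token protection appears as the beta `sessionControls.secureSignInSession` control (verify against your tenant's schema); the two sample policies are constructed.

```python
import json

REQUIRED_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

def policy_gaps(policy: dict) -> list:
    """Return human-readable gaps; an empty list means the policy matches the hardening baseline."""
    gaps = []
    cond = policy.get("conditions") or {}
    users, apps = cond.get("users") or {}, cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    session = policy.get("sessionControls") or {}
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r}, not 'enabled'")
    if "All" not in users.get("includeUsers", []):
        gaps.append("does not target all users")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        gaps.append("has user/group exclusions (review each one)")
    if not {"Office365", "All"} & set(apps.get("includeApplications", [])):
        gaps.append("does not cover the Office 365 app group")
    controls = set(grant.get("builtInControls") or [])
    missing = REQUIRED_CONTROLS - controls
    if missing:
        gaps.append("missing grant controls: " + ", ".join(sorted(missing)))
    if len(controls) > 1 and grant.get("operator") != "AND":
        gaps.append("grant operator is OR, so any single control satisfies the policy")
    if not (session.get("secureSignInSession") or {}).get("isEnabled"):
        gaps.append("token protection (secureSignInSession) not enabled")
    return gaps

def lint_export(export_json: str) -> dict:
    return {p["displayName"]: policy_gaps(p) for p in json.loads(export_json)}

# Constructed sample export: one weak policy, one that meets the baseline (not real tenant data)
SAMPLE_EXPORT = json.dumps([
    {"displayName": "Legacy MFA only", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-id"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
     "sessionControls": None},
    {"displayName": "Block Token Replay", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["Office365"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
     "sessionControls": {"secureSignInSession": {"isEnabled": True}}},
])

if __name__ == "__main__":
    for name, gaps in lint_export(SAMPLE_EXPORT).items():
        print(name, "->", gaps or "OK")   # the weak policy lists five gaps, the hardened one prints OK
```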
5. Hunting EvilTokens Infrastructure on Telegram and the Web
The operator “eviltokensadmin” uses Telegram for payments, affiliate management, and anti‑bot services. Blue teams can hunt for infrastructure by monitoring Telegram channels (OSINT) and analyzing domain registrations.
Step‑by‑step guide to extract IoCs from Telegram (legal OSINT only):
Linux (using Telethon Python library):
from telethon import TelegramClient

api_id = YOUR_API_ID
api_hash = 'YOUR_API_HASH'
client = TelegramClient('session', api_id, api_hash)

# iter_messages is asynchronous, so it has to run inside a coroutine on the client's event loop
async def main():
    async for message in client.iter_messages('eviltokens_channel', limit=50):
        text = message.text or ''   # media-only messages have no text
        if 'workers.dev' in text or 'login.microsoftonline.com' in text:
            print(text)

with client:   # starts the client (prompts for login on first run) and disconnects on exit
    client.loop.run_until_complete(main())
Commands to extract URLs from logs:
grep -Eo '(http|https)://[^/"]+/token' /var/log/nginx/access.log | sort -u
Windows (Sysmon Event ID 22 – DNS query):
- Filter for `workers.dev` or `azurewebsites.net` domains.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=22} | Where-Object { $_.Message -match "workers\.dev|azurewebsites\.net" }
6. Incident Response – Revoking Stolen Tokens and Resetting Sessions
When a stolen token is detected, immediate containment requires revoking all tokens, resetting user sessions, and rotating secrets.
Step‑by‑step IR commands:
Azure AD PowerShell:
# Revoke all refresh tokens for the user (every existing session must re-authenticate)
Revoke-AzureADUserAllRefreshToken -ObjectId "[email protected]"
# Confirm the revocation took effect: the validity timestamp should now be the current time
Get-AzureADUser -ObjectId "[email protected]" | Select-Object UserPrincipalName, RefreshTokensValidFromDateTime
# Do not pipe the user into Revoke-AzureADSignedInUserAllRefreshToken: it only acts on the admin account running the command
Exchange Online (remove active mailbox rules created by attacker):
Connect-ExchangeOnline
# Match on the rule actions (forward, redirect, delete) rather than the free-text description
Get-InboxRule -Mailbox "[email protected]" |
  Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
  Remove-InboxRule -Confirm:$false
Linux (using `curl` to revoke a user’s sessions through Microsoft Graph):
# revokeSignInSessions invalidates all refresh tokens (and browser session cookies) for the user; needs an admin
# token with User.RevokeSessions.All. The v2.0 /logout endpoint is browser sign-out and does not accept refresh_token.
curl -X POST "https://graph.microsoft.com/v1.0/users/[email protected]/revokeSignInSessions" \
  -H "Authorization: Bearer ADMIN_ACCESS_TOKEN" \
  -H "Content-Length: 0"
What Undercode Say:
- EvilTokens proves that token theft + AI lowers the barrier for BEC, making it accessible to low‑skill actors.
- Traditional MFA is useless against device‑code phishing; token binding and Conditional Access are the true safeguards.
- Blue teams must monitor for anomalous Graph API calls (Mail.Read, Mail.Send) and unexpected `workers.dev` domains.
- Affiliate‑style PhaaS models are rising – expect more Telegram‑driven platforms with anti‑bot and payment automation.
- Proactive token revocation and session hardening (Revoke-AzureADUserAllRefreshToken) should be part of every IR playbook.
- Cloudflare Workers are a dual‑use infrastructure; organizations should block `.workers.dev` unless explicitly needed.
- AI‑generated BEC emails can defeat language‑based filters; focus on behavioural indicators (login time, device, token reuse).
- Regular audits of Azure AD sign‑in logs for “Device code authentication” can catch early compromise attempts.
- Combining SIEM alerts for token replay with user‑agent anomalies (e.g., python-requests/2.x) improves detection.
- The future of PhaaS will integrate real‑time AI personalization – defenders must adopt zero‑trust for tokens, not just passwords.
Prediction:
Within 12 months, PhaaS platforms like EvilTokens will incorporate real‑time LLM‑based conversation simulation, enabling attackers to engage in live email dialogues with victims. This will drive widespread adoption of token binding, continuous access evaluation (CAE), and mandatory device compliance policies across Microsoft 365 tenants. Simultaneously, we will see the rise of anti‑PhaaS services that proactively crawl Telegram and Cloudflare Workers to pre‑block malicious token‑exfiltration endpoints, turning the battle into an automated arms race between AI‑driven attackers and AI‑driven defenders.
Reported By: Cybersecuritynews Gbhackers – Hackers Feeds