EvilTokens: Turning OAuth Device Codes into Full-Scale BEC Operations
A phishing-as-a-service platform is exploiting Microsoft’s Device Code OAuth flow at scale, then weaponizing stolen tokens with AI-powered email intelligence to automate business email compromise.
April 3, 2026

Key Points
- EvilTokens is a productized phishing-as-a-service (PhaaS) platform that combines Microsoft 365 credential theft with a custom BEC webmail client, sold to operators via Telegram.
- The platform exploits Microsoft’s Device Code authentication flow to capture OAuth tokens after the target completes legitimate MFA.
- Post-compromise capabilities include an Outlook-clone BEC webmail client branded “MailVault,” with AI-powered email summarization using Meta’s LLaMA model, keyword alerting via Telegram, and send-as-target functionality.
- The platform operates as a multi-tenant SaaS—each customer receives an isolated environment, unique credentials, and their own pool of compromised accounts.
A growing number of phishing-as-a-service platforms are moving beyond simple credential theft to offer full-scale operational toolkits. EvilTokens is one of the most complete examples yet—a platform that exploits Microsoft's Device Code authentication flow to steal OAuth tokens, then pairs that access with AI-powered email intelligence to automate business email compromise from start to finish.
Here's what makes it dangerous and how the attack chain works.
The Attack Chain
EvilTokens uses a multi-stage attack chain designed to evade detection at every step.
Initial Access
Phishing emails are sent from compromised legitimate accounts—real Google Workspace or M365 mailboxes. Because the sending account is real, emails arrive with SPF PASS, DKIM PASS, and DMARC PASS. Lures impersonate payment confirmations, DocuSign requests, and Adobe document shares.
Bot Filtering & Gate Page
Links point to compromised legitimate websites—academic institutions, government sites—where a PHP bot filter validates JavaScript execution before redirecting to an email harvester gate page. Sandboxes and crawlers without JavaScript are trapped in a meta refresh loop, never reaching the payload.
The gate page (versioned v2.4.0, branded “Identity Verification”) collects the target’s email and passes it to a Cloudflare Worker. The template includes // <-- REPLACE WITH YOUR ACTUAL DOMAIN in its source—confirming it’s a kit distributed to EvilTokens customers. Multiple operators share the same compromised sites as gate infrastructure.
Encrypted Cloudflare Worker Payload
The Cloudflare Worker serves an AES-256-GCM encrypted HTML blob that decrypts client-side using the Web Crypto API. Key and IV rotate on every request—sandbox replays of captured HTML will fail to decrypt. Static analysis tools see only an encrypted blob.
Device Code Phishing
This is where EvilTokens diverges from traditional credential phishing, and it is part of a broader trend: we are seeing a massive increase in Device Code phishing across a number of Phishing-as-a-Service providers.
Instead of a fake login page, the decrypted payload displays a real Microsoft Device Code. This is a legitimate alphanumeric code generated through Microsoft’s Device Code OAuth flow. The target is instructed to visit microsoft[.]com/devicelogin and enter the code.
- EvilTokens C2 calls Microsoft's /devicecode endpoint → Microsoft returns a real device code
- Target enters the code on Microsoft's legitimate login page → Completes real MFA on Microsoft's real infrastructure
- EvilTokens C2 polls Microsoft's /token endpoint → Receives OAuth access + refresh tokens
- Attacker has persistent access to the target's M365 account → MFA was completed by the target, on Microsoft's real site
The critical insight: the target authenticates on Microsoft’s real domain, completing real MFA. There is no fake login page. No credentials are entered on an attacker-controlled site. The phishing page merely displays a code—authentication happens entirely on login.microsoftonline[.]com.
Token Replay and BEC
Captured OAuth tokens are replayed from Railway[.]com PaaS infrastructure to access target mailboxes. Automated refresh token exchange (BAV2ROPC) runs twice daily, maintaining persistent access for up to 90 days per compromised account.
Infrastructure: A Criminal SaaS Product
EvilTokens is not a phishing kit—it is a productized SaaS platform.
The C2 hosts a marketing page for “MailVault — Enterprise Email Management Platform” with feature descriptions, uptime claims, and onboarding CTAs. Behind it sits a Vue.js admin panel implementing a full BEC webmail client. Each customer—identified by a Telegram handle—receives an isolated tenant with unique API credentials and a choice of deployment mode: Cloudflare Workers (encrypted, harder to detect) or self-hosted PHP (direct render).

BEC Capabilities
The admin panel—titled “Outlook” in the browser tab as a disguise—implements:
- Email access and send-as-target: read all emails, download attachments, and compose fraudulent messages that appear to come from the compromised account
- Token intelligence: JWT claim parsing flags Exchange Administrators and Global Administrators with a crown icon, enabling privilege escalation to access every mailbox in the target’s organization
- Keyword alerting: operators set keywords like “wire transfer” or “routing number” that are searched across all compromised mailboxes, with matches triggering instant Telegram notifications
- Organization enumeration: maps the target’s entire directory via EWS, identifying executives and financial staff for targeted social engineering

AI-Powered BEC Automation
The most significant capability is EvilTokens’ integration of AI-powered email intelligence.
LLaMA Email Summarization
The platform’s summarization endpoint uses Meta’s LLaMA model to extract structured financial intelligence from target emails: account numbers, routing numbers, wire amounts, payment deadlines, and key financial relationships.
Operators don’t need to read through compromised mailboxes. AI distills an entire inbox into actionable BEC intelligence in seconds.
AI Translation
The platform also provides automatic email translation via OpenAI, enabling non-English-speaking operators to target English-speaking targets and vice versa—eliminating language as a barrier to BEC operations.
The Automated Kill Chain

AI is not being used to write phishing emails—it is being used to read and weaponize the target’s own financial communications. Time from token capture to actionable intelligence drops from hours to seconds.
Protecting Your Organization from EvilTokens
By combining identity abuse (Device Code OAuth), SaaS delivery models, and AI-assisted analysis, EvilTokens enables operators to move from initial access to BEC activity in minutes rather than hours. The use of AI is not novel in isolation, but its application to post-compromise intelligence extraction represents a meaningful shift in attacker efficiency. Manual inbox review, a historically time-intensive phase of BEC, is now significantly compressed.
Security leaders should consider the following:
- Disable Device Code authentication via Conditional Access unless required for headless devices—this eliminates the attack vector entirely.
- Block Railway CIDRs (162.220.232.0/22, 162.220.234.0/22) via Conditional Access Named Locations.
- Enable Continuous Access Evaluation (CAE) to reduce token revocation latency to near-real-time.
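An added audit helper for the first two recommendations (example code, not from the article or from Microsoft): it takes Conditional Access policies and named locations as exported from Microsoft Graph and reports whether an enforced policy blocks the device code flow and which Railway ranges still lack a named location. The Graph field names and the sample policies are assumptions.

```python
# Graph field names (state, conditions.authenticationFlows.transferMethods,
# conditions.users, grantControls.builtInControls, ipRanges.cidrAddress) are
# assumed from the conditionalAccessPolicy and ipNamedLocation resources.
RAILWAY_CIDRS = {"162.220.232.0/22", "162.220.234.0/22"}

def _transfer_methods(policy):
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    methods = flows.get("transferMethods") or ""
    if isinstance(methods, str):  # Graph serialises the flags enum as "a,b"
        methods = methods.split(",")
    return {m.strip() for m in methods if m.strip()}

def blocks_device_code(policy):
    """True if the policy is enabled (not report-only), includes all users,
    matches the device code flow and applies the block grant control."""
    if policy.get("state") != "enabled":
        return False
    if "deviceCodeFlow" not in _transfer_methods(policy):
        return False
    users = (policy.get("conditions") or {}).get("users") or {}
    if "All" not in users.get("includeUsers", []):
        return False
    return "block" in (policy.get("grantControls") or {}).get("builtInControls", [])

def audit(policies, named_locations):
    """Summarise device-code coverage and which Railway ranges lack a named location."""
    blocking = [p for p in policies if blocks_device_code(p)]
    exclusions = sorted({u for p in blocking
                         for u in ((p["conditions"].get("users") or {}).get("excludeUsers") or [])})
    covered = {r.get("cidrAddress") for loc in named_locations for r in loc.get("ipRanges", [])}
    return {
        "device_code_blocked": bool(blocking),
        "review_exclusions": exclusions,  # break-glass accounts are normal; anything else is a gap
        "railway_cidrs_missing": sorted(RAILWAY_CIDRS - covered),
    }

# Constructed sample: a report-only pilot policy (does not count) and an enforced block.
SAMPLE_POLICIES = [
    {"displayName": "Block device code (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Block device code", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-id"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"builtInControls": ["block"]}},
]
SAMPLE_LOCATIONS = [{"displayName": "Railway", "ipRanges": [{"cidrAddress": "162.220.232.0/22"}]}]
```

`audit(SAMPLE_POLICIES, SAMPLE_LOCATIONS)` reports the block as present but flags the second Railway range as uncovered, which is the kind of partial rollout worth catching before relying on the control.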
Organizations that have not restricted Device Code authentication or implemented strong Conditional Access controls remain exposed to this class of attack. Modern PhaaS platforms are no longer selling phishing pages—they are delivering complete, scalable criminal operations. Defenders should adapt accordingly.
For additional insight into the attack landscape and analyses of other dark web tools, visit Abnormal Intelligence, our threat intelligence data and research hub.
Indicators of Compromise
Domains
| Domain | Role |
|---|---|
| techroboticslabmade.com | Central C2 / MailVault platform |
| macmamo.com | Self-hosted PHP backend |
| bibf.ac.bw | Compromised gate site |
| acb.af | Redirector |
| adobe-lg7.emily-c57.workers.dev | CF Worker—Adobe/ACH lure |
| docusign-wz7.emily-c57.workers.dev | CF Worker—DocuSign lure |
| docusign-2vh.davidvallejo-tophattx-com-s-account.workers.dev | CF Worker—DocuSign lure |
| docusign-4eo.davidvallejo-tophattx-com-s-account.workers.dev | CF Worker—DocuSign lure |
IP Addresses & CIDRs
| IP | Role |
|---|---|
| 216.126.227.101 | Self-hosted backend (Cloudzy, Tampa) |
| 162.220.232.0/22 | Token replay (Railway) |
| 162.220.234.0/22 | Token replay (Railway) |