Cisco Talos Says EvilTokens Is More Than a Simple Phishing Kit
Cisco Talos says the device-code phishing ecosystem known as EvilTokens is more capable and more carefully operated than earlier reporting suggested. The campaign is designed to steal Microsoft authen...
Cisco Talos says the device-code phishing ecosystem known as EvilTokens is more capable and more carefully operated than earlier reporting suggested. The campaign is designed to steal Microsoft authentication tokens, bypass multi-factor authentication, and let attackers sign in to Microsoft 365 services as the victim.
In new research released Wednesday, Talos incident responders described how the phishing lure reaches targets and highlighted additional evasion features built into the operation. The team also identified a phishing-as-a-service panel called ARToken, which appears to be connected to EvilTokens through shared infrastructure, matching API behavior, and similar operational patterns.
Targeted delivery through a trusted vendor relationship
According to Talos researcher Michael Kelley, the phishing message was not a broad, low-effort spam campaign. Instead, it used a real business relationship between a U.S. life-sciences company and a legitimate plumbing and fire-protection contractor. The email impersonated an unpaid invoice notice and used the contractor’s real domain in the visible sender details.
Although the message body linked to a SharePoint page, the destination was an attacker-controlled copy hosted in a separate Microsoft 365 tenant. Because the link still pointed to a legitimate sharepoint.com address, the lure was less likely to raise suspicion or trigger common email filters. The reply-to field also sent responses to a different, unrelated domain.
A broader post-compromise toolkit
Talos says ARToken’s operator panel exposes more than basic device-code phishing. The platform includes token handling, persistence options, and a built-in business email compromise toolkit. That toolkit can:
- read victims’ Outlook inboxes
- send messages as the compromised user
- create inbox rules for forwarding or deleting mail
- monitor compromised accounts for selected keywords
The researchers said those features suggest a mature operation aimed at long-term access and monetization, rather than a one-off credential theft campaign. Talos also noted more advanced anti-analysis and evasion techniques than had been documented previously.
EvilTokens was first described by French security firm Sekoia in March, and Microsoft later warned that device-code phishing campaigns were affecting hundreds of organizations per day. Talos’ findings add to that picture, showing that the ecosystem may support a full business email compromise workflow, not just initial account capture.
