Zimperium

Extended Rapid Response: Zimperium's On-Device Coverage of the EvilTokens Multi-Brand Phishing Campaign

Written by Pablo Morales | Jun 22, 2026

Sekoia.io's recent research exposes EvilTokens, a widespread Phishing-as-a-Service (PhaaS) kit that runs device-code phishing against Microsoft 365. The campaign uses trusted brand lures (DocuSign, Microsoft 365, Adobe) hosted on disposable Cloudflare Workers infrastructure.

Instead of harvesting passwords, the kit abuses Microsoft's OAuth 2.0 device authorization grant. The attacker starts the flow on their own device, receives a short user code, and embeds that code in the lure; the victim is sent to the genuine Microsoft sign-in flow, authenticates there with their real password and MFA, and enters the code, which approves the attacker's device. No credential ever reaches the attacker's infrastructure, so credential-phishing defenses have nothing to catch, and MFA is satisfied rather than broken because the victim completes it. The lure page itself is delivered AES-GCM encrypted and decrypted by script in the browser, so crawlers and static scanners see only ciphertext.

The EvilTokens campaign is significant because:

    • It defeats both passwords and MFA: the victim approves the malicious device on Microsoft's own legitimate page, so there is no fake login form to detect.
    • It is sold as PhaaS on disposable Cloudflare Workers infrastructure, so domain and URL blocklists lag behind the campaign.
    • Stolen refresh tokens provide persistent access that survives a password reset; containment requires explicitly revoking the user's refresh tokens and sign-in sessions, not just changing the password.
    • The entry point is increasingly mobile: links are frequently opened on phones, where endpoint controls are weakest.

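The exchange described above, as an added example that is not part of the original post or of the kit: an offline Python model of the device authorization grant (RFC 8628) in which the attacker starts the flow, the victim approves it on the stand-in "genuine" sign-in page after password and MFA, and the attacker polls the token endpoint until a refresh token is issued. The server, client ID, scope, user accounts and lure text are all constructed; no real tenant or network call is involved. The containment step at the end mirrors the persistence bullet above: in this model a password reset leaves the issued refresh token usable, and only explicit revocation stops it.

```python
"""Offline model of the OAuth 2.0 device authorization grant (RFC 8628) as
abused by device-code phishing. Constructed example: the classes below stand in
for the /devicecode and /token endpoints and the genuine sign-in page. No real
tenant, client ID or network call is involved."""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

VERIFICATION_URI = "https://microsoft.com/devicelogin"  # genuine URL the lure points at
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class DeviceGrant:
    device_code: str      # secret, held only by the party that started the flow
    user_code: str        # short code the victim is asked to type in
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None


class AuthorizationServer:
    """Stand-in identity provider: issues device codes, approves them when a
    signed-in user enters the user_code, and hands tokens to whoever polls with
    the matching device_code. Nothing ties the poller to the victim."""

    def __init__(self, lifetime: int = 900):
        self.lifetime = lifetime
        self._grants: dict[str, DeviceGrant] = {}          # device_code -> grant
        self._by_user_code: dict[str, DeviceGrant] = {}    # user_code   -> grant
        self._refresh_tokens: dict[str, str] = {}          # refresh_token -> user
        self._passwords: dict[str, str] = {}

    def register_user(self, user: str, password: str) -> None:
        self._passwords[user] = password

    # Step 1: the attacker (not the victim) starts the flow and receives both codes.
    def device_authorization(self, client_id: str, scope: str, now: float) -> DeviceGrant:
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8)),
            client_id=client_id, scope=scope, expires_at=now + self.lifetime)
        self._grants[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return grant

    # Step 3: the victim authenticates on the *genuine* page, passes MFA, and
    # types the code from the lure. Credentials never reach the attacker.
    def sign_in_and_enter_code(self, user: str, password: str, mfa_passed: bool,
                               user_code: str, now: float) -> bool:
        if self._passwords.get(user) != password or not mfa_passed:
            return False
        grant = self._by_user_code.get(user_code)
        if grant is None or now > grant.expires_at or grant.approved_by:
            return False
        grant.approved_by = user
        return True

    # Steps 2 and 4: the attacker polls with the device_code until approval lands.
    def token(self, device_code: str, now: float) -> dict:
        grant = self._grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if now > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        refresh = secrets.token_urlsafe(32)
        self._refresh_tokens[refresh] = grant.approved_by
        del self._grants[device_code]                       # one-time use
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(16),
                "refresh_token": refresh, "scope": grant.scope, "user": grant.approved_by}

    def refresh(self, refresh_token: str) -> Optional[str]:
        """Returns the user a valid refresh token can still act as, else None."""
        return self._refresh_tokens.get(refresh_token)

    # Containment: in this model a password reset leaves issued refresh tokens in
    # place (the persistence the post describes); revocation must be explicit.
    def reset_password(self, user: str, new_password: str) -> None:
        self._passwords[user] = new_password

    def revoke_refresh_tokens(self, user: str) -> None:
        self._refresh_tokens = {t: u for t, u in self._refresh_tokens.items() if u != user}


def run_phish(server: AuthorizationServer, victim: str, password: str, start: float) -> dict:
    """One end-to-end exchange. Returns what the attacker ends up holding."""
    grant = server.device_authorization("attacker-client", "openid offline_access Mail.Read", start)
    lure = f"Your document is ready: open {VERIFICATION_URI} and enter code {grant.user_code}"
    assert server.token(grant.device_code, start + 5)["error"] == "authorization_pending"
    # the victim follows the lure on the real sign-in page, with password and MFA
    approved = server.sign_in_and_enter_code(victim, password, True, grant.user_code, start + 60)
    tokens = server.token(grant.device_code, start + 65)
    return {"lure": lure, "approved": approved, "tokens": tokens}


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_user("alice@example.com", "correct horse")   # constructed account
    result = run_phish(srv, "alice@example.com", "correct horse", time.time())
    print(result["lure"])
    print("attacker now acts as:", srv.refresh(result["tokens"]["refresh_token"]))
```

The point to take from the model is the one the post makes: the only thing the victim does on attacker-controlled infrastructure is read the code, and everything else happens on the legitimate identity provider. Whether a password reset actually invalidates refresh tokens in a given tenant depends on the directory's revocation rules, so treat the reset-then-revoke pairing as the safe default during response.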
Zimperium's Mobile Threat Defense (MTD) detects and blocks the EvilTokens phishing URLs directly on the mobile device, stopping the lure at the entry point before the victim ever reaches the device-code step. On top of this, our research team identified hundreds of new domains actively using this phishing kit. These IOCs can be found in the following GitHub repository.