{"id":284729,"date":"2026-07-01T17:50:00","date_gmt":"2026-07-01T21:50:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/01\/eviltokens-device-code-phishing-kit-totally-more-evil-than-we-all-thought\/"},"modified":"2026-07-01T21:50:14","modified_gmt":"2026-07-02T01:50:14","slug":"eviltokens-device-code-phishing-kit-totally-more-evil-than-we-all-thought","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/01\/eviltokens-device-code-phishing-kit-totally-more-evil-than-we-all-thought\/","title":{"rendered":"EvilTokens device-code phishing kit totally more evil than we all thought"},"content":{"rendered":"<p><a href=\"https:\/\/www.theregister.com\/cyber-crime\/2026\/07\/01\/eviltokens-device-code-phishing-kit-totally-more-evil-than-we-all-thought\/5265409\">EvilTokens device-code phishing kit totally more evil than we all thought<\/a><\/p>\n<p><a href=\"https:\/\/www.theregister.com\/cyber-crime\/2026\/07\/01\/eviltokens-device-code-phishing-kit-totally-more-evil-than-we-all-thought\/5265409\">https:\/\/www.theregister.com\/cyber-crime\/2026\/07\/01\/eviltokens-device-code-phishing-kit-totally-more-evil-than-we-all-thought\/5265409<\/a><\/p>\n<p>Publish Date: 2026-07-01 17:50:00<\/p>\n<p>Source Domain: <a href=\"www.theregister.com\">www.theregister.com<\/a><\/p>\n<p class=\"kicker \" style=\"\">cyber-crime<\/p>\n<p class=\"subtitle \" style=\"\">It&#8217;s a &#8216;complete BEC operations environment,&#8217; Talos researcher says<\/p>\n<p>EvilTokens, the device-code phishing kit that can allow criminals to bypass multi-factor authentication (MFA) and silently authenticate as the victim to the organization&#8217;s Microsoft 365 applications, appears to be even more insidious than we all thought.<\/p>\n<p>Cisco Talos incident responders on Wednesday described how the lure reaches a victim&#8217;s inbox, and revealed new capabilities alongside a \u201cmore sophisticated evasion 
approach\u201d than documented in earlier EvilTokens research.<\/p>\n<p>Talos uncovered a phishing-as-a-service (PhaaS) operator panel, branded \u201cARToken,\u201d that appears to be an EvilTokens customer, according to security research engineer Michael Kelley, who noted the phishing operation shares infrastructure, API contracts, and operational patterns with the EvilTokens platform.<\/p>\n<p>EvilTokens was first documented by French cybersecurity firm Sekoia in March, and in April Microsoft said the device-code phishing campaign was compromising hundreds of organizations daily.\u00a0<\/p>\n<p>&#8220;Since March 15, 2026, we have observed 10 to 15 distinct campaigns launching every 24 hours,&#8221; Microsoft VP of security research Tanmay Ganacharya told <span class=\"italic m-italic \" data-lab-italic=\"italic\">El Reg<\/span> at the time. \u201cEach campaign is distributed at scale, targeting hundreds of organizations with highly varied and unique payloads, making pattern-based detection more challenging.\u201d<\/p>\n<p>While most subsequent analysis has covered EvilTokens\u2019 panel and phishing kit, \u201cwhat it has not shown is how an ARToken lure actually reaches an inbox,\u201d Kelley said on Wednesday. \u201cTalos recovered two near-identical messages, sent roughly four minutes apart on April 20, 2026, that initiate the chain. 
The tradecraft is targeted, not spray-and-pray.\u201d<\/p>\n<p>Specifically, the email lure abused a real vendor relationship between a US life-sciences company and a legitimate plumbing and fire-protection contractor&#8230;.<\/p>\n<p><a href=\"https:\/\/www.theregister.com\/cyber-crime\/2026\/07\/01\/eviltokens-device-code-phishing-kit-totally-more-evil-than-we-all-thought\/5265409\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>EvilTokens device-code phishing kit totally more evil than we all thought https:\/\/www.theregister.com\/cyber-crime\/2026\/07\/01\/eviltokens-device-code-phishing-kit-totally-more-evil-than-we-all-thought\/5265409 Publish Date: 2026-07-01&#8230;<\/p>\n","protected":false},"author":1,"featured_media":284730,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/image.theregister.com\/5265456.jpg?imageId=5265456&x=0&y=0&cropw=100&croph=100&panox=0&panoy=0&panow=100&panoh=100&width=1200&height=683","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,25],"class_list":["post-284729","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/284729"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=284729"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/284729\/revisions"}],"predecessor-version":[{"id":284731,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/p
osts\/284729\/revisions\/284731"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/284730"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=284729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=284729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=284729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}