Short answer: A meaningful inflection point, but probably not a true watershed. EvilTokens consolidates several existing techniques into the first commodified, AI-end-to-end device code phishing service — significant, but the underlying attack and its mitigations are not new.
Sources:
- Microsoft Security Blog — Inside an AI-enabled device code phishing campaign (April 6, 2026)
- Huntress — Riding the Rails: Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure (March 20, 2026; updated March 23)
- Sekoia — New widespread EvilTokens kit: device code phishing as-a-service – Part 1 (March 30, 2026)
- Sekoia — EvilTokens: an AI-augmented Phishing-as-a-Service for automating BEC fraud – Part 2 (April 7, 2026)
What is genuinely new:
- First-of-its-kind PhaaS commodification. Sekoia assesses EvilTokens is the first PhaaS to offer turnkey Microsoft device code phishing pages with complementary account-takeover tooling, and separately the first PhaaS to ship AI-augmented post-compromise tooling.
- Microsoft frames it as a step-change. Its Defender team calls it a significant escalation since the Storm-2372 device code phishing campaign of February 2025, citing AI-driven infrastructure, hyper-personalized lures, and dynamic code generation that defeats the 15-minute device-code expiry.
- AI fused into every stage. Sekoia documents a chained Llama-3.1 / Llama-3.3 (via Groq) and gpt-4o-mini pipeline that ingests up to 5,000 emails to summarise exploitable financial exposure, then drafts three tailored BEC emails matching the victim’s writing style — compressing reconnaissance-to-fraud from days to minutes.
- Scale arrived fast. Sekoia tracked over 1,000 EvilTokens domains by 23 March 2026; Huntress observed an active campaign targeting Microsoft 365 identities across more than 340 organizations in five countries, exploding from 3 cases in February to hundreds within weeks.
- PaaS weaponization with clean reputation. Railway-hosted infrastructure produces logins from IP space Microsoft has no reason to score as risky, neutralizing reputation-based defenses.
What is not:
- The underlying technique is years old. OAuth device-code abuse is well-documented; Storm-2372 (Feb 2025), Volt Typhoon-adjacent campaigns, and Huntress’s own prior research all preceded this. EvilTokens iterates on tradecraft rather than inventing it.
- Standard mitigations still work. Microsoft’s guidance — block the device code flow via Conditional Access, require phishing-resistant MFA (FIDO2/passkeys), require compliant devices, enable Continuous Access Evaluation — all defeat this attack class. Phishing-resistant auth in particular is fully effective.
- Defenders responded within the operational window. Huntress pushed a Conditional Access Policy blocking Railway IPs to all eligible tenants; Cloudflare took down workers.dev pages; Microsoft shipped detections. Huntress notes three IPs accounted for roughly 84% of observed events — highly concentrated, easily blockable infrastructure.
- Identity-layer telemetry still catches it. Per Huntress, the attack is visible in authentication logs even when every other layer (URL, domain, lure) is laundered through legitimate services. The detection problem is unsolved only for tenants without identity-layer monitoring.
- AI here is automation, not new capability. The LLM integration is impressive but relies on commodity APIs (Groq, OpenAI) that any future kit can replicate. EvilTokens raises the floor for low-skill actors more than it raises the ceiling for sophisticated ones.
- PhaaS as a model is mature. Tycoon 2FA, Sneaky 2FA, and Mamba 2FA all preceded this. It is the next entrant in an established market, not a paradigm shift.
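The two defensive points above (identity-layer telemetry exposes device code sign-ins even when the lure is laundered through legitimate services, and the observed infrastructure was concentrated in a handful of IPs that a Conditional Access policy can block) can be illustrated with a small triage script. This is an added example, not code from Huntress, Microsoft or Sekoia. The sign-in records are constructed and only loosely shaped like Entra ID sign-in log entries; the `authenticationProtocol` field and the Microsoft Graph `conditionalAccessPolicy` body built at the end (`authenticationFlows.transferMethods = "deviceCodeFlow"`) are assumptions about those schemas, so check them against current Graph documentation before use.

```python
"""Added illustration: triage sign-in records for device code flow usage,
measure how concentrated the source IPs are, and build a report-only
Conditional Access policy body that blocks the device code flow."""
from collections import Counter

# Constructed sample records (not real telemetry). Field names follow the
# Entra ID sign-in log loosely: authenticationProtocol "deviceCode" marks
# the OAuth device code flow; status.errorCode 0 is a successful sign-in.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-20T09:01:00Z", "userPrincipalName": "a.lee@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-20T09:04:00Z", "userPrincipalName": "b.ortiz@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-20T09:09:00Z", "userPrincipalName": "c.nair@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-20T09:12:00Z", "userPrincipalName": "d.kim@example.com",
     "ipAddress": "203.0.113.11", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-20T09:15:00Z", "userPrincipalName": "e.rossi@example.com",
     "ipAddress": "203.0.113.11", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-20T09:20:00Z", "userPrincipalName": "f.chen@example.com",
     "ipAddress": "198.51.100.5", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-20T09:25:00Z", "userPrincipalName": "g.park@example.com",
     "ipAddress": "192.0.2.77", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    # A device code attempt blocked by policy (constructed non-zero error code).
    {"createdDateTime": "2026-03-20T09:30:00Z", "userPrincipalName": "h.sato@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "status": {"errorCode": 53003}},
    # Ordinary browser and legacy sign-ins from corporate egress, for contrast.
    {"createdDateTime": "2026-03-20T09:31:00Z", "userPrincipalName": "a.lee@example.com",
     "ipAddress": "198.51.100.200", "authenticationProtocol": "none", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-20T09:33:00Z", "userPrincipalName": "svc-sync@example.com",
     "ipAddress": "198.51.100.200", "authenticationProtocol": "ropc", "status": {"errorCode": 0}},
]


def successful_device_code_signins(records):
    """Keep only successful sign-ins that used the device code flow."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode") == 0]


def top_ip_share(records, n=3):
    """Return (top_ips, share): the n busiest source IPs and the fraction of
    events they account for. A high share means a small blocklist covers
    most of the activity."""
    if not records:
        return [], 0.0
    counts = Counter(r["ipAddress"] for r in records)
    top = counts.most_common(n)
    return [ip for ip, _ in top], sum(c for _, c in top) / len(records)


def users_per_ip(records):
    """Map each source IP to the distinct accounts it signed in. Many
    unrelated users from one IP is the shared-infrastructure pattern."""
    by_ip = {}
    for r in records:
        by_ip.setdefault(r["ipAddress"], set()).add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in by_ip.items()}


def conditional_access_block_device_code(display_name="Block device code flow",
                                         report_only=True):
    """Build a Graph conditionalAccessPolicy body (schema is an assumption)
    that blocks the device code flow for all users and apps. Report-only
    first, so the sign-in log shows what would have been blocked."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    hits = successful_device_code_signins(SAMPLE_SIGNINS)
    ips, share = top_ip_share(hits)
    print(f"{len(hits)} successful device code sign-ins; top IPs {ips} cover {share:.0%}")
    for ip, users in users_per_ip(hits).items():
        print(f"  {ip}: {len(users)} accounts")
```

Run against an export of sign-in logs, the first two functions answer the question Huntress raises (is the device code flow in use in this tenant, and from where), while the third gives the body to post to Graph once the report-only results confirm that no legitimate workflow depends on the flow.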
The watershed-feeling element is the AI-driven post-compromise pipeline industrializing BEC at the kit level. The attack itself, and what stops it, are largely the same conversation defenders have been having since 2023.
If you treat “watershed” as “the moment defenders without phishing-resistant MFA and Conditional Access for device code flow stop being defensible,” then yes. If you treat it as “a novel attack class,” then no.