Imagine completing a two-factor authentication check on a real Microsoft login page and still handing a criminal full access to your email account. That is not a hypothetical. According to new research published this week by cybersecurity company Huntress, it happened across hundreds of organisations in the first four months of 2026 and the victims had no idea.
The research, titled “EvilTokens and the Rise of AI-Powered Phishing,” documents a criminal phishing-as-a-service (PhaaS) platform that combined artificial intelligence, legitimate cloud infrastructure, and a real Microsoft authentication flow to steal access tokens from Microsoft 365 accounts at unprecedented scale. The result was a 1,380% increase in detected device code phishing attacks when comparing July–December 2025 with January–April 2026.
What Is Device Code Phishing and Why Is It So Dangerous?
Device code phishing exploits a legitimate OAuth 2.0 flow, the device authorization grant, which was designed for devices that cannot easily take a password, such as smart televisions and command-line tools. The attacker starts the flow by requesting a device code from Microsoft, which returns a secret device code for the client plus a short user code and a verification URL (microsoft.com/devicelogin). The attacker then tricks the victim into visiting that genuine page and entering the user code. The victim signs in normally and completes MFA, but the tokens are delivered to whoever started the flow: the attacker, polling Microsoft's token endpoint in the background with the device code, receives an access token and a long-lived refresh token for the victim's account. The code is only valid for a short window (Microsoft's expires after about 15 minutes), so the lure has to be acted on while the code is live.
There is no fake login page. No malware. No suspicious attachment. The victim interacts entirely with legitimate Microsoft infrastructure, making the attack exceptionally difficult to recognise and even harder to detect after the fact.
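To make the hand-off concrete, here is an added, self-contained simulation of the OAuth 2.0 device authorization grant (RFC 8628) that this technique abuses. It is illustrative code written for this article, not code from Huntress, the report, or the EvilTokens kit. A small in-memory class stands in for Microsoft's /devicecode and /token endpoints so it runs offline; the codes are generated locally, the client id is a placeholder, the victim's address is made up, and the 900-second lifetime mirrors the expires_in value Microsoft returns for a device code. The point it shows is that the tokens go to the party holding the device_code (the one who started the flow), regardless of who typed the user_code and passed MFA, and that a lure acted on after the code expires yields nothing.

```python
import secrets
import string
import time

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits   # real codes look like "ABCD1234E"
DEFAULT_EXPIRY_SECONDS = 900   # the 15-minute lifetime in Microsoft's /devicecode response


class DeviceCodeServer:
    """Toy stand-in for the /devicecode and /token endpoints, kept in memory (added example)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}        # device_code -> state
        self._by_user_code = {}   # user_code -> device_code

    # Step 1: the CLIENT (the attacker in a phishing case) calls POST /devicecode and
    # keeps the secret device_code; only the short user_code goes into the lure.
    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self._clock() + DEFAULT_EXPIRY_SECONDS, "authorized_by": None,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": DEFAULT_EXPIRY_SECONDS}

    # Step 2: the USER (the victim) visits the genuine verification page, types the user_code
    # and signs in with password + MFA. Nothing ties the person entering the code to the
    # client that started the flow; the code is the only link between the two halves.
    def verify_user_code(self, user_code, authenticated_upn, mfa_satisfied):
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return {"ok": False, "error": "invalid_user_code"}
        rec = self._pending[device_code]
        if self._clock() > rec["expires_at"]:
            return {"ok": False, "error": "expired_token"}
        if not mfa_satisfied:
            return {"ok": False, "error": "mfa_required"}
        rec["authorized_by"] = authenticated_upn
        return {"ok": True}

    # Step 3: the CLIENT polls POST /token with grant_type=...:device_code until the user
    # has approved, then receives the tokens, issued for the account that approved.
    def token(self, device_code):
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self._clock() > rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["authorized_by"] is None:
            return {"error": "authorization_pending"}   # RFC 8628 "keep polling" response
        del self._pending[device_code]
        del self._by_user_code[rec["user_code"]]
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": "access-" + secrets.token_urlsafe(16),
                "refresh_token": "refresh-" + secrets.token_urlsafe(16),  # long-lived: the prize
                "issued_to_client": rec["client_id"], "on_behalf_of": rec["authorized_by"]}


def run_phishing_scenario(clock=time.time):
    """Walk the attack end to end; returns what each party observed."""
    server = DeviceCodeServer(clock)
    # Attacker starts the flow with a public client id (placeholder value) and mail scopes.
    start = server.device_authorization("placeholder-public-client", "Mail.ReadWrite offline_access")
    first_poll = server.token(start["device_code"])            # victim has not acted yet
    # Victim follows the lure to the real page and completes password + MFA.
    victim_saw = server.verify_user_code(start["user_code"], "victim@example.org", mfa_satisfied=True)
    attacker_got = server.token(start["device_code"])          # tokens land with the attacker
    return {"first_poll": first_poll, "victim_saw": victim_saw, "attacker_got": attacker_got}


def run_expired_scenario():
    """Edge case: the victim enters the code after its lifetime, so no token is ever issued."""
    now = [1_000_000.0]
    server = DeviceCodeServer(lambda: now[0])
    start = server.device_authorization("placeholder-public-client", "Mail.Read")
    now[0] += DEFAULT_EXPIRY_SECONDS + 1
    victim_saw = server.verify_user_code(start["user_code"], "victim@example.org", mfa_satisfied=True)
    return {"victim_saw": victim_saw, "attacker_got": server.token(start["device_code"])}


if __name__ == "__main__":
    out = run_phishing_scenario()
    print("attacker's first poll:", out["first_poll"])
    print("victim's page reported:", out["victim_saw"])
    print("attacker now holds tokens for:", out["attacker_got"]["on_behalf_of"])
```

Note what the victim sees in this model: a page on the real domain that reports success. The only party that ever learns the device_code, and therefore the only party that can redeem it, is the client that called the device authorization endpoint first.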
“Device code phishing works really well because the user is typically only exposed to real Microsoft links and logins.” – Dave Kleinatland, Principal Product Researcher, Huntress
AI at the Heart of the Operation
What sets EvilTokens apart from earlier phishing toolkits is the depth of AI integration across the attack chain. The platform, marketed via Telegram and available on subscription from $600, baked generative AI into multiple stages of its operation:
- Lure generation: AI crafted a unique, personalised phishing email for every target based on their job function and context. Across 344 victim organisations hit in a single wave, no two phishing messages were identical, a level of personalisation previously only achievable in targeted, manually crafted campaigns.
- Post-compromise analysis: Once a token was captured, an AI pipeline automatically read the victim’s inbox, calendar, and documents to identify high-value targets and payment threads ripe for business email compromise (BEC) attacks.
- BEC scenario planning: AI tools mapped out follow-on attack scenarios, identifying which colleagues to impersonate and constructing social engineering messages to target them.
The platform also hosted phishing landing pages on Cloudflare Workers, a legitimate serverless hosting service, and wrapped malicious URLs inside redirect links from trusted security vendors, including Cisco, Trend Micro, and Mimecast, helping emails bypass standard filtering controls.
Hiding in Plain Sight: The Infrastructure Play
A critical element of the campaign’s success was its use of legitimate cloud platforms as attack infrastructure. Huntress traced the first major wave of incidents back to Railway, a developer platform-as-a-service that allows users to quickly deploy internet-facing applications. Railway’s clean IP reputation meant that Microsoft’s own risk scoring flagged zero incidents linked to its infrastructure.
In total, 57.5% of device code phishing attacks observed by Huntress were linked to either Railway or BL Networks, the infrastructure behind BitLaunch, a cloud hosting service that allows servers to be rented using cryptocurrency. When Huntress deployed a Conditional Access Policy to block Railway IPs across eligible customer tenants, over 600 incidents were prevented mid-campaign. The attackers simply pivoted to BL Networks’ infrastructure within days.
“This campaign was so dangerous because it combined clean, reputable cloud infrastructure with device code phishing that abused legitimate authentication processes.” – Lindsey O’Donnell-Welch, Huntress
The Criminal Marketplace Behind the Attack
EvilTokens operates with the polish of a legitimate software business. Its Telegram channel features pricing structures, demo videos, feature update announcements, and a 24/7 support team. Three products are offered: a B2B Sender from $600, an SMTP Sender at $1,000, and an Office 365 Capture Link, which includes the device code phishing kit, at $1,500.
Subscribers receive access to a full dashboard with customisable phishing lure templates, a captured token management panel, and role-based access controls for adding administrators. The barrier to launching a sophisticated, AI-personalised identity attack is now a subscription fee.
What Defenders Should Do Now
Huntress stresses that no single control catches this attack chain. The firm recommends a combination of immediate and longer-term steps:
- Search sign-in logs for authentications that used the device code flow and originated from Railway IP addresses (the Entra ID sign-in log records the authentication protocol, so the flow can be filtered directly); any successful authentication from that IP space should be treated as a confirmed compromise.
- Block device code authentication flows in Microsoft 365 via Conditional Access, which has a dedicated authentication-flows condition for this, and restrict the flow to only the identities that genuinely require it, for instance through an exempt group for devices that have no other way to sign in. Roll the policy out in report-only mode first so that any legitimate device code users surface in the sign-in log before they are blocked.
- For confirmed compromises, disable the account, revoke refresh tokens, review all Graph API queries initiated by the account, and audit newly registered devices.
- Enable Continuous Access Evaluation so that revocation takes effect in near real time rather than at the end of the access token's lifetime, which is roughly an hour by default.
- Update user training to reflect the new reality: entering a code on a genuine Microsoft login page can still be the final step in a phishing attack.
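As a concrete version of the first two steps, here is an added Python triage script written for this article; it is not Huntress's tooling and does not come from the report. It assumes sign-in records exported in the Microsoft Graph /auditLogs/signIns shape, including the authenticationProtocol field (beta) that records deviceCode, flags every successful device-code sign-in, treats those from a suspect hosting range as confirmed compromise and the rest as needing review, and returns the Conditional Access policy body (the Graph beta conditionalAccessPolicy shape with the authenticationFlows condition, as Microsoft documents it) that blocks the flow for all users except an exempt group. The IP ranges are RFC 5737 documentation addresses standing in for the provider prefixes the report lists, the sample records are constructed, and the group ID is a placeholder.

```python
import ipaddress
import json

# Placeholder ranges (RFC 5737 documentation space). Replace with the hosting provider's
# published prefixes; the report's IOC list is the authoritative source.
SUSPECT_HOSTING_RANGES = {
    "Railway": [ipaddress.ip_network("203.0.113.0/24")],
    "BL Networks": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample records in the Graph signIn shape; not real log data.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-04T09:12:41Z", "userPrincipalName": "a.lee@example.org",
     "ipAddress": "203.0.113.27", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-04T09:13:05Z", "userPrincipalName": "b.ng@example.org",
     "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},  # failed: no token issued
    {"createdDateTime": "2026-03-04T09:20:00Z", "userPrincipalName": "c.ortiz@example.org",
     "ipAddress": "192.0.2.44", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-04T09:21:10Z", "userPrincipalName": "a.lee@example.org",
     "ipAddress": "192.0.2.44", "appDisplayName": "OfficeHome",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},   # ordinary browser sign-in
]


def provider_for(ip):
    """Name of the suspect hosting provider owning this address, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in SUSPECT_HOSTING_RANGES.items():
        if any(addr in n for n in nets):
            return name
    return None


def triage(signins):
    """Return {'confirmed': [...], 'review': [...]}.

    confirmed: successful device-code sign-in from a suspect range (treat as compromise).
    review:    successful device-code sign-in from anywhere else; legitimate uses exist
               (TVs, kiosks, CLI tools) but each one should be explained.
    Failed attempts are dropped because no token was ever issued for them."""
    confirmed, review = [], []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue
        hit = {"user": s["userPrincipalName"], "ip": s["ipAddress"], "when": s["createdDateTime"],
               "app": s["appDisplayName"], "provider": provider_for(s["ipAddress"])}
        (confirmed if hit["provider"] else review).append(hit)
    return {"confirmed": confirmed, "review": review}


def block_device_code_policy(exempt_group_id, report_only=True):
    """Conditional Access policy body that blocks the device code flow for all users and
    apps except members of one exempt group. Start in report-only mode and promote to
    'enabled' once the sign-in log shows no legitimate device code users outside the group."""
    return {
        "displayName": "Block device code flow (except approved-devices group)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exempt_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SIGNINS)
    for hit in result["confirmed"]:
        print(f"CONFIRMED {hit['user']} from {hit['ip']} ({hit['provider']}) at {hit['when']}")
    for hit in result["review"]:
        print(f"REVIEW    {hit['user']} from {hit['ip']} via {hit['app']} at {hit['when']}")
    # Placeholder group id; substitute the object id of the group allowed to use the flow.
    print(json.dumps(block_device_code_policy("00000000-0000-0000-0000-000000000000"), indent=2))
```

On the sample data the script reports a.lee@example.org as confirmed (successful device code sign-in from the Railway placeholder range), drops b.ng@example.org because that attempt failed, and puts c.ortiz@example.org in the review bucket: a successful device code sign-in from an address outside the suspect ranges still needs an explanation, since the attackers moved providers within days once Railway was blocked.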
The Bigger Picture
Huntress CEO Kyle Hanslovan, a former US Air Force and NSA cyber operator, framed the findings as a structural shift rather than a single campaign. “While most businesses are still figuring out where artificial intelligence and automated workflows fit into their operations, adversaries have already put it to work,” he wrote in the report. “And they’re learning fast.”
The 10x increase in device code phishing attempts, jointly recorded by Huntress and Microsoft in the first half of 2026 compared to the second half of 2025, signals that this has moved firmly out of edge-case territory. With PhaaS platforms lowering the skill barrier to near zero and AI enabling hyper-personalised lures at machine speed, the identity layer has become the primary battleground in enterprise security.
The full EvilTokens report, including indicators of compromise, IP addresses, and a defender’s checklist, is available here: https://www.huntress.com/resources/eviltokens-ai-powered-phishing-report