Path & Payload

AI Phishing-as-a-Service Is a Marketing Operation

By mid-March, 2026, a campaign began that would eventually hit hundreds of organizations per day across the United States, Australia, Canada, France, and more than a dozen other countries. Targets received attachments β€” PDFs, HTML files, spreadsheets β€” that looked like things they had good reason to open: investment decks, cash flow analyses, DocuSign signing requests, and meeting invitations. Some of the attachment filenames included the recipient's name.

When a target clicked through, they arrived at a Microsoft verification page. They authenticated. The attacker received a valid OAuth token, persistent access to the target's Microsoft 365 environment, and within hours, an AI-assisted summary of finance-related inbox activity, including wire-transfer conversations, pending invoices and executive correspondence.

This is EvilTokens, a phishing-as-a-service toolkit first publicly documented by Sekoia's Threat Detection and Research team in March 2026 and analyzed in the months following by Microsoft and Cisco Talos. EvilTokens is not, by any useful definition, just a phishing campaign. It looks more like a demand generation program. The mechanism differs from what a B2B marketing team would recognize, but the operational architecture is the same.

The Infrastructure Is a Marketing Stack

EvilTokens is sold on Telegram, operated via bots, and structured as a subscription service. Affiliates receive access to a turnkey kit: pre-built lure templates segmented by target industry, automated backend infrastructure for code generation and token capture, and a full post-compromise toolkit. Cisco Talos, analyzing ARToken β€” an EvilTokens affiliate panel β€” documented more than 80 API endpoints for device code phishing, token persistence, email access, business email compromise operations, and SharePoint exfiltration, all accessible through a React-based dashboard.

That’s the operator panel of a SaaS platform. The attacker is the SaaS customer. The victim is the prospect. Credential harvest rate is the conversion metric.

Lure templates are organized by target persona: investment decks and cash flow analyses for finance teams, shipping notifications for logistics staff, payroll update notices for HR, and shared document alerts for general Microsoft 365 users. The platform's operators have publicly announced plans to extend phishing pages to Gmail and Okta in future releases β€” they have a product roadmap. The vocabulary is almost indistinguishable from a vendor announcement.

And EvilTokens isn’t an anomaly. Rockstar2FA and Tycoon2FA operate on the same model β€” dashboards, campaign tracking, subscriber access, template libraries β€” and were in wide use before EvilTokens entered the market. EvilTokens is notable for making device-code phishing central to the offering and pairing it with AI-assisted post-compromise BEC workflows.

The Reconnaissance Is Prospect Qualification

Before a single attachment is sent, operators confirm that target email addresses are active, map organizational structures using Microsoft Graph reconnaissance, and identify which accounts hold financial authority, administrative access, or access to privileged correspondence. Sekoia documented automated Azure subscription enumeration and API calls to Microsoft's GetCredentialType endpoint β€” a method used to confirm that an email address resolves to a real, active Microsoft account.

This is intent data. The goal is identical to what a B2B demand generation team achieves when buying a prospecting platform subscription: don't waste resources on unqualified targets. Identify who controls the money, who controls access, and who can be redirected without triggering an immediate alert.

The lure delivery compounds the qualification logic. Some campaigns use compromised domains, high-reputation hosting or trusted collaboration platforms to bypass reputation filters. In other cases, lures may still fail sender authentication but inherit legitimacy from lookalike SharePoint, Microsoft or cloud-service infrastructure.

The Lure Is a Personalization Engine

By March 19, 2026, Sekoia had catalogued 66 phishing attachments linked to EvilTokens campaigns. Most fell into recognizable categories like financial and investment documents impersonating board-level reports, meeting invitations, shipping notifications, HR policy updates β€” some with filenames that included the recipient's name.

This is behavioral personalization. It’s the same principle a marketing automation platform applies when pulling a prospect's name, company, and recent activity from a CRM record and inserting them into a follow-up email. The mechanism differs, but the operational logic is identical.

EvilTokens integrates large language models β€” Meta's Llama 3.1 and 3.3 via Groq-hosted infrastructure, and OpenAI's GPT-4o-mini β€” to generate lure content and draft business email compromise scenarios post-compromise. This is a content pipeline. The LLMs handle the copy, while the operator configures the campaign.

The tells that security awareness training has historically depended on β€” poor grammar, generic phrasing, implausible urgency, a sender address that doesn't match the domain β€” are absent from a well-configured EvilTokens campaign. The lures are professionally written because they were professionally generated. The sender is legitimate because it was previously compromised. The Microsoft login page is real because the device code authentication flow redirects to Microsoft's actual infrastructure.

Microsoft's VP of security research, describing the campaign to The Register, noted that each campaign deployed highly varied and unique payloads expressly to frustrate pattern-based detection. This is essentially A/B testing against a changing algorithm β€” conversion rate optimization applied to evasion.

Post-Compromise Is Pipeline Qualification

EvilTokens operators don’t treat every captured token equally. That’s what makes post-compromise look more like a conversion funnel than a credential-harvesting operation.

Once a token is obtained, the platform's AI-augmented post-compromise pipeline scores each account for financial exposure. Groq-hosted Llama models triage captured inboxes, identifying wire transfer conversations, pending invoice approvals, executive correspondence, and access to financial systems. Accounts with high financial exposure receive the full treatment. Others may simply be harvested for credentials and recycled as future lure senders β€” reprocessed into the top of the funnel.

The highest-priority accounts receive persistent access mechanisms: inbox forwarding rules, Primary Refresh Token conversion for device registration in Entra ID, and silent re-authentication across Microsoft 365 services. As Sekoia researchers noted, a captured refresh token can be used to register an additional device in Entra ID, after which the attacker can authenticate silently as the victim across every service that account can reach, without triggering a credential prompt or MFA challenge.

This is lead scoring. The qualification work that happened before the lure was sent was designed to ensure that a successful compromise returned proportional value β€” and that the most valuable accounts were handled with proportionally more investment.

Commoditization Removed the Quality Floor

A criminal without the expertise to build a phishing kit, configure backend infrastructure, generate convincing lure content, or conduct post-compromise email triage can subscribe to EvilTokens via Telegram and deploy campaigns that match the output quality of a specialized threat actor. The operator "eviltokensadmin" manages updates, adds new phishing templates, and distributes through a bot interface. The affiliate's job is to configure the target list and collect the results.

Since March 15, 2026, Microsoft has tracked 10 to 15 distinct EvilTokens campaigns launching every 24 hours, each targeting hundreds of organizations. Push Security documented a 37.5-fold increase in detected device code phishing pages in 2026 [LINK NEEDED], driven primarily by EvilTokens activity. The platform reached more than 1,000 active phishing domains within weeks of its public discovery.

The quality floor for a PhaaS campaign used to be a detection signal. Generic lures, impersonal language, mismatched sender domains, syntactically awkward urgency β€” these were artifacts of low investment, and defenders learned to look for them. EvilTokens makes most of these quality signals obsolete. AI generation eliminates the grammar and language tells. Lures sent from compromised accounts pass every sender authentication check. Device code authentication redirects users to Microsoft's real login infrastructure, eliminating the fake login page. Polymorphic payload generation β€” unique attachments, unique URLs, unique code variants per campaign β€” eliminates pattern-based detection.

There’s just no craftwork failure to catch. What remains detectable is the behavior that follows.

The Attack Is a Funnel, and Defense Needs to Map It

Security awareness training is built for the top of the funnel. Spot the suspicious email. Check the sender domain. Look for urgency language and bad grammar. Don't click unknown links. These habits were calibrated for a class of attack that EvilTokens has substantially retired.

If an attack has distinct operational stages β€” qualification, delivery, engagement, conversion, post-conversion β€” then controls applied only at delivery become single points of failure when delivery improves. A campaign that passes SPF and DKIM validation, generates personalized lures via LLM, and redirects users to genuine Microsoft authentication infrastructure is not meaningfully constrained by delivery-stage defenses.

The stages where friction still applies are later in the chain. The device code flow itself is restrictable through Conditional Access policy, scoped to approved users, devices, and locations, and Microsoft explicitly recommends this control. Post-compromise persistence β€” anomalous inbox rules, unexpected device registrations in Entra ID, unusual token activity across Microsoft Graph β€” produces forensic signals even when the lure did not. Those signals require detection tooling and response investment to be actionable.

The question for security teams is whether their detection and response posture is calibrated to the stages where the attack is still visible β€” and whether the funnel logic their attacker is using has any corresponding structure in the logic of their defense.

Sources

#Perspectives