EvilTokens and the Rise of AI-Powered Phishing
Phishing just got a serious upgrade, and the old defenses aren’t built for it.
In early 2026, Huntress spotted a campaign called EvilTokens. It’s a Phishing-as-a-Service (PhaaS) platform with AI baked in, built to steal Microsoft 365 tokens at scale. There’s no malware and no fake login page, just real Microsoft authentication flows turned against the people using them.
Device code phishing attacks spiked 1,380% between July–December 2025 and January–April 2026. Across 344 victim organizations in a single wave, no two phishing lures were identical. That’s how attackers put AI to work: personalizing attacks fast enough to outpace filters and stay ahead of traditional defenses.
This report goes deeper into what Huntress found, what it means for the future of cybersecurity, and what you can do about it.
What’s inside the report
- How device code phishing actually works. Spoiler alert: It abuses a legit Microsoft authentication flow, which makes it nearly impossible to spot using traditional defenses.
- The AI components pushing scale. From personalized lures to automated inbox analysis that identifies wire transfer threads, AI is doing the heavy lifting for attackers.
- The Railway and BL Networks playbooks. A breakdown of the specific infrastructure these attacks ran on, the event data behind them, and how Huntress disrupted the first wave.
- A victim’s POV. A scenario showing exactly how a normal workday unravels when a real Microsoft sign-in is the start of a full-blown identity attack.
- The defender’s checklist. Recommendations from Huntress and Microsoft security experts on immediate actions and longer-term hardening steps, including Conditional Access policies, token revocation, and what to watch for after a login.
What this means for defenders
Identity is where this fight is happening now. When attackers abuse real authentication flows, the tells shift from the email layer to the identity layer: who logged in, from where, through which authentication flow, and what changed after access was granted.
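To make those identity-layer tells concrete, here is an added triage example; it is not code from the Huntress report or from Microsoft. It walks constructed Microsoft 365 sign-in and audit records in time order and flags a sign-in when it used the device code flow, came from a country the user had not signed in from before, or was followed by a mailbox or consent change. The field name authenticationProtocol and its value deviceCode follow the Microsoft Graph signIn resource as I understand it; the flattened country field, the audit-event shape, the operation names and every record below are constructed for the example.

```python
"""Triage Microsoft 365 sign-ins for device-code-style identity abuse.

Added example, not part of the Huntress report. All records are constructed
sample data; field names approximate the Microsoft Graph signIn resource
(authenticationProtocol == "deviceCode") and the audit-event shape is a
simplified assumption, not a real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real telemetry).
SIGN_INS = [
    {"id": "s1", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "country": "US",
     "createdDateTime": "2026-02-03T08:01:00Z"},
    {"id": "s2", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "country": "US",
     "createdDateTime": "2026-02-04T08:05:00Z"},
    {"id": "s3", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "country": "NL",
     "createdDateTime": "2026-02-05T14:22:00Z"},
    {"id": "s4", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "country": "US",
     "createdDateTime": "2026-02-05T09:00:00Z"},
]

# Constructed post-login audit events (simplified shape, assumed).
AUDIT_EVENTS = [
    {"userPrincipalName": "alice@example.com", "operation": "New-InboxRule",
     "createdDateTime": "2026-02-05T14:40:00Z"},
    {"userPrincipalName": "bob@example.com", "operation": "MailItemsAccessed",
     "createdDateTime": "2026-02-05T09:10:00Z"},
]

# Operations that change what the identity can do or see after access is granted
# (assumed names for the example).
POST_LOGIN_OPERATIONS = {
    "New-InboxRule", "Set-InboxRule", "Add-MailboxPermission", "Consent to application",
}


def _ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-02-05T14:22:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(sign_ins, audit_events, post_login_ops=POST_LOGIN_OPERATIONS,
           follow_window=timedelta(hours=24)):
    """Return a list of findings, one per sign-in that shows at least one tell.

    Each finding carries the sign-in id, the user, the reasons it was flagged
    and a score equal to the number of reasons. The country baseline for a
    user is built only from sign-ins earlier in the stream, so a first-ever
    sign-in does not trigger the new-country check.
    """
    seen_countries = defaultdict(set)
    findings = []
    for s in sorted(sign_ins, key=lambda r: _ts(r["createdDateTime"])):
        user = s["userPrincipalName"]
        when = _ts(s["createdDateTime"])
        reasons = []

        # Tell 1: the authentication flow itself.
        if s["authenticationProtocol"] == "deviceCode":
            reasons.append("device code flow")

        # Tell 2: where the sign-in came from, relative to the user's history.
        baseline = seen_countries[user]
        if baseline and s["country"] not in baseline:
            reasons.append(f"new country {s['country']} (baseline {sorted(baseline)})")

        # Tell 3: what changed after access was granted. Only attach this to a
        # sign-in that already looks off, so an ordinary rule change is not noise.
        if reasons:
            follow = [
                e["operation"] for e in audit_events
                if e["userPrincipalName"] == user
                and when < _ts(e["createdDateTime"]) <= when + follow_window
                and e["operation"] in post_login_ops
            ]
            if follow:
                reasons.append("post-login change: " + ", ".join(follow))

        if reasons:
            findings.append({"id": s["id"], "user": user,
                             "reasons": reasons, "score": len(reasons)})
        seen_countries[user].add(s["country"])
    return findings


if __name__ == "__main__":
    for f in triage(SIGN_INS, AUDIT_EVENTS):
        print(f["score"], f["id"], f["user"], "; ".join(f["reasons"]))
```

In this data the sign-in s3 scores 3 (device code flow, new country, inbox rule created shortly after) and s4 scores 1 (device code flow only, with no prior baseline for that user), which is the ordering a responder would want: a sign-in that combines an unusual flow, an unusual origin and a post-login change is the one to revoke tokens for first.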
Frequently asked questions
Security teams, IT leaders, and partners managing Microsoft 365 environments, especially those who want to understand where phishing is headed and how to get ahead of it.
Yes. Download the full report above.
Telemetry from the Huntress Security Operations Center (SOC), drawn from real incidents observed across Huntress-protected organizations in early 2026, including detailed analysis of the Railway and BL Networks attack waves.