📢 Explosion of device code phishing in 2026: 37.5x increase and emergence of the EvilTokens kit
📝 ## 🔍 Context

Article published on 4 April 2026 by Luke Jennings (VP R&D, Push Security) on the pushsecurity.com blog.
📖 cyberveille : https://cyberveille.ch/posts/2026-09-04-explosion-du-device-code-phishing-en-2026-375x-d-augmentation-et-emergence-du-kit-eviltokens/
🌐 source : https://pushsecurity.com/blog/device-code-phishing
#DeviceCodePhishing #EvilTokens #Cyberveille

📢 Large-scale Microsoft device code phishing campaign using EvilTokens to bypass MFA
📝 📰 **Source** : The Register — Article published on 7 April 2026, based on statements...
📖 cyberveille : https://cyberveille.ch/posts/2026-04-11-campagne-de-phishing-microsoft-device-code-a-grande-echelle-exploitant-eviltokens-pour-contourner-le-mfa/
🌐 source : https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/
#AI_powered_phishing #EvilTokens #Cyberveille
Large-scale Microsoft device code phishing campaign using EvilTokens to bypass MFA

📰 Source: The Register — Article published on 7 April 2026, based on statements by Tanmay Ganacharya, VP of security research at Microsoft, and a Microsoft technical blog post published on 7 April 2026.

Context

Since 15 March 2026, an OAuth 2.0 device code phishing campaign has been targeting hundreds of organizations worldwide. Microsoft observes 10 to 15 distinct campaigns launched every 24 hours, each distributed at scale with varied and unique payloads, making signature-based detection difficult.

CyberVeille

Part 2 of our #EvilTokens in-depth analysis is out!

This blog post details the AI-augmented features significantly facilitating #BEC fraud.

I believe that this AI-augmented post-compromise tooling represents a genuine breakthrough in the #PhaaS ecosystem.

https://blog.sekoia.io/eviltokens-an-ai-augmented-phishing-as-a-service-for-automating-bec-fraud-part-2/

Part 2 of our #EvilTokens analysis is live. TDR analysts uncovered the AI-augmented features that automate and scale #BEC workflows, marking a breakthrough in the #PhaaS ecosystem.

https://blog.sekoia.io/eviltokens-an-ai-augmented-phishing-as-a-service-for-automating-bec-fraud-part-2/

TDR analysts gained access to the #EvilTokens backend JavaScript and implemented device code phishing functions and token weaponisation.

This script also includes #LLM #prompts to analyse large volumes of emails, construct BEC attack scenarios, and draft targeted #BEC emails.

Microsoft Device-Code Phishing Attacks Compromise Hundreds Daily

A shocking reality check: a sophisticated Microsoft device-code phishing campaign, dubbed "EvilTokens," is breaching hundreds of organizations daily, using AI and automation to snoop through corporate email inboxes and steal financial data. This alarming threat is making short work of traditional security…

https://osintsights.com/microsoft-device-code-phishing-attacks-compromise-hundreds-daily

#MicrosoftDevicecodePhishing #Eviltokens #MfaBypass #AipoweredAttacks #AutomationbasedAttacks

Microsoft Device-Code Phishing Attacks Compromise Hundreds Daily

Microsoft device-code phishing attacks compromise hundreds daily using AI and automation, learn how to protect your organization now and stay secure.

OSINTSights

Inside an AI-enabled device code phishing campaign | Microsoft Security Blog

A new wave of device code phishing shows how threat actors are scaling account compromise using AI and end‑to‑end automation. This campaign goes beyond traditional phishing by generating live authentication codes on demand, enabling higher success rates and sustained post‑compromise access.

Microsoft Security Blog

📢 The rise of device code phishing in 2026: analysis of kits and campaigns
📝 ## 🗓️ Context

Article published on 4 April 2026 by Luke Jennings on the Push Security blog.
📖 cyberveille : https://cyberveille.ch/posts/2026-04-04-montee-en-puissance-du-device-code-phishing-en-2026-analyse-des-kits-et-campagnes/
🌐 source : https://pushsecurity.com/blog/device-code-phishing/
#DeviceCodePhishing #EvilTokens #Cyberveille

The rise of device code phishing in 2026: analysis of kits and campaigns

🗓️ Context

Article published on 4 April 2026 by Luke Jennings on the Push Security blog. It is an in-depth technical analysis of the rise of device code phishing in 2026, a technique that exploits the OAuth 2.0 Device Authorization Grant flow.

📈 Observed trend

Push Security observed a 37.5x increase in device code phishing pages detected in 2026 compared with the previous year. Ten distinct kits were identified in circulation, the most prominent being EvilTokens, the first criminal PhaaS (Phishing-as-a-Service) kit dedicated to device code phishing, launched in February 2026.

CyberVeille
New EvilTokens service fuels Microsoft device code phishing attacks

A new malicious kit called EvilTokens integrates device code phishing capabilities, allowing attackers to hijack Microsoft accounts and provide advanced features for business email compromise attacks.

BleepingComputer

⚠️ Encrypted HTTPS traffic remains one of the main reasons #phishing is harder to confirm quickly. Automatic SSL decryption significantly expands visibility in every #ANYRUN Sandbox session. See real-world examples:
🔹 #EvilTokens. Decrypted traffic exposed hidden HTTPS API calls behind the OAuth Device Code phishing flow, revealing session control and attacker infrastructure: https://app.any.run/tasks/2e8014a8-a90a-41bf-90fa-aa65da40fd20/?utm_source=mastodon&utm_medium=post&utm_campaign=ssl_decryption_examples&utm_term=020426&utm_content=linktoservice

🔹 #FlowerStorm. SSL decryption enabled early detection of this phishkit via POST requests to /google.php at initial page load, before any user interaction or data entry: https://app.any.run/tasks/25694db7-2771-480c-9ff0-773e399331d6/?utm_source=mastodon&utm_medium=post&utm_campaign=ssl_decryption_examples&utm_term=020426&utm_content=linktoservice

🔹 Phishing via Telegram API. Decrypted traffic revealed data exfiltration through the Telegram Bot API, helping identify localized campaigns via encrypted traffic patterns: https://app.any.run/tasks/49484bb5-28ec-44ca-835a-9b3235bd6419/?utm_source=mastodon&utm_medium=post&utm_campaign=ssl_decryption_examples&utm_term=020426&utm_content=linktoservice

⚡️ Reduce phishing risk across your organization. Integrate #ANYRUN into your SOC’s triage & response workflows: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=ssl_decryption_examples&utm_term=020426&utm_content=linktoenterpriselanding

#cybersecurity #infosec