EvilTokens Scales AI Phishing 1,380% With $600 Service That Bypasses MFA
Updated · TechRadar · Jun 24
Summary
Huntress linked EvilTokens to a 1,380% jump in device-code phishing attacks detected in January-April 2026 versus July-December 2025, with more than half tied to two major incident waves.
AI drove that surge by generating unique lures for each victim at scale, a level of personalization Huntress said was once limited to manually crafted targeted campaigns.
Telegram listings show the phishing-as-a-service operation selling subscription tiers at $600, $1,000 and $1,500, lowering the barrier for criminals to launch sophisticated attacks.
MFA-bypass capability makes the service especially valuable, underscoring Huntress's warning that phishing-as-a-service is maturing into a startup-like market of cheap, powerful attack tools.
1,380% Increase in Device Code Phishing: How EvilTokens Is Redefining AI-Driven Cybercrime in 2026
Overview
EvilTokens, a sophisticated Phishing-as-a-Service platform first seen in February 2026, has quickly changed the cybersecurity landscape by using AI to bypass multi-factor authentication and target Microsoft 365 organizations worldwide. Instead of just stealing passwords, EvilTokens manipulates authentication flows, making many traditional security measures ineffective. By March 2026, over 1,000 phishing domains were found, with attackers using a variety of convincing lures aimed at employees in finance, HR, logistics, and sales—roles especially vulnerable to business email compromise. This shift shows attackers now focus on tricking people into granting access, rather than breaking into systems directly.