Cybercrime groups no longer lurk in shadows. They build product roadmaps. They run customer support channels. They price tiers and chase user growth. The latest evidence comes from a sophisticated phishing-as-a-service operation that treats its offerings with the discipline of a venture-backed startup.
Huntress researchers documented the shift in striking numbers. Device code phishing attacks jumped 1,380% in the first four months of 2026 compared with the second half of 2025. Over half of the incidents traced back to two large correlated waves. The service behind much of this growth goes by EvilTokens. (TechRadar, June 24, 2026)
Subscription prices start at $600. Top tiers reach $1,500. Buyers receive a complete toolkit that bypasses multi-factor authentication and generates unique, personalized lures for every target. No two phishing messages look alike across hundreds of incidents. Such variation once required handcrafted effort reserved for high-value espionage. Now any subscriber can deploy it at volume.
“We’re seeing a clear maturation of the phishing-as-a-service (PhaaS) market as threat actors increasingly integrate AI workflows into their product offerings,” the Huntress report states. “The result is directly observable in our telemetry: a 1,380% increase in device code phishing attacks detected between July–December 2025 and January–April 2026, with over 50% of those incidents linked to two major waves of correlated incidents.”
Furthermore, “across hundreds of incidents associated with EvilTokens, no two phishing lures were identical. This level of per-victim personalization was previously limited to targeted, manually crafted campaigns. Now, it’s achievable at scale by any threat actor at the price of a subscription service.”
The operation sells openly on Telegram. Dedicated channels handle sales, support, updates. Buyers get bots that manage deployment. This mirrors legitimate software-as-a-service models complete with churn reduction and feature requests. But the product steals enterprise credentials.
Microsoft first sounded alarms in early April. Its Defender Security Research team tracked a widespread campaign that abused the device code authentication flow. Attackers no longer generate static codes that expire after 15 minutes. They spin up fresh codes the instant a victim clicks the link. The countdown begins only upon interaction. Success rates climbed. (Microsoft Security Blog, April 6, 2026)
“This activity aligns with the emergence of EvilTokens, a phishing-as-a-service (PhaaS) toolkit identified as a key driver of large-scale device code abuse,” Microsoft stated. The campaign marked “a significant escalation in threat actor sophistication” since earlier efforts observed in February 2025.
Automation runs deep. Backend infrastructure on platforms such as Railway.com spins up thousands of unique polling nodes. Complex Node.js logic checks token status every few seconds. Generative AI crafts email themes around RFPs, invoices, manufacturing topics tailored to the recipient’s industry or recent activity. Reconnaissance against targets can begin 10 to 15 days before the lure arrives.
Once inside, attackers map the organization via Microsoft Graph. They target finance and executive accounts. Malicious inbox rules ensure persistence and quietly forward sensitive mail. Device registration creates primary refresh tokens for long-term access. The entire chain runs with minimal human oversight after initial setup.
Sekoia’s Threat Detection and Research team uncovered the kit in March through monitoring of phishing communities. The service launched in mid-February. It quickly gained traction with a private channel for paying customers and an ecosystem of bots. Later analysis revealed integration of large language models including Meta’s Llama series and OpenAI’s GPT-4o mini to automate business email compromise tasks after initial access. (Sekoia Blog, March 30, 2026)
Other researchers saw similar patterns. Barracuda detected more than 7 million device code phishing attempts in a single recent month, many tied to EvilTokens. Push Security reported a 37.5 times increase in detected phishing pages early in the year. The kit’s popularity spawned at least 14 copycat variants. (Barracuda Blog, April 23, 2026)
This isn’t isolated innovation. Europol’s 2026 Internet Organised Crime Threat Assessment describes criminal networks harnessing AI and automation to expand operations. Fraud networks personalize social engineering at previously impossible speeds and volumes. Agentic AI that handles end-to-end processes without constant direction raises the threat further. (Europol IOCTA 2026)
Broader industry reports echo the trend. Phishing emails using AI reached 82.6% in some analyses. Generative tools removed safety restrictions let attackers produce flawless copy, images, even voice clones. Initial access brokers harvest credentials then auction them to ransomware groups. The entire supply chain professionalizes.
Yet defenders face structural disadvantages. Enterprises still rely on passwords and basic MFA that these attacks render ineffective. Conditional access policies can block device code flows in many cases. Education campaigns warn users against unexpected sign-in prompts asking them to visit microsoft.com/devicelogin and paste a code. But scale favors the attackers.
Token revocation helps after detection. Sign-in risk policies trigger re-authentication. Phishing-resistant methods such as FIDO keys limit exposure. Still, the economics work heavily in the criminals’ favor. One compromised executive account can yield data worth millions in ransomware or intellectual property theft. The $600 subscription looks cheap.
So the maturation continues. EvilTokens and its imitators iterate quickly. New features appear. Support tickets get answered. Pricing adjusts to demand. The groups study telemetry from their own campaigns the way product teams review usage metrics.
Organizations cannot treat this as another passing phishing variant. The infrastructure, the business model, the AI integration point to sustained investment and growth. Defenders must match that discipline with faster detection, stricter identity controls, and a recognition that the adversary now operates with startup efficiency and venture-scale ambition.


WebProNews is an iEntry Publication