
EvilToken: The AI-Powered Phishing Kit That Defeats MFA and Targets Saudi Financial M365 Environments

A new phishing-as-a-service toolkit called EvilToken is bypassing MFA at scale using AI-generated lures and OAuth device code abuse, targeting M365 users across the UAE and beyond — a direct risk to Saudi financial institutions.

FyntraLink Team

A sophisticated phishing-as-a-service toolkit called EvilToken is actively compromising Microsoft 365 accounts across financial institutions in the UAE and beyond — not by cracking passwords or defeating MFA, but by bypassing authentication entirely through the OAuth device code flow. According to Microsoft Defender and Sekoia research published in April 2026, this AI-amplified campaign has already hit over 340 organizations across five countries, with Middle Eastern financial firms explicitly named among the targets.

How EvilToken Defeats MFA Without Breaking It

The device code authentication flow was designed for input-constrained devices such as smart TVs and IoT endpoints that cannot easily display a browser login window. EvilToken weaponizes this legitimate OAuth 2.0 mechanism: the attacker initiates the device authorization flow, generating a short-lived code, and delivers that code to the victim through a highly convincing phishing lure — an RFP, an invoice, or a vendor onboarding request. When the victim enters the code on login.microsoftonline.com and completes their MFA challenge, they inadvertently authorize the attacker's session. The attacker's backend immediately harvests the OAuth access and refresh tokens, granting persistent account access without ever touching a password.

What makes EvilToken particularly dangerous is the automation layer. Traditional device code attacks were manual and narrow in scope, limited by the OAuth specification's standard 15-minute code expiration window. EvilToken solves this with a dynamic code generation engine that produces fresh, live codes the moment a victim clicks a phishing link — effectively eliminating the expiration constraint. The backend infrastructure, built on Railway.com and Node.js, spins up thousands of short-lived polling nodes rotated continuously to evade signature-based detection and IP reputation filtering.

Generative AI: From Generic Lures to Precision Targeting

Prior device code phishing campaigns relied on generic, low-effort lures that security-aware employees could identify. EvilToken changes this calculus by integrating generative AI to produce hyper-personalized messages tailored to each target's role and organization. A compliance officer at a Saudi bank might receive what appears to be a SAMA regulatory update requiring document re-submission through a shared portal. A finance director might receive an AI-crafted invoice approval request using real vendor names scraped from LinkedIn or company websites. The result is a campaign that looks indistinguishable from legitimate internal communications — one that defeats both security awareness training and technical MFA controls simultaneously. Microsoft researchers noted that the AI component generates unique email bodies for each target, making bulk signature-based detection in email gateways largely ineffective.

Scope and Impact: The UAE Exposure Saudi CISOs Must Take Seriously

Sekoia's analysis of EvilToken infrastructure identified campaigns with global reach, with the United Arab Emirates explicitly listed among the most affected countries alongside the United States, Canada, France, Australia, India, and Switzerland. This should concern Saudi financial CISOs directly. Many Saudi banking groups operate shared Microsoft 365 tenants, joint IT infrastructure, or outsourced helpdesks across GCC boundaries. A compromised M365 account in a Dubai branch can provide immediate lateral movement paths into Riyadh-based systems — particularly where conditional access policies and tenant segmentation are not enforced between legal entities. Cross-border exposure in the GCC is not a theoretical risk; it is the operational reality for every large Saudi financial institution with regional presence.

The SAMA CSCC and NCA ECC Compliance Angle

SAMA's Cyber Security Framework (CSCC) Domain 3 — Identity and Access Management — mandates that financial institutions implement strong authentication controls and monitor privileged and non-privileged account activity. EvilToken-style attacks expose a critical gap that regulatory documentation typically misses: SAMA CSCC assessments commonly evidence the presence of MFA enrollment, but not resilience against token theft or OAuth authorization abuse. An institution can be fully documented as MFA-compliant while remaining entirely vulnerable to device code phishing, because the victim authenticates successfully — MFA fires, the code is approved, and the organization's logs show a clean login event.

NCA ECC Control 2-11 similarly requires session management controls and prevention of unauthorized access through compromised credentials. EvilToken attacks leave anomalous OAuth token issuance events in Microsoft Entra ID audit logs — but only if those logs are being actively forwarded to a SIEM and monitored with detection rules specifically built for device code grant abuse. Organizations that have deployed Microsoft Sentinel or a third-party SIEM without these rules in place have no visibility into this attack vector.

Practical Steps to Harden Your M365 Environment Now

  1. Disable device code flow for standard users. Use Conditional Access Authentication Strengths in Microsoft Entra ID to block the OAuth 2.0 device authorization grant for all users who do not genuinely require it. For most corporate environments, this is the entire user population. This single control eliminates the primary attack surface EvilToken exploits.
  2. Migrate privileged accounts to phishing-resistant MFA. Transition finance staff, system administrators, and compliance teams to FIDO2 security keys (YubiKey, Feitian) or Windows Hello for Business. Unlike TOTP authenticator codes, FIDO2 credentials are cryptographically bound to the legitimate origin domain and cannot be relayed or reused by a PhaaS toolkit regardless of how convincing the lure is.
  3. Enable Continuous Access Evaluation (CAE). CAE allows Entra ID to revoke tokens in near real-time when a risk signal is detected — such as an impossible travel alert or a threat intelligence hit on the token's source IP. This narrows the window of attacker utility even when a token has already been stolen.
  4. Deploy detection rules for OAuth device code anomalies. Create SIEM alerts for device code authorization grants originating from unusual geographies, outside business hours, or from IP ranges not associated with known corporate egress points. Microsoft Sentinel's open-source EvilToken detection hunting queries are available on GitHub and should be deployed immediately.
  5. Audit and restrict third-party OAuth app consents. EvilToken and similar toolkits can silently establish persistent delegated permissions on attacker-controlled OAuth applications. Run quarterly reviews of consented Enterprise Applications in Entra ID and revoke any permissions that are unexpected, unused, or granted to unrecognized applications.
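One way to implement the detection logic from step 4 as a standalone triage pass, added here as an example and not code from the page, Microsoft or Sentinel's published queries: it walks Entra ID sign-in records, keeps only successful device code grants, and flags those from outside a corporate egress range, from an unexpected country, or outside working hours. The egress range, expected countries and Riyadh working day are placeholder assumptions; the records are constructed, with field names following the Entra ID sign-in log schema (a device authorization grant carries `authenticationProtocol` equal to `deviceCode`).

```python
from datetime import datetime, time, timedelta, timezone
import ipaddress

# Assumed (placeholder) corporate context: TEST-NET-3 as the only egress range,
# GCC countries as expected sign-in origins, and a Riyadh (UTC+3) working day.
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_COUNTRIES = {"SA", "AE"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
LOCAL_TZ = timezone(timedelta(hours=3))

# Constructed sample records; field names follow the Entra ID sign-in log schema.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-14T06:12:00Z", "userPrincipalName": "finance.director@example.com",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T08:00:00Z", "userPrincipalName": "meeting.room.01@example.com",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "SA"},
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T09:30:00Z", "userPrincipalName": "compliance.officer@example.com",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T22:30:00Z", "userPrincipalName": "sysadmin@example.com",
     "ipAddress": "203.0.113.25", "location": {"countryOrRegion": "SA"},
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
]

def device_code_anomalies(record):
    """Reasons a successful device code sign-in looks anomalous; [] if clean or not a device code grant."""
    if record.get("authenticationProtocol") != "deviceCode":
        return []
    if record.get("status", {}).get("errorCode", 0) != 0:
        return []  # only a completed grant yields a usable token; failures are a separate hunt
    reasons = []
    ip = ipaddress.ip_address(record["ipAddress"])
    if not any(ip in net for net in CORPORATE_EGRESS):
        reasons.append("ip outside corporate egress")
    country = record.get("location", {}).get("countryOrRegion")
    if country not in EXPECTED_COUNTRIES:
        reasons.append(f"unexpected country {country}")
    # Sign-in timestamps are UTC; compare against the local working window.
    local = datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00")).astimezone(LOCAL_TZ)
    if not BUSINESS_HOURS[0] <= local.time() <= BUSINESS_HOURS[1]:
        reasons.append("outside business hours")
    return reasons

def triage(records):
    """List (time, user, reasons) for every device code grant with at least one anomaly."""
    return [(r["createdDateTime"], r["userPrincipalName"], reasons)
            for r in records if (reasons := device_code_anomalies(r))]
```

`triage(SAMPLE_SIGNINS)` flags the Netherlands-origin grant and the 01:30 local-time grant, while the interactive OAuth sign-in and the in-hours, in-range grant from the meeting-room account pass untouched.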

Conclusion

EvilToken represents a structural evolution in credential theft: modern phishing no longer targets the password — it targets the authenticated session. For Saudi financial institutions, this is not merely a technology problem. It is a compliance gap. MFA implemented as TOTP or SMS OTP provides near-zero resistance to device code authorization abuse, because the user authenticates successfully and willingly. Organizations that have documented MFA deployment as a closed SAMA CSCC control should treat this campaign as an immediate prompt to re-evaluate whether that control is truly resilient — or merely compliant on paper. Regulators, and attackers, will expose the difference.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment covering identity security, Microsoft Entra ID hardening, and OAuth risk management across your M365 environment.