New Widespread EvilTokens Kit: Device Code Phishing as-a-Service

    Date: 03/31/2026

    Severity: High

    Summary

    EvilTokens is a newly identified phishing-as-a-service (PhaaS) kit that enables large-scale Microsoft device code phishing attacks. It relies on social engineering and has been rapidly adopted by cybercriminals for Adversary-in-the-Middle (AitM) and Business Email Compromise (BEC) operations. Delivered via Telegram bots, the kit offers features such as token harvesting, email harvesting, weaponization, reconnaissance, and AI-driven automation. Its growing adoption and planned expansion to platforms such as Gmail and Okta indicate it is emerging as a significant threat in the phishing and BEC ecosystem.

    Indicators of Compromise (IOC) List

    Domains/URLs

    authdocspro.com

    backdoor-hub.com

    bumpgames.net

    carbatterygurgaon.com

    careldutoit-el.co.za

    dao.com.au

    docusend.networkssolutionmail.com

    eqfit.co.za

    eventcalender-schedule.com

    evobothub.org

    framebound.cloud

    infinitechai.org

    internalmemorecord.bxwancheng.com

    macmamo.com

    mirsanotolastik.com

    mirzanyapi.com

    newmobilepolojean.com

    notificationsmanagersec.com

    pelangiservice.com

    prcservis.com

    promanager.outboundciwidey.com

    serenitygovsupplys.com

    signaturerequired.thecoolcactus.com

    smstltle.net

    statushelper.aguasomos.com

    suctwocesonesstory.com

    thesafarigarden.com

    topbuysella.com

    totalhomesafe.com

    update.youcreadio.cfd

    well.atlantaperlnatal.com

    xlkconsulting.co.za

    yankeepine.co

    youremplregroup.com

    adobe-lar.denise-chxhistory-com-s-account.workers.dev

    docusign-vs4.finance-zltnservices-org-s-account.workers.dev

    onedrive-au8.hayixa9795-pazard-com-s-account.workers.dev

    adobe-b6d.tuwilika-fcsnam-com-s-account.workers.dev

    onedrive-23n.sbutler-stateservice-us-s-account.workers.dev

    onedrive-ac4.ryker-samik-dropmeon-com-s-account.workers.dev

    onedrive-33i.amittal-prodwaresol-com-s-account.workers.dev

    docusign-d0e.admin-treyripple-com-s-account.workers.dev

    adobe-t9r.thomas-gibson-clyde-enq-com-s-account.workers.dev

    onedrive-7fp.davarius-thackery-dropmeon-com-s-account.workers.dev

    adobe-h7l.gregcausey-hyundaicrenshaw-com-s-account.workers.dev

    sharepoint-uo2.angela-warrconstructioninc-onmicrosoft-com-s-account.workers.dev

    onedrive-hea.jhaas-hapnehartmedia-com-s-account.workers.dev

    page-custommmvx6290-9kb.snpfs90-outlook-com-s-account.workers.dev

    index-8ni.shirdav-mail-com-s-account.workers.dev

    docusign-gmx.medea-locallovechs-com-s-account.workers.dev

    index-izk.rifkit-protonmail-com-s-account.workers.dev

    docusign-t0o.accountsreceivable-greens-au-com-s-account.workers.dev

    adobe-7bf.signature-on-invoice-required-mail-com-s-account.workers.dev

    page-voicemail-3i6.ucbqzm9-ucl-ac-uk-s-account.workers.dev

    adobe-y73.letsgo-birdynyc-com-s-account.workers.dev

    onedrive-dsk.cassandra-warholak-ifrma-org-s-account.workers.dev

    docusign-u0p.kevin-domae-ca-s-account.workers.dev

    docusign-a5c.export-cellular-iberia-com-s-account.workers.dev

    docusign-14g.jhipolito-arrow-food-com-s-account.workers.dev

    adobe-qi2.pm-pdgrealty-proton-me-s-account.workers.dev

    adobe-8dt.ishaan-zvi-dropmeon-com-s-account.workers.dev

    adobe-of6.hayixa9795-pazard-com-s-account.workers.dev

    docusign-ffp.garciarodriguezt-student-wpunj-edu-s-account.workers.dev

    docusign-y8l.accountant-fitfranchisebrands-com-s-account.workers.dev

    adobe-mxg.snpfs90-outlook-com-s-account.workers.dev

    index-ap3.tyler2miler-proton-me-s-account.workers.dev

    adobe-yzz.ejkim-gsglobalusa-us-s-account.workers.dev

    docusign-520.mike-maplecityglass-net-s-account.workers.dev

    voicemail-l1b.thomas-gibson-clyde-enq-com-s-account.workers.dev

    docusign-ac3.christina-parsons-charter-comm-com-s-account.workers.dev

    docusign-o4x.bhc-credit-services-edl-bayreer-com-s-account.workers.dev

    onedrive-4um.accounting-malitzconstructioninc-co-s-account.workers.dev

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "backdoor-hub.com" or siteurl like "backdoor-hub.com" or url like "backdoor-hub.com" or domainname like "onedrive-dsk.cassandra-warholak-ifrma-org-s-account.workers.dev" or siteurl like "onedrive-dsk.cassandra-warholak-ifrma-org-s-account.workers.dev" or url like "onedrive-dsk.cassandra-warholak-ifrma-org-s-account.workers.dev" or domainname like "adobe-of6.hayixa9795-pazard-com-s-account.workers.dev" or siteurl like "adobe-of6.hayixa9795-pazard-com-s-account.workers.dev" or url like "adobe-of6.hayixa9795-pazard-com-s-account.workers.dev" or domainname like "docusign-t0o.accountsreceivable-greens-au-com-s-account.workers.dev" or siteurl like "docusign-t0o.accountsreceivable-greens-au-com-s-account.workers.dev" or url like "docusign-t0o.accountsreceivable-greens-au-com-s-account.workers.dev" or domainname like "onedrive-33i.amittal-prodwaresol-com-s-account.workers.dev" or siteurl like "onedrive-33i.amittal-prodwaresol-com-s-account.workers.dev" or url like "onedrive-33i.amittal-prodwaresol-com-s-account.workers.dev" or domainname like "eventcalender-schedule.com" or siteurl like "eventcalender-schedule.com" or url like "eventcalender-schedule.com" or domainname like "careldutoit-el.co.za" or siteurl like "careldutoit-el.co.za" or url like "careldutoit-el.co.za" or domainname like "update.youcreadio.cfd" or siteurl like "update.youcreadio.cfd" or url like "update.youcreadio.cfd" or domainname like "xlkconsulting.co.za" or siteurl like "xlkconsulting.co.za" or url like "xlkconsulting.co.za" or domainname like "onedrive-au8.hayixa9795-pazard-com-s-account.workers.dev" or siteurl like "onedrive-au8.hayixa9795-pazard-com-s-account.workers.dev" or url like "onedrive-au8.hayixa9795-pazard-com-s-account.workers.dev" or domainname like "adobe-y73.letsgo-birdynyc-com-s-account.workers.dev" or siteurl like "adobe-y73.letsgo-birdynyc-com-s-account.workers.dev" or url like "adobe-y73.letsgo-birdynyc-com-s-account.workers.dev" or domainname like "mirzanyapi.com" or siteurl like "mirzanyapi.com" or url like "mirzanyapi.com" or domainname like "infinitechai.org" or siteurl like "infinitechai.org" or url like "infinitechai.org" or domainname like "carbatterygurgaon.com" or siteurl like "carbatterygurgaon.com" or url like "carbatterygurgaon.com" or domainname like "adobe-b6d.tuwilika-fcsnam-com-s-account.workers.dev" or siteurl like "adobe-b6d.tuwilika-fcsnam-com-s-account.workers.dev" or url like "adobe-b6d.tuwilika-fcsnam-com-s-account.workers.dev" or domainname like "page-voicemail-3i6.ucbqzm9-ucl-ac-uk-s-account.workers.dev" or siteurl like "page-voicemail-3i6.ucbqzm9-ucl-ac-uk-s-account.workers.dev" or url like "page-voicemail-3i6.ucbqzm9-ucl-ac-uk-s-account.workers.dev" or domainname like "evobothub.org" or siteurl like "evobothub.org" or url like "evobothub.org" or domainname like "docusign-y8l.accountant-fitfranchisebrands-com-s-account.workers.dev" or siteurl like "docusign-y8l.accountant-fitfranchisebrands-com-s-account.workers.dev" or url like "docusign-y8l.accountant-fitfranchisebrands-com-s-account.workers.dev" or domainname like "smstltle.net" or siteurl like "smstltle.net" or url like "smstltle.net" or domainname like "docusign-520.mike-maplecityglass-net-s-account.workers.dev" or siteurl like "docusign-520.mike-maplecityglass-net-s-account.workers.dev" or url like "docusign-520.mike-maplecityglass-net-s-account.workers.dev" or domainname like "adobe-lar.denise-chxhistory-com-s-account.workers.dev" or siteurl like "adobe-lar.denise-chxhistory-com-s-account.workers.dev" or url like "adobe-lar.denise-chxhistory-com-s-account.workers.dev" or domainname like "pelangiservice.com" or siteurl like "pelangiservice.com" or url like "pelangiservice.com" or domainname like "suctwocesonesstory.com" or siteurl like "suctwocesonesstory.com" or url like "suctwocesonesstory.com" or domainname like "adobe-8dt.ishaan-zvi-dropmeon-com-s-account.workers.dev" or siteurl like "adobe-8dt.ishaan-zvi-dropmeon-com-s-account.workers.dev" or url like "adobe-8dt.ishaan-zvi-dropmeon-com-s-account.workers.dev"

    Detection Query 2:

    domainname like "well.atlantaperlnatal.com" or siteurl like "well.atlantaperlnatal.com" or url like "well.atlantaperlnatal.com" or domainname like "authdocspro.com" or siteurl like "authdocspro.com" or url like "authdocspro.com" or domainname like "docusign-u0p.kevin-domae-ca-s-account.workers.dev" or siteurl like "docusign-u0p.kevin-domae-ca-s-account.workers.dev" or url like "docusign-u0p.kevin-domae-ca-s-account.workers.dev" or domainname like "framebound.cloud" or siteurl like "framebound.cloud" or url like "framebound.cloud" or domainname like "index-ap3.tyler2miler-proton-me-s-account.workers.dev" or siteurl like "index-ap3.tyler2miler-proton-me-s-account.workers.dev" or url like "index-ap3.tyler2miler-proton-me-s-account.workers.dev" or domainname like "bumpgames.net" or siteurl like "bumpgames.net" or url like "bumpgames.net" or domainname like "dao.com.au" or siteurl like "dao.com.au" or url like "dao.com.au" or domainname like "docusend.networkssolutionmail.com" or siteurl like "docusend.networkssolutionmail.com" or url like "docusend.networkssolutionmail.com" or domainname like "eqfit.co.za" or siteurl like "eqfit.co.za" or url like "eqfit.co.za" or domainname like "internalmemorecord.bxwancheng.com" or siteurl like "internalmemorecord.bxwancheng.com" or url like "internalmemorecord.bxwancheng.com" or domainname like "macmamo.com" or siteurl like "macmamo.com" or url like "macmamo.com" or domainname like "mirsanotolastik.com" or siteurl like "mirsanotolastik.com" or url like "mirsanotolastik.com" or domainname like "newmobilepolojean.com" or siteurl like "newmobilepolojean.com" or url like "newmobilepolojean.com" or domainname like "notificationsmanagersec.com" or siteurl like "notificationsmanagersec.com" or url like "notificationsmanagersec.com" or domainname like "prcservis.com" or siteurl like "prcservis.com" or url like "prcservis.com" or domainname like "promanager.outboundciwidey.com" or siteurl like "promanager.outboundciwidey.com" or url like "promanager.outboundciwidey.com" or domainname like "serenitygovsupplys.com" or siteurl like "serenitygovsupplys.com" or url like "serenitygovsupplys.com" or domainname like "signaturerequired.thecoolcactus.com" or siteurl like "signaturerequired.thecoolcactus.com" or url like "signaturerequired.thecoolcactus.com" or domainname like "statushelper.aguasomos.com" or siteurl like "statushelper.aguasomos.com" or url like "statushelper.aguasomos.com" or domainname like "thesafarigarden.com" or siteurl like "thesafarigarden.com" or url like "thesafarigarden.com" or domainname like "topbuysella.com" or siteurl like "topbuysella.com" or url like "topbuysella.com" or domainname like "totalhomesafe.com" or siteurl like "totalhomesafe.com" or url like "totalhomesafe.com" or domainname like "yankeepine.co" or siteurl like "yankeepine.co" or url like "yankeepine.co" or domainname like "youremplregroup.com" or siteurl like "youremplregroup.com" or url like "youremplregroup.com" or domainname like "docusign-vs4.finance-zltnservices-org-s-account.workers.dev" or siteurl like "docusign-vs4.finance-zltnservices-org-s-account.workers.dev" or url like "docusign-vs4.finance-zltnservices-org-s-account.workers.dev" or domainname like "onedrive-23n.sbutler-stateservice-us-s-account.workers.dev" or siteurl like "onedrive-23n.sbutler-stateservice-us-s-account.workers.dev" or url like "onedrive-23n.sbutler-stateservice-us-s-account.workers.dev" or domainname like "onedrive-ac4.ryker-samik-dropmeon-com-s-account.workers.dev" or siteurl like "onedrive-ac4.ryker-samik-dropmeon-com-s-account.workers.dev" or url like "onedrive-ac4.ryker-samik-dropmeon-com-s-account.workers.dev" or domainname like "docusign-d0e.admin-treyripple-com-s-account.workers.dev" or siteurl like "docusign-d0e.admin-treyripple-com-s-account.workers.dev" or url like "docusign-d0e.admin-treyripple-com-s-account.workers.dev" or domainname like "adobe-t9r.thomas-gibson-clyde-enq-com-s-account.workers.dev" or siteurl like "adobe-t9r.thomas-gibson-clyde-enq-com-s-account.workers.dev" or url like "adobe-t9r.thomas-gibson-clyde-enq-com-s-account.workers.dev"

    Detection Query 3:

    domainname like "onedrive-7fp.davarius-thackery-dropmeon-com-s-account.workers.dev" or siteurl like "onedrive-7fp.davarius-thackery-dropmeon-com-s-account.workers.dev" or url like "onedrive-7fp.davarius-thackery-dropmeon-com-s-account.workers.dev" or domainname like "adobe-h7l.gregcausey-hyundaicrenshaw-com-s-account.workers.dev" or siteurl like "adobe-h7l.gregcausey-hyundaicrenshaw-com-s-account.workers.dev" or url like "adobe-h7l.gregcausey-hyundaicrenshaw-com-s-account.workers.dev" or domainname like "sharepoint-uo2.angela-warrconstructioninc-onmicrosoft-com-s-account.workers.dev" or siteurl like "sharepoint-uo2.angela-warrconstructioninc-onmicrosoft-com-s-account.workers.dev" or url like "sharepoint-uo2.angela-warrconstructioninc-onmicrosoft-com-s-account.workers.dev" or domainname like "onedrive-hea.jhaas-hapnehartmedia-com-s-account.workers.dev" or siteurl like "onedrive-hea.jhaas-hapnehartmedia-com-s-account.workers.dev" or url like "onedrive-hea.jhaas-hapnehartmedia-com-s-account.workers.dev" or domainname like "page-custommmvx6290-9kb.snpfs90-outlook-com-s-account.workers.dev" or siteurl like "page-custommmvx6290-9kb.snpfs90-outlook-com-s-account.workers.dev" or url like "page-custommmvx6290-9kb.snpfs90-outlook-com-s-account.workers.dev" or domainname like "index-8ni.shirdav-mail-com-s-account.workers.dev" or siteurl like "index-8ni.shirdav-mail-com-s-account.workers.dev" or url like "index-8ni.shirdav-mail-com-s-account.workers.dev" or domainname like "docusign-gmx.medea-locallovechs-com-s-account.workers.dev" or siteurl like "docusign-gmx.medea-locallovechs-com-s-account.workers.dev" or url like "docusign-gmx.medea-locallovechs-com-s-account.workers.dev" or domainname like "index-izk.rifkit-protonmail-com-s-account.workers.dev" or siteurl like "index-izk.rifkit-protonmail-com-s-account.workers.dev" or url like "index-izk.rifkit-protonmail-com-s-account.workers.dev" or domainname like "adobe-7bf.signature-on-invoice-required-mail-com-s-account.workers.dev" or siteurl like "adobe-7bf.signature-on-invoice-required-mail-com-s-account.workers.dev" or url like "adobe-7bf.signature-on-invoice-required-mail-com-s-account.workers.dev" or domainname like "docusign-a5c.export-cellular-iberia-com-s-account.workers.dev" or siteurl like "docusign-a5c.export-cellular-iberia-com-s-account.workers.dev" or url like "docusign-a5c.export-cellular-iberia-com-s-account.workers.dev" or domainname like "docusign-14g.jhipolito-arrow-food-com-s-account.workers.dev" or siteurl like "docusign-14g.jhipolito-arrow-food-com-s-account.workers.dev" or url like "docusign-14g.jhipolito-arrow-food-com-s-account.workers.dev" or domainname like "adobe-qi2.pm-pdgrealty-proton-me-s-account.workers.dev" or siteurl like "adobe-qi2.pm-pdgrealty-proton-me-s-account.workers.dev" or url like "adobe-qi2.pm-pdgrealty-proton-me-s-account.workers.dev" or domainname like "docusign-ffp.garciarodriguezt-student-wpunj-edu-s-account.workers.dev" or siteurl like "docusign-ffp.garciarodriguezt-student-wpunj-edu-s-account.workers.dev" or url like "docusign-ffp.garciarodriguezt-student-wpunj-edu-s-account.workers.dev" or domainname like "adobe-mxg.snpfs90-outlook-com-s-account.workers.dev" or siteurl like "adobe-mxg.snpfs90-outlook-com-s-account.workers.dev" or url like "adobe-mxg.snpfs90-outlook-com-s-account.workers.dev" or domainname like "adobe-yzz.ejkim-gsglobalusa-us-s-account.workers.dev" or siteurl like "adobe-yzz.ejkim-gsglobalusa-us-s-account.workers.dev" or url like "adobe-yzz.ejkim-gsglobalusa-us-s-account.workers.dev" or domainname like "voicemail-l1b.thomas-gibson-clyde-enq-com-s-account.workers.dev" or siteurl like "voicemail-l1b.thomas-gibson-clyde-enq-com-s-account.workers.dev" or url like "voicemail-l1b.thomas-gibson-clyde-enq-com-s-account.workers.dev" or domainname like "docusign-ac3.christina-parsons-charter-comm-com-s-account.workers.dev" or siteurl like "docusign-ac3.christina-parsons-charter-comm-com-s-account.workers.dev" or url like "docusign-ac3.christina-parsons-charter-comm-com-s-account.workers.dev" or domainname like "docusign-o4x.bhc-credit-services-edl-bayreer-com-s-account.workers.dev" or siteurl like "docusign-o4x.bhc-credit-services-edl-bayreer-com-s-account.workers.dev" or url like "docusign-o4x.bhc-credit-services-edl-bayreer-com-s-account.workers.dev" or domainname like "onedrive-4um.accounting-malitzconstructioninc-co-s-account.workers.dev" or siteurl like "onedrive-4um.accounting-malitzconstructioninc-co-s-account.workers.dev" or url like "onedrive-4um.accounting-malitzconstructioninc-co-s-account.workers.dev"
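    The three TDIR queries above are hand-assembled OR-chains of the same three field checks per IOC, which is where the slips a reviewer has to hunt for (a misspelled field name, a duplicated or dropped clause) creep in. The added example below is not Gurucul's or Sekoia's code; it generates that query shape from the IOC list instead of typing it, and separately runs a hostname matcher over a few constructed proxy-log lines. Assumptions: the log format (timestamp, user, URL) and the field names domainname/siteurl/url are taken as given; only a subset of the advisory's domains is embedded; and matching is done on the exact host or a subdomain of an IOC, not by substring, so an unrelated host that merely contains an IOC as text (e.g. a longer name ending in the same letters) does not fire.

```python
"""Added example (not the advisory's own code): build the TDIR-style query
from the IOC list and match proxy-log hostnames against it."""
from typing import Iterable, List, Optional, Dict
from urllib.parse import urlsplit

# Subset of the advisory's Domains/URLs IOC list (the full list is above).
EVILTOKENS_IOCS = {
    "backdoor-hub.com",
    "dao.com.au",
    "update.youcreadio.cfd",
    "onedrive-dsk.cassandra-warholak-ifrma-org-s-account.workers.dev",
    "docusign-t0o.accountsreceivable-greens-au-com-s-account.workers.dev",
}

# Field names as used in the advisory's queries; the order is the same.
QUERY_FIELDS = ("domainname", "siteurl", "url")


def build_query(iocs: Iterable[str], fields=QUERY_FIELDS) -> str:
    """Emit the same OR-chain the advisory uses, one clause per field per IOC.
    Generating it avoids the hand-editing errors a long chain invites."""
    clauses = [f'{field} like "{ioc}"'
               for ioc in sorted(set(iocs)) for field in fields]
    return " or ".join(clauses)


def hostname_from(value: str) -> str:
    """Lower-cased hostname from a full URL or a bare domain (port/path dropped)."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # lets urlsplit treat a bare 'host/path' as a netloc
    return (urlsplit(v).hostname or "").rstrip(".")


def matches_ioc(value: str, iocs=EVILTOKENS_IOCS) -> Optional[str]:
    """Return the IOC that the host equals or is a subdomain of, else None.
    Walks the label suffixes so 'www.dao.com.au' hits 'dao.com.au' while
    'notdao.com.au' does not (a substring check would fire on both)."""
    host = hostname_from(value)
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed sample proxy records: timestamp, user, requested URL.
SAMPLE_LOGS = [
    "2026-03-31T09:12:01Z alice https://www.example.com/",
    "2026-03-31T09:12:44Z alice https://onedrive-dsk.cassandra-warholak-ifrma-org-s-account.workers.dev/review",
    "2026-03-31T09:15:10Z bob   http://www.dao.com.au/invoice.html",
    "2026-03-31T09:16:02Z carol https://notdao.com.au/",
    "2026-03-31T09:17:30Z dave  https://update.youcreadio.cfd:8443/x?u=1",
]


def scan(lines: Iterable[str], iocs=EVILTOKENS_IOCS) -> List[Dict[str, str]]:
    """Run the matcher over log lines and return one hit record per match."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed record; skip rather than guess fields
        ts, user, url = parts[0], parts[1], parts[-1]
        ioc = matches_ioc(url, iocs)
        if ioc:
            hits.append({"time": ts, "user": user, "url": url, "ioc": ioc})
    return hits


if __name__ == "__main__":
    print(build_query(EVILTOKENS_IOCS))
    for hit in scan(SAMPLE_LOGS):
        print(f'{hit["time"]} {hit["user"]} -> {hit["ioc"]}')
```

    Dropping the full IOC list from this page into EVILTOKENS_IOCS and feeding real proxy or DNS records into scan() is all that is needed to reuse it; the generated query string can be pasted into the TDIR console in place of a hand-typed chain. On a real deployment, matching both the request host and any referrer, and alerting on the user rather than only the URL, makes the follow-up (token revocation, session review) faster.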

    Reference:

    https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/

    Tags

    Malware, Phishing, AiTM, Microsoft, Telegram, Email Harvesting, AI, Social Engineering, PhaaS
