Two-factor authentication has long been regarded as one of the most effective ways of protecting accounts. However, the latest phishing campaigns show that even this layer of security may prove insufficient if a user is tricked into authorising a cybercriminal’s session.
ESET analysts are warning about the EvilTokens tool, which operates on a ‘phishing-as-a-service’ model. This means that even people without advanced technical knowledge can purchase and use a ready-made kit to carry out attacks. The tool appeared on Telegram channels in early 2026 and was quickly used in a campaign targeting over 340 organisations across several countries. Microsoft has also described an AI-powered variant of this attack, in which device codes and personalised messages were automatically generated to increase the effectiveness of the phishing campaign.
The attack exploits a legitimate Microsoft 365 login mechanism: the OAuth 2.0 device authorisation flow (RFC 8628), which exists so that devices without a browser or keyboard, such as printers, TVs or conference-room hardware, can sign in by showing a short code that the user types on another device. The victim receives a message resembling an invitation to a document, an invoice or a request for access to SharePoint resources. Upon clicking the link, they are redirected to a genuine Microsoft page at microsoft.com/devicelogin and asked to enter a short code. The problem is that the code was generated when the attacker's own client started the flow and is bound to that client's pending session; the page has no way of showing the user whose session they are about to approve. Once the user enters the code, signs in and confirms two-factor authentication, the authorisation server issues the access and refresh tokens to the attacker's client, not to anything the user controls. The attacker does not need the victim's password and does not need to defeat the second factor: the victim supplies both on a genuine page.
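The exchange described above, reduced to a toy in-memory authorisation server so the three steps can be read side by side. This is an added illustration of the RFC 8628 flow, not Microsoft's implementation and not code from the EvilTokens kit; the class and method names, the 15-minute code lifetime, the fixed clock and the "attacker-public-client" identifier are assumptions made for the example. The point it makes is that the `user_code` is the only thing the victim ever sees, while the `device_code` that actually redeems the tokens never leaves the attacker.

```python
import secrets
import string
import time

# Assumed values for the example; real lifetimes and intervals are set by
# the identity provider (RFC 8628 leaves them to the server).
CODE_LIFETIME = 15 * 60      # seconds until device_code/user_code expire
POLL_INTERVAL = 5            # minimum seconds between token polls
VERIFICATION_URI = "https://microsoft.com/devicelogin"


class AuthorizationServer:
    """Minimal model of the device authorisation grant (RFC 8628)."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so expiry can be exercised deterministically
        self._grants = {}         # device_code -> grant record

    def device_authorization(self, client_id, scope):
        """Step 1: the CLIENT (here the attacker's tool) starts the flow and
        receives both codes. Only user_code is shown to a human."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self._grants[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "status": "pending", "expires_at": self.clock() + CODE_LIFETIME,
            "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def _find_by_user_code(self, user_code):
        for grant in self._grants.values():
            if grant["user_code"] == user_code:
                return grant
        return None

    def approve_user_code(self, user_code, username, mfa_passed):
        """Step 2: the USER types the code on the genuine page and passes MFA.
        Nothing here tells the server (or the user) who requested the code;
        approval binds the user's account to whoever holds device_code."""
        grant = self._find_by_user_code(user_code)
        if grant is None or self.clock() > grant["expires_at"]:
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_required"
        grant["status"] = "approved"
        grant["approved_by"] = username
        return f"approved {grant['client_id']} for {username}"

    def token(self, device_code):
        """Step 3: whoever holds device_code polls the token endpoint and,
        once the grant is approved, receives tokens for the approving user."""
        grant = self._grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if self.clock() > grant["expires_at"]:
            return {"error": "expired_token"}
        if grant["status"] != "approved":
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer",
                "access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16),
                "scope": grant["scope"], "subject": grant["approved_by"]}


def phishing_scenario(victim="victim@example.com", victim_enters_code=True):
    """Runs the flow end to end with a fixed clock and returns what each side
    ends up holding. With victim_enters_code=False the lure is ignored until
    the code expires, which is the attacker's main time pressure."""
    now = [1_700_000_000.0]
    server = AuthorizationServer(clock=lambda: now[0])
    attacker = server.device_authorization(
        client_id="attacker-public-client", scope="Mail.Read Files.Read")
    first_poll = server.token(attacker["device_code"])           # still pending
    if victim_enters_code:
        now[0] += 120                                             # victim reads the lure
    else:
        now[0] += CODE_LIFETIME + 1                               # lure ignored too long
    outcome = server.approve_user_code(attacker["user_code"], victim, mfa_passed=True)
    second_poll = server.token(attacker["device_code"])
    return {"first_poll": first_poll, "victim_outcome": outcome,
            "attacker_tokens": second_poll}


if __name__ == "__main__":
    import json
    print(json.dumps(phishing_scenario(), indent=2))
    print(json.dumps(phishing_scenario(victim_enters_code=False), indent=2))
```

The `subject` in the attacker's token response is the victim's identity, even though the victim's browser never communicated with the attacker. The expiry branch is worth noting for defenders: the lure, the code entry and the approval all have to happen within one short window, which is why these campaigns lean on urgent-sounding invitations.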
“EvilTokens eliminates the warning signs we’ve learnt to recognise over the years. There’s no suspicious domain with a typo or a fake form, because the login page is genuine. From the victim’s perspective, the entire authentication process looks exactly as it should. This attack also undermines the sense of security provided by two-factor authentication. This second layer of protection is more important today than ever, but it won’t work if the victim personally approves an unauthorised session. Here, the criminals aren’t bypassing 2FA with any technical trick; they’re simply persuading the victim to complete this step for them,” comments Kamil Sadkowski, a cybersecurity analyst at ESET.
Once they have taken over the session, cybercriminals can gain access to Outlook email, files on OneDrive, the Teams messaging app or SharePoint resources. This, in turn, paves the way for data theft or Business Email Compromise attacks, which involve using the compromised corporate email account to carry out further fraud.
Experts emphasise that organisations should restrict the ability to log in using device codes where it is not essential (in Microsoft Entra ID the device code flow can be blocked for most users with a Conditional Access policy on authentication flows, leaving an exception only for the accounts and devices that genuinely need it), monitor for device-code sign-ins that come from unfamiliar clients or locations, and pay closer attention to the context of each authorisation request.
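A small triage pass of the kind the monitoring advice above calls for, as an added example that is not ESET's or Microsoft's code. It reads Microsoft Entra ID sign-in records (the field names `authenticationProtocol`, `appDisplayName`, `userPrincipalName`, `ipAddress` and `location.countryOrRegion` follow the Microsoft Graph `signIn` resource; the records themselves are constructed for the example), keeps only sign-ins made through the device code protocol, and flags those whose client application is not on an assumed allowlist of approved device-code clients or whose country differs from the user's usual interactive sign-in country.

```python
import json
from collections import Counter, defaultdict

# Constructed newline-delimited JSON in the shape of Microsoft Graph signIn
# records, trimmed to the fields used here. Not real log data.
SAMPLE_LOG = """
{"id":"s0","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"none","ipAddress":"203.0.113.12","location":{"countryOrRegion":"PL"},"createdDateTime":"2026-02-03T07:50:00Z"}
{"id":"s1","userPrincipalName":"anna@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"none","ipAddress":"203.0.113.10","location":{"countryOrRegion":"PL"},"createdDateTime":"2026-02-03T08:01:00Z"}
{"id":"s2","userPrincipalName":"anna@example.com","appDisplayName":"Outlook Web","authenticationProtocol":"none","ipAddress":"203.0.113.10","location":{"countryOrRegion":"PL"},"createdDateTime":"2026-02-03T08:05:00Z"}
{"id":"s3","userPrincipalName":"lobby-display@example.com","appDisplayName":"Conference Room Sign-in","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.20","location":{"countryOrRegion":"PL"},"createdDateTime":"2026-02-03T09:00:00Z"}
{"id":"s4","userPrincipalName":"anna@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"createdDateTime":"2026-02-03T10:12:00Z"}
{"id":"s5","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.31","location":{"countryOrRegion":"PL"},"createdDateTime":"2026-02-03T11:40:00Z"}
"""

# Assumed allowlist: the only applications this tenant expects to sign in
# through the device code flow (headless or shared devices).
KNOWN_DEVICE_CODE_APPS = {"Conference Room Sign-in"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def interactive_baseline(records):
    """Most common sign-in country per user, computed from non-device-code
    sign-ins only so that a phished device-code sign-in cannot poison it."""
    seen = defaultdict(Counter)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]][r["location"]["countryOrRegion"]] += 1
    return {user: counts.most_common(1)[0][0] for user, counts in seen.items()}


def triage_device_code(records, allowlist=KNOWN_DEVICE_CODE_APPS):
    """Return one finding per suspicious device-code sign-in, in log order."""
    baseline = interactive_baseline(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        app = r.get("appDisplayName")
        if app in allowlist:
            continue                      # expected device-code client, skip
        user = r["userPrincipalName"]
        reasons = [f"app '{app}' is not an approved device-code client"]
        home = baseline.get(user)
        country = r["location"]["countryOrRegion"]
        if home is None:
            reasons.append("no interactive sign-in history to compare against")
        elif country != home:
            reasons.append(f"sign-in country {country} differs from usual {home}")
        findings.append({
            "id": r["id"], "user": user, "app": app, "ip": r["ipAddress"],
            "time": r["createdDateTime"],
            "severity": "high" if len(reasons) >= 2 else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage_device_code(parse_signins(SAMPLE_LOG)):
        print(f["severity"].upper(), f["id"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Against the sample, the conference-room account is ignored, anna's device-code sign-in from an unfamiliar country through a non-approved client is rated high, and bob's is rated medium because only the client is unexpected. In practice the allowlist would be keyed on the application ID rather than the display name, and the country baseline is a coarse signal; the point is that a device-code sign-in by a user who normally signs in interactively through a browser is itself worth a look.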
“Context is key here. Before approving any login, it is worth checking which application is requesting access and which account the request relates to. Being redirected to a genuine Microsoft website does not in itself guarantee that the request is secure. Therefore, any unexpected request to enter a device code should be treated as suspicious and reported to the IT or security department,” says Kamil Sadkowski, a cybersecurity analyst at ESET.
