“EvilTokens” Turns BEC into an AI-Driven Assembly Line - Microsoft 365 Under Siege
A new phishing-as-a-service platform industrializes business email compromise with stolen tokens, automation, and AI.
In the shadowy corners of Telegram, a new cybercrime factory is churning out business email compromise (BEC) attacks with unprecedented speed and precision. Dubbed “EvilTokens,” this Phishing-as-a-Service (PhaaS) operation isn’t just selling phishing kits - it’s weaponizing stolen Microsoft 365 tokens and artificial intelligence to democratize BEC for even the least sophisticated criminals. The result? A conveyor belt of AI-crafted scams targeting organizations worldwide, all at the click of a button.
The BEC Factory Floor: How EvilTokens Works
EvilTokens is not your average phishing kit. Its ecosystem is a slick, almost corporate operation: a main Telegram account handles support, while bots coordinate payments, affiliate management, and landing page deployment. For a few hundred to a couple thousand dollars, aspiring attackers can buy a “B2B sender,” an “Office 365 capture link” (the main phishing kit), or an SMTP sender.
The real innovation lies in the “Portal Browser” (also called “ET Browser”), a specialized tool that lets criminals open and control dozens of Microsoft 365 accounts simultaneously using stolen OAuth access and refresh tokens. This isn’t just about logging in - it’s about maintaining persistent, automated access to email, files, and even Teams chats. Because those tokens were issued after the victim had already completed sign-in, MFA included, the attacker never needs the password or a second factor, and as long as the refresh token stays valid it can keep minting fresh access tokens.
The chain starts with device-code phishing: the lure asks the victim to enter a short code at Microsoft’s genuine device-login page, and the moment they sign in there, MFA included, Microsoft issues the resulting access and refresh tokens to the attacker’s waiting client. EvilTokens’ backend then uses the captured refresh token to obtain access tokens with the broadest scopes it can, and drives Microsoft’s Graph API to map out the victim’s digital terrain: mailbox rules, financial folders, org charts, and more. This intelligence is piped into a custom AI analysis chain. The first stage ingests thousands of emails to flag financial risks and key contacts. The second stage, powered by a larger language model, synthesizes this data into risk reports and drafts three custom BEC lures - ready to be fired off from the compromised account. Non-English emails? No problem; the AI auto-translates them into English, erasing language barriers for global attackers.
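To make the device-code step concrete, here is a simplified model of the OAuth 2.0 device authorization grant (RFC 8628) that this kind of phishing abuses. It is an added example written for this page, not EvilTokens code and not Microsoft’s implementation: a toy identity provider stands in for the /devicecode and /token endpoints, and the victim address, client ID, scopes, lifetimes and token strings are all made up. The real Microsoft endpoint URLs appear only as constants for orientation; nothing here talks to them.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).
Added example; endpoints, codes and tokens are constructed, not real."""
import secrets
import time

# Microsoft's real endpoints, for orientation only; never contacted here.
DEVICECODE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
CODE_LIFETIME_S = 900  # assumption: device codes live 15 minutes


class DeviceFlowIdP:
    """Identity provider keeping per-device-code state in memory."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}       # device_code -> state
        self.by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: the requesting client (the attacker's) gets a code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "user": None,
                                     "expires": self.clock() + CODE_LIFETIME_S}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": CODE_LIFETIME_S, "interval": 5}

    def user_authorize(self, user_code, user, mfa_satisfied):
        """Step 2: the victim types the phished code on the genuine login page
        and authenticates there, MFA included. The attacker sees no password."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        entry = self.pending[device_code]
        if self.clock() > entry["expires"]:
            return "expired"
        if not mfa_satisfied:
            return "mfa_required"
        entry["user"] = user
        return "ok"

    def token(self, grant_type, device_code, client_id):
        """Step 3: the requesting client polls; once the victim has approved,
        the victim's tokens are issued to that client, whoever runs it."""
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        entry = self.pending.get(device_code)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() > entry["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer", "scope": entry["scope"], "expires_in": 3600,
                "access_token": f"at.{entry['user']}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{entry['user']}.{secrets.token_hex(8)}"}


def run_phish(victim_completes=True, mfa_satisfied=True, delay_s=0):
    """Walk the flow end to end and return the attacker's final token response."""
    now = [1_700_000_000.0]
    idp = DeviceFlowIdP(clock=lambda: now[0])
    attacker_client = "attacker-polling-client"  # constructed name
    # 1. attacker requests codes and puts user_code in the lure
    dc = idp.device_authorization(attacker_client, "openid offline_access Mail.ReadWrite")
    first = idp.token(DEVICE_CODE_GRANT, dc["device_code"], attacker_client)
    assert first == {"error": "authorization_pending"}  # nothing yet
    now[0] += delay_s
    if victim_completes:
        # 2. victim enters the code at microsoft.com/devicelogin and passes MFA
        idp.user_authorize(dc["user_code"], "victim@contoso.example", mfa_satisfied)
    # 3. attacker's next poll
    return idp.token(DEVICE_CODE_GRANT, dc["device_code"], attacker_client)


if __name__ == "__main__":
    print(run_phish())
```

The point is in the third step: the victim does everything on the genuine login page, including MFA, yet the tokens go back to whichever client requested the device code. That is why the attacker never needs the password or the second factor, and why the only things that break the flow here are the victim not finishing, MFA not being satisfied, or the code expiring.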
All results, including fresh tokens and one-click browser access, are delivered to attackers via Telegram, turning what was once a manual, time-consuming crime into a near-instant, assembly-line process. According to Sekoia’s Threat Detection & Research team, EvilTokens is the first PhaaS to fully integrate AI-driven post-compromise tooling, signaling a shift in the BEC threat landscape.
What’s Next for Defenders?
With EvilTokens, the skill barrier for launching sophisticated BEC attacks is lower than ever. Security teams can expect smarter, faster, and more convincing scams - crafted at industrial scale. The practical answers are not new, but they are now urgent. Block the device code flow with a Conditional Access policy (the “authentication flows” condition) for everyone who does not need it, and alert on any successful sign-in whose authentication protocol is device code. When compromise is suspected, revoke the user’s sign-in sessions explicitly so every refresh token is invalidated, not just a password reset; access tokens already issued stay valid until they expire, typically about an hour, so hunt in that window too. Watch Microsoft Graph activity for unfamiliar clients enumerating mailbox rules, folders and contacts, and audit inbox rules that forward, redirect or delete mail. As cybercrime syndicates embrace AI, defenders are racing to catch up.
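As an added example of the monitoring the paragraph calls for (written for this page, not Sekoia’s or Microsoft’s detection content), the following Python runs three checks over a few constructed records shaped like Entra ID sign-in logs, Microsoft Graph activity logs and Exchange Online audit records: successful device-code sign-ins, a burst of mailbox and org enumeration through Graph within 30 minutes of such a sign-in, and inbox rules that forward, redirect or delete mail. Field names are trimmed to what the checks need, the 30-minute window, the three-path threshold and the `EXPECTED_DEVICE_CODE_USERS` allowlist are assumptions, and every record is hand-made.

```python
"""Three detections for the post-compromise pattern described on this page,
run over constructed sample records. Added example, not vendor content."""
from datetime import datetime, timedelta

# --- constructed sample records (not real logs) -----------------------------
# Entra ID sign-in rows (subset of the Graph signIn schema).
SIGNINS = [
    {"createdDateTime": "2025-04-02T08:05:00Z", "userPrincipalName": "cfo@contoso.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.7", "errorCode": 0},
    {"createdDateTime": "2025-04-02T08:10:00Z", "userPrincipalName": "cfo@contoso.example",
     "authenticationProtocol": "none", "appDisplayName": "Outlook",
     "ipAddress": "192.0.2.10", "errorCode": 0},
    {"createdDateTime": "2025-04-02T09:00:00Z", "userPrincipalName": "dev@contoso.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "198.51.100.4", "errorCode": 0},
]
# Microsoft Graph activity rows (subset; userPrincipalName joined in for brevity).
GRAPH = [
    {"timestamp": "2025-04-02T08:06:10Z", "userPrincipalName": "cfo@contoso.example",
     "requestUri": "https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messageRules"},
    {"timestamp": "2025-04-02T08:07:02Z", "userPrincipalName": "cfo@contoso.example",
     "requestUri": "https://graph.microsoft.com/v1.0/me/mailFolders?$top=250"},
    {"timestamp": "2025-04-02T08:08:40Z", "userPrincipalName": "cfo@contoso.example",
     "requestUri": 'https://graph.microsoft.com/v1.0/me/messages?$search="invoice"&$top=500'},
    {"timestamp": "2025-04-02T08:09:15Z", "userPrincipalName": "cfo@contoso.example",
     "requestUri": "https://graph.microsoft.com/v1.0/me/contacts?$top=500"},
    {"timestamp": "2025-04-02T09:02:00Z", "userPrincipalName": "dev@contoso.example",
     "requestUri": "https://graph.microsoft.com/v1.0/me"},
]
# Exchange Online audit records as exported from the unified audit log.
AUDIT = [
    {"CreationTime": "2025-04-02T08:12:00Z", "Operation": "New-InboxRule",
     "UserId": "cfo@contoso.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-04-02T11:00:00Z", "Operation": "New-InboxRule",
     "UserId": "hr@contoso.example", "ClientIP": "192.0.2.22",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
]

# Graph path fragments that together look like mailbox/org reconnaissance.
RECON_PATHS = ("/messageRules", "/mailFolders", "/messages", "/contacts",
               "/memberOf", "/users", "/joinedTeams")
# Inbox rule parameters that move mail out of the victim's sight.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
# Assumption: accounts that legitimately use device code (CLI tooling on headless hosts).
EXPECTED_DEVICE_CODE_USERS = frozenset({"dev@contoso.example"})


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _device_code_ok(s):
    return s["authenticationProtocol"] == "deviceCode" and s["errorCode"] == 0


def device_code_signins(signins, expected=EXPECTED_DEVICE_CODE_USERS):
    """Every successful device-code sign-in gets a finding; unexpected users are high."""
    return [{"rule": "device_code_signin",
             "severity": "medium" if s["userPrincipalName"] in expected else "high",
             "user": s["userPrincipalName"], "ip": s["ipAddress"], "time": s["createdDateTime"]}
            for s in signins if _device_code_ok(s)]


def recon_bursts(signins, graph, window=timedelta(minutes=30), min_paths=3):
    """Device-code sign-in followed by enumeration of rules, folders, mail, contacts, org."""
    out = []
    for s in filter(_device_code_ok, signins):
        start = _ts(s["createdDateTime"])
        hit = {p for g in graph for p in RECON_PATHS
               if g["userPrincipalName"] == s["userPrincipalName"]
               and start <= _ts(g["timestamp"]) <= start + window
               and p in g["requestUri"]}
        if len(hit) >= min_paths:
            out.append({"rule": "post_device_code_graph_recon", "severity": "high",
                        "user": s["userPrincipalName"], "paths": sorted(hit)})
    return out


def suspicious_inbox_rules(audit):
    """New or changed inbox rules that forward, redirect or delete mail."""
    out = []
    for r in audit:
        if r["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in r["Parameters"]}
        risky = sorted(EXFIL_PARAMS & set(params))
        if risky:
            out.append({"rule": "suspicious_inbox_rule", "severity": "high",
                        "user": r["UserId"], "ip": r["ClientIP"],
                        "rule_name": params.get("Name"), "params": risky})
    return out


def run_all(signins=SIGNINS, graph=GRAPH, audit=AUDIT):
    return (device_code_signins(signins) + recon_bursts(signins, graph)
            + suspicious_inbox_rules(audit))


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

On the sample data the CFO’s device-code sign-in, the enumeration burst that follows it and the forward-and-delete rule created from the same IP all fire, while the developer’s Azure CLI sign-in is downgraded by the allowlist and the HR newsletter rule is ignored. In a real deployment the same three checks would be expressed as KQL or SIEM rules over the actual log tables, and the sign-in finding should be correlated with the other two rather than paged on alone.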
WIKICROOK
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Business Email Compromise (BEC): Business Email Compromise (BEC) is a scam in which criminals hijack or impersonate business email accounts to trick a company into sending money to fraudulent accounts or handing over sensitive data.
- OAuth Token: An OAuth token is a credential an application presents to an API to act on a signed-in user’s behalf without holding the user’s password. In Microsoft 365 there are two kinds: a short-lived access token sent with each request, and a longer-lived refresh token used to obtain new access tokens without the user signing in again. Whoever holds the tokens can use them, which is why stealing them is as good as stealing the session.
- Microsoft Graph API: Microsoft Graph API is a modern interface that lets apps securely connect to and manage data across Microsoft 365 cloud services.
- Device code flow: The OAuth 2.0 sign-in method built for input-constrained devices such as TVs and command-line tools. The client requests a short code, the user types that code into the identity provider’s normal login page on any device and signs in there, and the identity provider then hands the user’s tokens to the client that asked for the code. Device-code phishing abuses this by getting the victim to enter a code the attacker requested, so the attacker’s client receives the tokens.