EvilTokens uses AES-GCM encrypted HTML and Microsoft Device Code Phishing to hide Microsoft 365 account takeover pages until browser render.

Talos details ARToken, a PhaaS panel tied to EvilTokens that supports device code phishing, BEC workflows, SharePoint theft, and PRT persistence.

EvilTokens uses AES-GCM encrypted HTML and Microsoft Device Code Phishing to hide Microsoft 365 account takeover pages until browser render.