EvilTokens PhaaS Kit Phishing Related Request - Proxy
Detects outbound web proxy requests to URLs matching the EvilTokens Phishing-as-a-Service (PhaaS) kit infrastructure. Specifically Cloudflare Workers and Railway.app domains used in OAuth device code authorization phishing attacks. This indicates a user has clicked a phishing link.
Sigma rule (View on GitHub)
1title: EvilTokens PhaaS Kit Phishing Related Request - Proxy
2id: e0e121d0-be4d-4281-af7e-17abbba4a408
3status: experimental
4description: |
5 Detects outbound web proxy requests to URLs matching the EvilTokens Phishing-as-a-Service (PhaaS) kit infrastructure.
6 Specifically Cloudflare Workers and Railway.app domains used in OAuth device code authorization phishing attacks.
7 This indicates a user has clicked a phishing link.
8references:
9 - https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/
10author: uniqu3-us3r
11date: 2026-04-28
12tags:
13 - attack.initial-access
14 - attack.t1566.002
15 - detection.emerging-threats
16logsource:
17 category: proxy
18detection:
19 selection:
20 c-uri|re: '-[a-z0-9]{3}\.[a-z0-9-]{3,}-s-account\.workers\.dev|\.up\.railway\.app'
21 condition: selection
22falsepositives:
23 - Legitimate use of Cloudflare Workers or Railway.app domains
24level: low
References
Related rules
- Axios NPM Compromise Indicators - Linux
- Axios NPM Compromise Indicators - Windows
- Axios NPM Compromise Indicators - macOS
- Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
- Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection