EvilTokens PhaaS Kit Phishing Related Request - Proxy

Detects outbound web proxy requests to URLs matching the EvilTokens Phishing-as-a-Service (PhaaS) kit infrastructure. Specifically Cloudflare Workers and Railway.app domains used in OAuth device code authorization phishing attacks. This indicates a user has clicked a phishing link.

Sigma rule (View on GitHub)

 1title: EvilTokens PhaaS Kit Phishing Related Request - Proxy
 2id: e0e121d0-be4d-4281-af7e-17abbba4a408
 3status: experimental
 4description: |
 5    Detects outbound web proxy requests to URLs matching the EvilTokens Phishing-as-a-Service (PhaaS) kit infrastructure.
 6    Specifically Cloudflare Workers and Railway.app domains used in OAuth device code authorization phishing attacks.
 7    This indicates a user has clicked a phishing link.    
 8references:
 9    - https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/
10author: uniqu3-us3r
11date: 2026-04-28
12tags:
13    - attack.initial-access
14    - attack.t1566.002
15    - detection.emerging-threats
16logsource:
17    category: proxy
18detection:
19    selection:
20        c-uri|re: '-[a-z0-9]{3}\.[a-z0-9-]{3,}-s-account\.workers\.dev|\.up\.railway\.app'
21    condition: selection
22falsepositives:
23    - Legitimate use of Cloudflare Workers or Railway.app domains
24level: low

References

Related rules

to-top