NOIRLEGACY GROUP

NOIRLEGACY GROUP is a threat actor or operator identity referenced as the Telegram channel on which the phishing-as-a-service platform EvilTokens was first advertised, with the first public post appearing on February 16. Supporting content links EvilTokens to a large-scale phishing campaign targeting Microsoft 365 accounts across at least 340 organizations in the United States, Canada, Australia, New Zealand, and Germany. The campaign abused Microsoft's legitimate OAuth device authorization flow by tricking victims into entering attacker-supplied device codes on Microsoft's real login page, enabling attackers to obtain access tokens that could persist for up to 90 days and effectively bypass the practical protection of MFA. Huntress traced the activity to infrastructure hosted on Railway.com and assessed that EvilTokens provided capabilities including an Office 365 Capture Link, B2B Sender, SMTP Sender, AI-assisted phishing lure generation and email-filter evasion, and open redirect links on vulnerable domains to mask phishing destinations. The lures impersonated construction bid proposals, DocuSign and secure documents, missing voicemails, and employee benefit updates. The content does not provide high-confidence attribution of NOIRLEGACY GROUP to a specific country, nation-state sponsor, or broader alias set beyond the provided name.