How a Single KQL Query Stopped an Entire EvilTokens Phishing Campaign

An AI-powered PhaaS campaign leaned on legit-vendor redirects and device-code phishing — but spoofing left a fingerprint. One KQL query plus a 5-minute MDE automation loop neutralized over 1,200 malicious emails in 48 hours.

June 11, 2026 · 4 min · Matt Swann