EvilTokens Phishing Campaign Exploits OAuth Consent to Evade MFA, Hits 340+ Microsoft 365 Tenants

Last updated: 2026-05-19 22:23:23 · Technology

In a rapidly evolving cyber threat landscape, attackers using a new phishing-as-a-service (PhaaS) platform named EvilTokens have compromised more than 340 Microsoft 365 organizations across five countries since its launch in February 2026. The attacks bypass multi-factor authentication (MFA) by weaponizing the OAuth consent flow rather than stealing credentials.

Victims receive a message instructing them to enter a short code at microsoft.com/devicelogin (Microsoft's device code sign-in page) and to complete their usual MFA challenge. In doing so they unknowingly grant OAuth consent to a malicious application, handing over access tokens that attackers can use to read email, cloud storage, and other connected services.

“This is a textbook example of attackers exploiting the trust users place in device authentication flows,” said Dr. Amanda Reyes, principal threat intelligence analyst at CyberGuard Labs. “The fact that they bypass MFA makes it particularly dangerous because users feel secure after completing the second factor, when in reality the attacker now has persistent access.”
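The sign-in that completes the step described above lands in the tenant's Entra ID sign-in log as a device code sign-in by the victim, to an application the organization never vetted. The following audit routine is an added example, not part of the article or any vendor tooling: it reads records shaped like Microsoft Graph `auditLogs/signIns` entries (the `authenticationProtocol`, `appId`, `appDisplayName`, `userPrincipalName` and `ipAddress` fields are real Graph property names; the sample records and the allowlist of applications are constructed for the demonstration) and flags device code sign-ins to applications that are not on the organization's allowlist.

```python
"""Flag device code sign-ins to unexpected applications in Entra ID sign-in log data.

Added example (not from the article). Input records follow the shape of
Microsoft Graph `GET /auditLogs/signIns` entries. Everything below marked
SAMPLE_* is constructed for the demonstration, not real tenant data.
"""
from collections import defaultdict
from typing import Dict, List

# Applications the organization expects to use the device code flow (assumption:
# a real deployment would populate this from its own inventory, e.g. CLI tooling).
SAMPLE_ALLOWED_DEVICE_CODE_APPS = {
    "app-cli-0001": "Corp CLI Tool",
}

# Constructed sign-in records. The second one models the pattern the article
# describes: a normal user completes MFA, but the application receiving the
# tokens is one the tenant has never seen.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.test", "appId": "app-cli-0001",
     "appDisplayName": "Corp CLI Tool", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "conditionalAccessStatus": "success"},
    {"id": "s2", "userPrincipalName": "bob@example.test", "appId": "app-unknown-9f3a",
     "appDisplayName": "Mail Sync Helper", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "conditionalAccessStatus": "success"},
    {"id": "s3", "userPrincipalName": "bob@example.test", "appId": "app-office-0002",
     "appDisplayName": "Office 365 Desktop", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.11", "conditionalAccessStatus": "success"},
    {"id": "s4", "userPrincipalName": "carol@example.test", "appId": "app-unknown-9f3a",
     "appDisplayName": "Mail Sync Helper", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "conditionalAccessStatus": "notApplied"},
]


def suspicious_device_code_signins(records: List[dict], allowed_apps: Dict[str, str]) -> List[dict]:
    """Return device code sign-ins whose application is not on the allowlist."""
    return [
        r for r in records
        if r.get("authenticationProtocol") == "deviceCode"
        and r.get("appId") not in allowed_apps
    ]


def summarize_by_app(findings: List[dict]) -> Dict[str, dict]:
    """Group findings per application: which users consented and from which IPs.

    Several users completing device code sign-ins to the same unknown app from
    the same address is the campaign-shaped signal worth escalating first.
    """
    summary: Dict[str, dict] = defaultdict(lambda: {"users": set(), "ips": set(), "count": 0})
    for r in findings:
        entry = summary[r["appId"]]
        entry["users"].add(r["userPrincipalName"])
        entry["ips"].add(r["ipAddress"])
        entry["count"] += 1
    return {app: {"users": sorted(v["users"]), "ips": sorted(v["ips"]), "count": v["count"]}
            for app, v in summary.items()}


if __name__ == "__main__":
    hits = suspicious_device_code_signins(SAMPLE_SIGNINS, SAMPLE_ALLOWED_DEVICE_CODE_APPS)
    for app, info in summarize_by_app(hits).items():
        print(f"{app}: {info['count']} device code sign-in(s) by {', '.join(info['users'])} "
              f"from {', '.join(info['ips'])}")
```

In production the records come from a paged Graph query or the exported sign-in log, and the allowlist from the organization's own application inventory; the logic is the same. Note that the MFA and conditional access columns look clean in these records, which is exactly why a detection keyed on authentication failures will not surface this campaign.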

Background

OAuth consent phishing is not new, but EvilTokens marks a significant escalation in commoditized cybercrime. The platform offers a complete ecosystem for attackers, including customizable landing pages and token management, lowering the barrier to entry.

Image: EvilTokens Phishing Campaign Exploits OAuth Consent to Evade MFA, Hits 340+ Microsoft 365 Tenants (source: feeds.feedburner.com)

Traditional MFA is designed to prevent unauthorized access, but it cannot protect against threats that trick users into approving malicious OAuth apps. Once a user grants consent, the attacker's application obtains a refresh token that remains valid until it is explicitly revoked; because the application redeems that token rather than performing new interactive logins, security tools that monitor login anomalies often see nothing unusual.


What This Means

Organizations must rethink their security posture around OAuth. Administrators should enforce consent policies that block high-risk apps, require admin approval for all third-party permissions, and conduct regular audits of granted tokens.

“This campaign shows that MFA is not a silver bullet,” warned Reyes. “User awareness training must include recognizing unexpected device login prompts, and companies should adopt conditional access policies that trigger additional verification when OAuth consent is requested.”

The five affected countries include the United States, United Kingdom, Germany, Canada, and Australia, though the list may expand as investigators trace the infrastructure. Microsoft has acknowledged the threat and recommends enabling the "Block user consent for apps" policy in Azure AD.
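The two administrative controls above, the tenant-wide user consent setting and a regular audit of existing consent grants, can both be checked from Microsoft Graph data. The routine below is an added example, not code from the article or from Microsoft: it classifies the `permissionGrantPoliciesAssigned` list of the tenant's `authorizationPolicy` (an empty list is what the "Block user consent for apps" setting produces; the legacy `ManagePermissionGrantsForSelf.microsoft-user-default-legacy` policy means users may consent to any app) and flags delegated grants from `GET /oauth2PermissionGrants` that carry scopes giving durable access to mail or files. The policy and grant records are constructed samples, and the high-risk scope list is this example's own choice, to be tuned per tenant.

```python
"""Audit Microsoft 365 OAuth consent posture from Microsoft Graph-shaped data.

Added example (not from the article). Two inputs are assumed:
  - the tenant's authorizationPolicy (GET /policies/authorizationPolicy)
  - delegated consent grants (GET /oauth2PermissionGrants), one record per grant
Everything marked SAMPLE_* is constructed for the demonstration, not real tenant data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Policy id Microsoft assigns when users are allowed to consent to any application.
LEGACY_USER_CONSENT_POLICY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"

# Delegated scopes that give a third-party app durable access to mail or files,
# or a refresh token that outlives the session (assumption: this example's own
# list, tune it to the tenant).
HIGH_RISK_SCOPES = {
    "offline_access",  # issues the refresh token the article describes
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "User.Read.All", "Directory.Read.All",
}

# Constructed authorizationPolicy: this tenant still allows user consent to any app.
SAMPLE_AUTHORIZATION_POLICY = {
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [LEGACY_USER_CONSENT_POLICY],
    },
}

# Constructed grants. grant-2 is the shape of a consent-phishing outcome: one user,
# mail plus files plus a refresh token, to an application nobody vetted.
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-aaaa", "consentType": "Principal",
     "principalId": "user-1111", "resourceId": "sp-graph", "scope": "openid profile User.Read"},
    {"id": "grant-2", "clientId": "sp-bbbb", "consentType": "Principal",
     "principalId": "user-2222", "resourceId": "sp-graph",
     "scope": "openid offline_access Mail.ReadWrite Files.ReadWrite.All"},
    {"id": "grant-3", "clientId": "sp-cccc", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph", "scope": "User.Read.All Directory.Read.All"},
]


def user_consent_setting(authorization_policy: dict) -> str:
    """Classify the tenant-wide user consent setting.

    'blocked'    : no grant policy assigned, i.e. "Block user consent for apps"
    'allow-all'  : legacy policy present, users may consent to any application
    'restricted' : some other policy (e.g. verified publishers / low-impact only)
    """
    assigned = authorization_policy.get("defaultUserRolePermissions", {}) \
                                   .get("permissionGrantPoliciesAssigned", [])
    if not assigned:
        return "blocked"
    if LEGACY_USER_CONSENT_POLICY in assigned:
        return "allow-all"
    return "restricted"


@dataclass
class Finding:
    grant_id: str
    client_id: str        # service principal of the consenting application
    consent_type: str     # "Principal" (one user) or "AllPrincipals" (admin, tenant-wide)
    principal_id: Optional[str]
    risky_scopes: List[str]


def audit_grants(grants: List[dict]) -> List[Finding]:
    """Return every grant that includes at least one high-risk delegated scope."""
    findings = []
    for g in grants:
        scopes = g.get("scope", "").split()  # Graph stores scopes space-separated
        risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
        if risky:
            findings.append(Finding(g["id"], g["clientId"], g["consentType"],
                                    g.get("principalId"), risky))
    return findings


if __name__ == "__main__":
    print("user consent setting:", user_consent_setting(SAMPLE_AUTHORIZATION_POLICY))
    for f in audit_grants(SAMPLE_GRANTS):
        who = f.principal_id or "ALL USERS"
        print(f"{f.grant_id}: app {f.client_id} has {', '.join(f.risky_scopes)} for {who}")
```

Each flagged grant is reviewed against the application inventory; a grant to an unrecognized app is removed with `DELETE /oauth2PermissionGrants/{id}`, and since the article notes the refresh token stays valid until revoked, the affected users' sessions are then revoked as well (Graph exposes `revokeSignInSessions` on the user for this) rather than relying on the grant removal alone.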

Security firms are closely monitoring EvilTokens for further evolution. The platform operates on a subscription model, with prices ranging from $50 to $200 per month depending on features, making enterprise-grade phishing tools accessible even to low-skilled attackers.