EvilTokens Phishing Campaign Exploits OAuth Consent to Evade MFA, Hits 340+ Microsoft 365 Tenants
In a rapidly evolving cyber threat landscape, a new phishing-as-a-service (PhaaS) platform named EvilTokens has compromised more than 340 Microsoft 365 organizations across five countries since its launch in February 2026. The sophisticated attacks bypass multi-factor authentication (MFA) by weaponizing the OAuth consent flow.
Victims receive a message instructing them to enter a short code at microsoft.com/devicelogin and complete their standard MFA challenge. In doing so they unknowingly grant OAuth consent to an attacker-controlled application, handing over access tokens that attackers can use to infiltrate email, cloud storage, and other connected services.
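A defender's first question after reading the description above is whether any of their own users completed a device-code sign-in for an app the tenant never vetted. The check below is an added example, not code from the article or from Microsoft; it assumes sign-in records exported with the field names of the Microsoft Graph `signIn` resource (`userPrincipalName`, `appId`, `appDisplayName`, `authenticationProtocol`, `ipAddress`, `status.errorCode`), and every record, app id and the allowlist in it is constructed for illustration.

```python
"""Flag successful device-code sign-ins that did not come from an expected app.

Added example, not code from the article or from Microsoft. Field names follow
the Microsoft Graph `signIn` resource; all records, app ids and the allowlist
below are constructed.
"""

# Constructed sample export. The second record is the pattern the campaign
# produces: a successful device-code sign-in for an app the tenant never vetted.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-02T09:14:05Z", "userPrincipalName": "alice@example.test",
     "appId": "00000000-0000-0000-0000-00000000aaaa", "appDisplayName": "Corporate Mail Client",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:21:40Z", "userPrincipalName": "bob@example.test",
     "appId": "00000000-0000-0000-0000-00000000bbbb", "appDisplayName": "Document Viewer",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:30:12Z", "userPrincipalName": "carol@example.test",
     "appId": "00000000-0000-0000-0000-00000000cccc", "appDisplayName": "Build Agent CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:33:55Z", "userPrincipalName": "dave@example.test",
     "appId": "00000000-0000-0000-0000-00000000bbbb", "appDisplayName": "Document Viewer",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
]

# Hypothetical allowlist of app ids the tenant expects to use the device-code
# flow (headless build hosts, CLI tooling). Anything else deserves a look.
EXPECTED_DEVICE_CODE_APPS = {"00000000-0000-0000-0000-00000000cccc"}


def find_unexpected_device_code_signins(signins, allowlist=EXPECTED_DEVICE_CODE_APPS):
    """Return one finding per successful device-code sign-in by a non-allowlisted app."""
    findings = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        # Failed attempts (non-zero errorCode) matter for volume trending, not here.
        if rec.get("status", {}).get("errorCode") != 0:
            continue
        if rec.get("appId") in allowlist:
            continue
        findings.append({
            "user": rec.get("userPrincipalName"),
            "appId": rec.get("appId"),
            "appDisplayName": rec.get("appDisplayName"),
            "ipAddress": rec.get("ipAddress"),
            "when": rec.get("createdDateTime"),
            # Response the article's guidance implies: cut the session, then review consent.
            "action": "revoke sessions; review consent grants for this app",
        })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['when']} {f['user']} via {f['appDisplayName']} ({f['appId']}) "
              f"from {f['ipAddress']}: {f['action']}")
```

On the constructed data only Bob's sign-in is flagged: Carol used an allowlisted CLI app and Dave's attempt failed. Tuning the allowlist is the whole job here; in a tenant with no legitimate device-code use, an empty allowlist turns every successful device-code sign-in into a finding.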
“This is a textbook example of attackers exploiting the trust users place in device authentication flows,” said Dr. Amanda Reyes, principal threat intelligence analyst at CyberGuard Labs. “The fact they bypass MFA makes it particularly dangerous because users feel secure after completing the second factor, when in reality the attacker now has persistent access.”
Background
OAuth consent phishing is not new, but EvilTokens marks a significant escalation in commoditized cybercrime. The platform offers a complete ecosystem for attackers, including customizable landing pages and token management, lowering the barrier for entry.

Traditional MFA is designed to prevent unauthorized access, but it cannot protect against threats that trick users into approving malicious OAuth apps. Once a user grants consent, the attacker obtains a refresh token that remains valid until explicitly revoked. Because redeeming that token does not look like a fresh login, security tools that monitor login anomalies often miss it.

What This Means
Organizations must rethink their security posture around OAuth. Administrators should enforce consent policies that block high-risk apps, require admin approval for all third-party permissions, and conduct regular audits of granted tokens.
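The audit of granted tokens recommended above, together with the refresh-token persistence described earlier, comes down to reading the tenant's delegated consent grants and ranking the ones that look like consent phishing: user-granted, content-reading scopes combined with `offline_access` (the scope that yields a refresh token), from an app without a verified publisher. The scorer below is an added example, not code from the article or from Microsoft; it assumes grant records with the field names of the Microsoft Graph `oAuth2PermissionGrant` resource (`clientId`, `consentType`, `principalId`, `resourceId`, `scope`) and app metadata with the `servicePrincipal` fields `displayName` and `verifiedPublisher`. The scope list, weights, ids and sample grants are all constructed.

```python
"""Rank delegated OAuth consent grants by how much they resemble consent phishing.

Added example, not code from the article or from Microsoft. Field names follow
the Microsoft Graph `oAuth2PermissionGrant` and `servicePrincipal` resources;
the scope list, weights, ids and grants below are constructed.
"""

# Delegated scopes that expose mailbox, file or directory content (constructed list).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Contacts.Read", "MailboxSettings.ReadWrite", "Directory.Read.All",
}
# offline_access is what turns a one-off access token into a long-lived refresh token.
PERSISTENCE_SCOPE = "offline_access"

# Constructed service principals keyed by id; only one lacks a verified publisher.
SAMPLE_SERVICE_PRINCIPALS = {
    "sp-intranet": {"displayName": "Corporate Intranet", "verifiedPublisher": {"displayName": "Example Corp"}},
    "sp-mailsync": {"displayName": "Mail Sync Helper", "verifiedPublisher": {"displayName": None}},
    "sp-cli": {"displayName": "Build Agent CLI", "verifiedPublisher": {"displayName": "Example Corp"}},
}

# Constructed grants. consentType "AllPrincipals" is admin consent for the whole
# tenant; "Principal" is a single user's own consent.
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-intranet", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read"},
    {"id": "grant-2", "clientId": "sp-mailsync", "consentType": "Principal", "principalId": "user-bob",
     "resourceId": "sp-graph", "scope": "openid profile offline_access Mail.Read Files.Read.All"},
    {"id": "grant-3", "clientId": "sp-cli", "consentType": "Principal", "principalId": "user-carol",
     "resourceId": "sp-graph", "scope": "User.Read offline_access"},
]


def score_grant(grant, service_principals):
    """Score one grant; higher means closer to the consent-phishing pattern."""
    scopes = set(grant.get("scope", "").split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    persistent = PERSISTENCE_SCOPE in scopes
    sp = service_principals.get(grant.get("clientId"), {})
    publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
    score, reasons = 0, []
    if risky:
        score += 2
        reasons.append("content scopes: " + ", ".join(risky))
    if risky and persistent:
        score += 2
        reasons.append("offline_access with content scopes: refresh token outlives the session")
    if grant.get("consentType") == "Principal":
        score += 1
        reasons.append("user consent, not admin-reviewed")
    if not publisher:
        score += 1
        reasons.append("publisher not verified")
    return {"grantId": grant.get("id"), "app": sp.get("displayName", grant.get("clientId")),
            "principalId": grant.get("principalId"), "score": score, "reasons": reasons}


def audit_grants(grants, service_principals, threshold=4):
    """Return scored grants at or above the threshold, highest score first."""
    scored = [score_grant(g, service_principals) for g in grants]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])


if __name__ == "__main__":
    for hit in audit_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS):
        print(f"{hit['grantId']} ({hit['app']}, principal {hit['principalId']}) score {hit['score']}:")
        for reason in hit["reasons"]:
            print("  -", reason)
```

On the constructed data only `grant-2` crosses the threshold: it carries mailbox and file scopes, `offline_access`, was granted by a single user, and belongs to an app with no verified publisher. The CLI grant with `offline_access` but no content scopes scores low, which is the intended behaviour; a refresh token that can only read a user's own profile is not the campaign's goal. Revoking the flagged grant stops new tokens being issued, but the article's point stands that already-issued tokens also need revoking.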
“This campaign shows that MFA is not a silver bullet,” warned Reyes. “User awareness training must include recognizing unexpected device login prompts, and companies should adopt conditional access policies that trigger additional verification when OAuth consent is requested.”
The five affected countries are the United States, United Kingdom, Germany, Canada, and Australia, though the list may expand as investigators trace the infrastructure. Microsoft has acknowledged the threat and recommends enabling the "Block user consent for apps" policy in Azure AD.
Security firms are closely monitoring EvilTokens for further evolution. The platform operates on a subscription model, with prices ranging from $50 to $200 per month depending on features, making enterprise-grade phishing tools accessible even to low-skilled attackers.