OAuth Consent Phishing: How It Bypasses MFA


In February 2026, a phishing-as-a-service platform called EvilTokens compromised over 340 Microsoft 365 organizations. Learn how OAuth consent phishing bypasses MFA and how to protect yourself.

In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries. That's not just a headline. It's a wake-up call for anyone who thinks multi-factor authentication (MFA) makes them invincible. The targets of the platform received a message asking them to enter a short code at microsoft.com/devicelogin and complete their normal MFA challenge. Then they walked away, believing they had verified a legitimate login. But here's the kicker: they had just handed over their credentials and granted OAuth consent to a malicious app. This is what a phishing click looks like now.

### What Is OAuth Consent Phishing?

OAuth consent phishing is a sneaky attack where hackers trick you into granting permissions to a fake app. Instead of stealing your password directly, they ask you to approve access to your data through a legitimate-looking OAuth prompt. You think you're logging in securely, but you're actually authorizing an attacker to read your emails, access your files, or even send messages on your behalf.

This matters because it bypasses MFA entirely. You complete your two-factor authentication step, feeling safe, while the attacker gets a token that works without needing your password again. It's like giving someone a key to your house after they've already picked the lock.

![Visual representation of OAuth Consent Phishing](https://ppiumdjsoymgaodrkgga.supabase.co/storage/v1/object/public/etsygeeks-blog-images/domainblog-09a72b41-e1d9-469e-967e-9bbdf3e146a8-inline-1-1780241524882.webp)

### How EvilTokens Exploits Trust

EvilTokens operates as a service, meaning even low-skill attackers can use it. The platform automates the creation of malicious OAuth apps that mimic Microsoft 365's login flow. Victims receive a carefully crafted email or message that looks urgent, like a request to approve a new device or verify a sign-in.

Here's what happens step by step:

- You click a link that takes you to a fake Microsoft login page.
- You enter your username and password.
- You complete your MFA challenge, like a code from your phone.
- You see an OAuth consent screen asking for permissions to access your account.
- You click "Accept," thinking it's part of the process.
- The attacker now has a token that lets them access your data without triggering any alarms.

This attack is dangerous because it doesn't rely on malware or exploiting vulnerabilities. It exploits human trust and the complexity of OAuth permissions.

### Why MFA Alone Doesn't Cut It

Most people believe MFA is the gold standard for security. And it is, for password-based attacks. But OAuth consent phishing sidesteps it completely. You're not giving away your password; you're giving away access. The MFA challenge you completed was real, but it was for the wrong purpose.

Think of it like this: you lock your front door (MFA), but then you open a window for someone who asks nicely (OAuth consent). The lock didn't fail. You did.

### How to Protect Your Organization

Defending against OAuth consent phishing requires a shift in mindset. Here are practical steps you can take:

- **Review OAuth permissions regularly**: Use tools to audit which third-party apps have access to your organization's data. Revoke any that look suspicious or unnecessary.
- **Educate your team**: Train employees to recognize OAuth consent screens. They should never approve permissions for an app they didn't request.
- **Restrict app permissions**: In Microsoft 365, you can block users from consenting to apps from untrusted publishers. This adds a layer of control.
- **Monitor for unusual activity**: Watch for signs of token theft, like unexpected logins from new devices or locations.
- **Use conditional access policies**: Require additional verification for high-risk actions, like granting OAuth permissions.
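As an added example (not from the article or any vendor tool), here is a Python script for the "review OAuth permissions regularly" step: it audits delegated OAuth grants pulled from Microsoft Graph and flags the combination this attack depends on, mailbox or file scopes plus `offline_access` granted to an app with no verified publisher. Field names follow Graph's `servicePrincipal` and `oauth2PermissionGrant` resources; the risk thresholds and the sample tenant data are constructed for illustration.

```python
"""Audit delegated OAuth grants pulled from Microsoft Graph and flag the pattern
consent phishing relies on: mailbox/file scopes + offline_access (refresh token)
+ no verified publisher. Field names follow the Graph servicePrincipal and
oauth2PermissionGrant resources; the sample data is constructed, not real."""

# Delegated scopes that let an app read or send mail and reach files
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "MailboxSettings.ReadWrite", "Files.Read.All", "Files.ReadWrite.All"}
PERSISTENCE_SCOPE = "offline_access"  # refresh token outlives the MFA session

def audit_grants(service_principals, grants):
    """Return (app name, risk, reasons) for each grant a reviewer should look at."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = by_id.get(g["clientId"], {})
        scopes = set(g.get("scope", "").split())
        sensitive = sorted(scopes & SENSITIVE_SCOPES)
        if not sensitive:
            continue  # openid/profile/User.Read alone is a normal sign-in grant
        persistent = PERSISTENCE_SCOPE in scopes
        unverified = not (sp.get("verifiedPublisher") or {}).get("displayName")
        reasons = ["sensitive scopes: " + ", ".join(sensitive)]
        if persistent:
            reasons.append("offline_access grants a refresh token")
        if unverified:
            reasons.append("no verified publisher")
        if g.get("consentType") == "AllPrincipals":
            reasons.append("consented on behalf of all users")
        # Data access + persistence + unknown publisher is the phishing pattern
        risk = "high" if persistent and unverified else "medium"
        findings.append((sp.get("displayName", g["clientId"]), risk, reasons))
    return findings

# Constructed sample: one legitimate expense app, one look-alike malicious app
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Contoso Expense Tracker",
     "verifiedPublisher": {"displayName": "Contoso Ltd"}},
    {"id": "sp-2", "displayName": "Microsoft 365 Device Verification",
     "verifiedPublisher": {"displayName": None}},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "u-1",
     "scope": "User.Read Files.Read.All"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "u-2",
     "scope": "openid profile offline_access Mail.Read Mail.Send Files.ReadWrite.All"},
]

if __name__ == "__main__":
    for name, risk, reasons in audit_grants(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS):
        print(f"[{risk.upper()}] {name}: " + "; ".join(reasons))
```

In a real tenant the two lists come from `GET /servicePrincipals` and `GET /oauth2PermissionGrants`; the "high" findings are the ones to revoke first and to cross-check against sign-in logs.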
### The Future of Phishing

EvilTokens is just one example of how phishing is evolving. Attackers are moving away from stealing passwords and toward stealing tokens. As more companies adopt MFA, expect OAuth consent phishing to become the new norm.

The key takeaway is simple: don't trust every prompt you see. Even if you complete MFA, take a moment to ask yourself: "Did I actually request this?" If the answer is no, don't click accept. Stay sharp, stay skeptical, and keep your defenses up.