ONE Sentinel

Security/THREATS/CRIT

The New Phishing Click: How OAuth Consent Bypasses MFA

Source: The Hacker News
Date: May 19, 2026
Reading time: 1 min

EXECUTIVE SUMMARY

EvilTokens PhaaS Platform Exploits OAuth to Bypass MFA in Microsoft 365

Summary

The article discusses a new phishing-as-a-service (PhaaS) platform named EvilTokens, which exploits OAuth consent to bypass multi-factor authentication (MFA) in Microsoft 365. Within a short period, this platform has compromised numerous organizations across multiple countries.

Key Points

  • EvilTokens is a phishing-as-a-service platform that launched in February 2026.
  • It has compromised over 340 Microsoft 365 organizations within five weeks.
  • The attack lures users with a message asking them to enter a code at microsoft.com/devicelogin.
  • Victims then complete their usual MFA challenge, unknowingly granting the attackers access to their account.
  • The attack affects organizations across five different countries.

Analysis

The significance of EvilTokens lies in its ability to bypass MFA, a critical security control, by exploiting OAuth consent. This reflects a growing trend in which attackers abuse legitimate identity processes rather than breaking them, which makes the technique hard to distinguish from normal sign-ins and poses a significant threat to cloud-based services like Microsoft 365. The rapid spread and success of EvilTokens underscore the need for security controls that go beyond traditional MFA.

Conclusion

IT professionals should be vigilant about phishing attacks that exploit OAuth consent and consider implementing additional security layers, such as conditional access policies and user education, to mitigate these threats.
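Because the sign-in described above is completed by the legitimate user with a valid MFA challenge, the useful detection signal is the authentication flow itself rather than a failed login. The following script is an added example, not code from the article or from the platform it describes: it scans sign-in records for device code flow authentications and scores them against a per-user IP baseline and an allow-list of apps that legitimately use that flow. The record layout is assumed to follow the Microsoft Graph `signIn` resource (`authenticationProtocol`, `ipAddress`, `appDisplayName`, `conditionalAccessStatus`); the log entries, the baseline IPs and the app allow-list are constructed sample data.

```python
"""Flag device-code-flow sign-ins in Entra ID sign-in logs.

Added example (not from the article or the platform it describes). Record
layout follows the Microsoft Graph `signIn` resource; the log entries, the
per-user IP baseline and the app allow-list below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample: sign-in records in Graph signIn shape (RFC 5737 test IPs).
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft 365", "conditionalAccessStatus": "success"},
    {"id": "s2", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "appDisplayName": "Microsoft Authentication Broker",
     "conditionalAccessStatus": "notApplied"},
    {"id": "s3", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20",
     "appDisplayName": "Azure CLI", "conditionalAccessStatus": "success"},
    {"id": "s4", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "ropc", "ipAddress": "203.0.113.30",
     "appDisplayName": "Legacy app", "conditionalAccessStatus": "notApplied"},
]

# Constructed baseline: addresses each user normally signs in from.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.20"},
}

# Constructed allow-list: apps for which device code flow is expected (CLI tools).
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


@dataclass
class Finding:
    signin_id: str
    user: str
    severity: str
    reason: str


def score_signin(rec: dict, known_ips: dict, expected_apps: set) -> Optional[Finding]:
    """Return a Finding for a suspicious device code sign-in, else None."""
    if rec.get("authenticationProtocol") != "deviceCode":
        return None  # only the device code flow is of interest here
    user = rec["userPrincipalName"]
    ip = rec.get("ipAddress", "")
    app = rec.get("appDisplayName", "")
    reasons = []
    if ip not in known_ips.get(user, set()):
        reasons.append(f"device code sign-in from unfamiliar IP {ip}")
    if app not in expected_apps:
        reasons.append(f"device code flow used by unexpected app '{app}'")
    if rec.get("conditionalAccessStatus") == "notApplied":
        reasons.append("no Conditional Access policy applied")
    if not reasons:
        return None  # expected CLI use from a known location
    severity = "high" if len(reasons) >= 2 else "medium"
    return Finding(rec["id"], user, severity, "; ".join(reasons))


def find_device_code_anomalies(signins: Iterable[dict],
                               known_ips: dict = KNOWN_IPS,
                               expected_apps: set = EXPECTED_DEVICE_CODE_APPS) -> list:
    """Scan sign-in records and collect the suspicious device code sign-ins."""
    return [f for f in (score_signin(r, known_ips, expected_apps) for r in signins) if f]


if __name__ == "__main__":
    for f in find_device_code_anomalies(SAMPLE_SIGNINS):
        print(f"[{f.severity}] {f.user} ({f.signin_id}): {f.reason}")
```

On the sample data only `s2` is reported: a device code sign-in for alice from an address outside her baseline, through an app that is not on the allow-list, with no Conditional Access policy applied. The same check can be run against records exported from the Graph sign-in log API; on the prevention side, a Conditional Access policy using the authentication flows condition can block device code flow entirely for users who have no need for it.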