EvilTokens phishing used OAuth grants to bypass MFA
Feb 2026 — Phishing-as-a-service EvilTokens harvested OAuth refresh tokens via microsoft.com/devicelogin, bypassing MFA and compromising 340+ Microsoft 365 tenants in five countries.
EvilTokens, a phishing-as-a-service platform that launched in February 2026, used microsoft.com/devicelogin prompts to collect OAuth refresh tokens and compromised more than 340 Microsoft 365 tenants across five countries within five weeks. Operators sent messages asking recipients to enter a short code at microsoft.com/devicelogin and complete their routine multifactor authentication step. After users authenticated on the legitimate identity provider and clicked Accept, attackers obtained signed refresh tokens scoped to mailbox, drive, calendar and contacts.
Attackers did not need passwords and did not produce the conventional sign-in events that many security systems flag. The refresh tokens could be renewed repeatedly and persisted according to tenant token-lifetime policies rather than expiring with a single sign-in session. Because a token granted access without a new sign-in, multifactor controls did not trigger on reuse, and many security information and event management tools did not treat the activity as an intrusion.
In the incidents linked to EvilTokens, tokens survived password resets and remained valid for weeks or months unless explicitly revoked or a conditional access policy required re-consent. Security researchers describe the pattern as consent phishing or OAuth grant abuse, where a consent click hands a valid token to an attacker instead of credentials that must be replayed.
Security practitioners point to the frequency of consent requests as a factor in the threat. AI assistants, workplace integrations and browser extensions regularly prompt users to authorize access to accounts. Consent language can differ from technical reach: a scope labeled “Read your mail” can allow access to all messages and attachments a user can reach, and a scope described as “access when you are not present” typically denotes long-lived access that cannot be revoked in real time by a user.
Risk increases when a single identity holds approvals across multiple applications. An employee who authorizes a meeting summarizer for calendar and mail, a productivity tool for shared drives and a CRM add-on for customer records can create a chain of access that no individual application owner approved. Security teams refer to these intersections as toxic combinations because they let an attacker move between systems via the same identity.
Incidents have shown how connectors can propagate access across tenants. In 2025 a compromised downstream integration spread access to more than 700 Salesforce tenants by using OAuth tokens customers had legitimately approved.
To reduce exposure, security practitioners recommend maintaining a continuous inventory of third-party applications that hold refresh tokens, surfacing tokens older than 30 days for re-consent, identifying identities with grants across multiple SaaS applications, and applying conditional access policies that trigger on consent events as well as sign-ins. They also advise playbooks that revoke individual OAuth tokens rather than suspending user accounts to remove access more quickly.
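The inventory checks recommended above (stale long-lived grants, identities whose grants across several apps form a toxic combination, and per-grant rather than per-account revocation) can be expressed as a small triage script. This is an added example, not code from the article or from any vendor; the grant records are constructed and the field names and scope-to-category mapping are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample inventory of delegated OAuth grants (not real tenant
# data); the field names are assumptions for this example.
GRANTS = [
    {"user": "alice@example.com", "app": "MeetingSummarizer",
     "scopes": {"Mail.Read", "Calendars.Read", "offline_access"}, "granted": date(2025, 12, 1)},
    {"user": "alice@example.com", "app": "DriveSync",
     "scopes": {"Files.ReadWrite.All", "offline_access"}, "granted": date(2026, 1, 20)},
    {"user": "alice@example.com", "app": "CRMAddon",
     "scopes": {"Contacts.Read", "offline_access"}, "granted": date(2026, 2, 10)},
    {"user": "bob@example.com", "app": "MeetingSummarizer",
     "scopes": {"Calendars.Read"}, "granted": date(2026, 2, 15)},
]

RECONSENT_AFTER = timedelta(days=30)

# Map scopes to the data class they reach; mail+drive+contacts on one identity
# is the "toxic combination" the article describes (categories are assumptions).
CATEGORY = {"Mail.Read": "mail", "Calendars.Read": "calendar",
            "Files.ReadWrite.All": "drive", "Contacts.Read": "contacts"}
TOXIC = frozenset({"mail", "drive", "contacts"})

def stale_grants(grants, today):
    """Grants past the re-consent window; only long-lived (offline_access) grants
    matter, since a session-bound token expires with the session on its own."""
    return [g for g in grants
            if "offline_access" in g["scopes"] and today - g["granted"] > RECONSENT_AFTER]

def toxic_identities(grants):
    """Identities whose grants across more than one app together cover TOXIC."""
    by_user = defaultdict(list)
    for g in grants:
        by_user[g["user"]].append(g)
    flagged = {}
    for user, ugs in by_user.items():
        reach = {CATEGORY[s] for g in ugs for s in g["scopes"] if s in CATEGORY}
        apps = sorted({g["app"] for g in ugs})
        if len(apps) > 1 and TOXIC <= reach:
            flagged[user] = apps
    return flagged

def revocation_targets(grants, today):
    """(user, app) grants to revoke individually, instead of suspending the account."""
    targets = {(g["user"], g["app"]) for g in stale_grants(grants, today)}
    for user, apps in toxic_identities(grants).items():
        targets |= {(user, a) for a in apps}
    return sorted(targets)
```

Running `revocation_targets(GRANTS, date(2026, 3, 1))` on the sample yields three grants for alice to revoke and none for bob, whose single session-bound calendar grant needs no action.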
Experts note that OAuth consent abuse relies on standard protocol behavior combined with routine user actions, and that current defensive guidance centers on increased visibility, monitoring and token-level revocation.