May 19
New OAuth‑Based Phishing Platform “EvilTokens” Compromises 340+ Microsoft 365 Organizations
A newly emerged phishing‑as‑a‑service (PhaaS) platform called EvilTokens has compromised more than 340 Microsoft 365 organizations across five countries within just five weeks of its launch in February 2026.
The campaign represents one of the most significant real‑world demonstrations of OAuth grant abuse, a growing attack vector that bypasses traditional identity defenses. Victims received a message prompting them to enter a short code at microsoft.com/devicelogin and complete their normal MFA challenge.
Believing they were verifying a routine sign‑in, users unknowingly approved an OAuth consent request that handed attackers a valid refresh token with access to mail, files, calendars, and contacts. No password was stolen, no MFA prompt was bypassed, and no suspicious sign‑in event appeared.
Security researchers warn that this form of consent phishing sits “below the identity perimeter,” exploiting the fact that users now instinctively click through consent screens. The resulting tokens persisted for weeks or months—even surviving password resets—until explicitly revoked.
The report also highlights the growing danger of toxic combinations, where multiple legitimate SaaS integrations create unintended cross‑application access paths that no single owner can see. Incidents like the 2025 Salesloft‑Drift cascade, which spread across 700+ Salesforce tenants, show how quickly these bridges can amplify risk.
Experts say closing the gap requires treating OAuth consent with the same rigor as authentication: continuous inventory of third‑party apps, re‑consent policies, token‑level revocation, and visibility into AI agents and integrations forming new trust relationships at runtime.
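The inventory-and-revocation step above can be reduced to a triage rule: a grant that pairs offline_access (a refresh token) with mail, file or contact scopes, from an app nobody has reviewed, is exactly the grant this campaign collected. The following is an added illustration, not code from the article or from any vendor; the event shape, the allowlist and the sample records are constructed, and the scope names are assumed to follow Microsoft Graph naming.

```python
# Added example (not from the article): assess OAuth consent grants from
# simplified, constructed audit records and flag the pattern the article
# describes: an unreviewed app granted offline_access plus data scopes.
from dataclasses import dataclass

# Assumption: scope names follow Microsoft Graph permission naming.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Calendars.Read", "Contacts.Read"}
PERSISTENCE_SCOPE = "offline_access"  # consent to this yields a refresh token
# Hypothetical allowlist of app (client) IDs the tenant has already reviewed.
APPROVED_APP_IDS = {"11111111-aaaa-4bbb-8ccc-000000000001"}


@dataclass(frozen=True)
class ConsentEvent:
    """Constructed stand-in for a consent-grant audit event (not a real schema)."""
    user: str
    app_id: str
    app_name: str
    scopes: frozenset


def assess_consent(event: ConsentEvent) -> list:
    """Return the reasons a grant needs review; an empty list means benign."""
    reasons = []
    if event.app_id not in APPROVED_APP_IDS:
        reasons.append("app not in reviewed-app inventory")
    sensitive = sorted(event.scopes & SENSITIVE_SCOPES)
    if sensitive:  # reviewed apps with data scopes still belong in re-consent review
        reasons.append("sensitive data scopes: " + ", ".join(sensitive))
    if PERSISTENCE_SCOPE in event.scopes and sensitive:
        # Refresh token plus data scopes: survives password resets until revoked.
        reasons.append("offline_access grants a long-lived refresh token")
    return reasons


def triage(events) -> dict:
    """Map user -> reasons for every grant that warrants revocation review."""
    return {e.user: r for e in events if (r := assess_consent(e))}


# Constructed sample events: a routine grant to a reviewed app, and one
# matching the consent-phishing pattern (lookalike name, unreviewed app ID).
SAMPLE_EVENTS = [
    ConsentEvent("alice@example.com", "11111111-aaaa-4bbb-8ccc-000000000001",
                 "Approved Expense Tool", frozenset({"User.Read"})),
    ConsentEvent("bob@example.com", "22222222-dead-4bee-8fff-000000000002",
                 "Device Sign-In Helper", frozenset(
                     {"offline_access", "Mail.Read", "Files.Read.All", "Contacts.Read"})),
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```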
Emerging AI security platforms, such as Reco, now map these grants in real time to expose hidden bridges and revoke compromised tokens before they spread.
As phishing‑resistant authentication improves, researchers warn that attackers will increasingly pivot to the consent layer—an area still operating largely on trust and user habit.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.