EvilTokens Phishing Platform Bypasses MFA in New Wave of Attacks

The Rise of EvilTokens
In February 2026, a new phishing-as-a-service (PhaaS) platform known as EvilTokens emerged, rapidly compromising more than 340 Microsoft 365 organizations across five countries within its first five weeks of operation. This sophisticated attack campaign highlights a growing trend in cybercrime: leveraging legitimate OAuth consent flows to bypass multi-factor authentication (MFA).
How the Attack Works
According to recent reports, victims receive a deceptive message instructing them to enter a short code at a legitimate Microsoft device login page (microsoft.com/devicelogin). After completing their normal MFA challenge, users believe they have simply verified their own identity. In reality, the code they entered belongs to a sign-in the attacker started, so completing it grants the attacker OAuth consent and lets the adversary access their accounts without ever having to defeat MFA directly.
Implications for Security
This technique exploits the trust users place in standard authentication flows. By using a legitimate Microsoft URL and prompting users to complete MFA themselves, attackers avoid triggering security alerts. Once OAuth consent is granted, the attacker gains persistent access to the victim's Microsoft 365 resources, including emails, files, and collaboration tools.
Defending Against OAuth-Based Phishing
Organizations should educate users about the risks of entering codes on device login pages unless they initiated the process. Additionally, security teams should monitor for unusual OAuth consent grants and implement conditional access policies that restrict app permissions. Regular security awareness training can help users recognize such sophisticated phishing attempts.
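One way to act on the monitoring advice above, as an added example that is not code from the reports or from any vendor: a small detector over constructed Entra ID sign-in records that flags every device code flow sign-in and raises severity when the sign-in country lies outside the user's usual baseline or the client app is not on an allowlist. Field names follow the Microsoft Graph signIn schema; the sample records, the allowlist and the severity rule are assumptions.

```python
import json

# Constructed sample records (not real telemetry) using Microsoft Graph signIn field
# names. Alice's device code sign-in comes from a country she never signs in from.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI", "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "US"}}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.21", "location": {"countryOrRegion": "US"}}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def baseline_countries(events):
    """Countries each user has signed in from through flows other than device code."""
    seen = {}
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            seen.setdefault(e["userPrincipalName"], set()).add(e["location"]["countryOrRegion"])
    return seen

def flag_device_code_signins(events, allowed_apps=frozenset()):
    """Alert on every device code sign-in (users rarely initiate one themselves);
    raise severity when the country is outside the user's baseline or the client
    app is not on the allowlist (allowlist contents are an assumption)."""
    baseline = baseline_countries(events)
    alerts = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        user, app = e["userPrincipalName"], e["appDisplayName"]
        country = e["location"]["countryOrRegion"]
        reasons = ["device code flow used"]
        if country not in baseline.get(user, set()):
            reasons.append(f"country {country} outside user's baseline")
        if app not in allowed_apps:
            reasons.append(f"client app '{app}' not allowlisted")
        severity = "high" if len(reasons) > 1 else "low"
        alerts.append({"user": user, "ip": e["ipAddress"], "app": app,
                       "severity": severity, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS), {"Azure CLI"}):
        print(alert)
```

In production the baseline would come from a longer history window than the records in the same batch, and the allowlist from the tenant's approved device code clients.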