EvilTokens Platform Exploits OAuth Consent to Breach Hundreds of Organizations

The EvilTokens phishing platform exploits OAuth consent grants to bypass multi-factor authentication (MFA) by tricking users into granting persistent refresh tokens to attackers.

CSBadmin
3 Min Read

A phishing-as-a-service platform named EvilTokens, which launched in February 2026, has successfully compromised more than 340 Microsoft 365 organizations across five countries in just five weeks. The attack method exploits a fundamental gap in identity security. Victims receive a message instructing them to enter a short code at microsoft.com/devicelogin and complete their standard multi-factor authentication challenge. After doing so, users believe they have verified a routine sign-in. In reality, they have granted the attacker a valid refresh token with access to their mailbox, drive, calendar, and contacts. This token persists according to tenant policy rather than expiring with the session.

The attacker never needs a password, never triggers an MFA prompt, and leaves no sign-in event that resembles an intrusion. This form of attack, known as consent phishing or OAuth grant abuse, succeeds because users have been conditioned to click through OAuth consent screens without scrutiny. The critical security controls designed to stop credential phishing completely miss this tactic because they operate at a different layer of the identity stack.

Why MFA Cannot Stop This Threat

Traditional credential phishing requires the attacker to replay stolen credentials somewhere, and most identity systems now require a second factor during that replay. Even advanced adversary-in-the-middle (AiTM) kits produce a session cookie tied to a sign-in event that security information and event management (SIEM) tools can correlate against factors like geography, device patterns, and travel anomalies.

OAuth grant abuse produces no such replay. The user authenticates on the legitimate identity provider, completes the MFA challenge on the genuine domain, and clicks Accept. The token the attacker receives is the system functioning exactly as designed. It is signed by the identity provider, scoped to whatever permissions the user approved, and refreshable. MFA cannot block it because MFA has already occurred. The problem is compounded by the fact that refresh tokens often extend far beyond the original session, giving attackers persistent access that bypasses the security measures organizations trust most.
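Because the token is issued by the legitimate identity provider, the detection opportunity is not the sign-in itself but its shape: a completed device code sign-in, or a user consent that pairs `offline_access` (the scope that yields a refresh token) with mailbox or file permissions. The following is an added detection example, not code from the article or from The Hacker News' report. It runs over constructed sample records shaped like Microsoft Entra sign-in log entries (the `authenticationProtocol` field with value `deviceCode` is the real field that records a device code sign-in); the consent records use a simplified, assumed shape, and every user, application and country value is invented.

```python
"""Flag completed device code sign-ins and persistent data-access consents.

Added example: a detection routine over constructed Entra-style log records.
Sign-in field names follow the Microsoft Graph `signIn` resource; the consent
record shape below is a simplified assumption, not the real audit schema.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

# offline_access is the scope that produces a refresh token; the data scopes
# cover the mailbox, drive, calendar and contacts access the article describes.
PERSISTENT_SCOPE = "offline_access"
DATA_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
               "Calendars.Read", "Contacts.Read"}

# Constructed sample sign-in records (JSON lines, invented values).
SAMPLE_SIGNINS = """
{"userPrincipalName":"alice@example.test","authenticationProtocol":"oAuth2","location":{"countryOrRegion":"US"},"appDisplayName":"Outlook","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.test","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NL"},"appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.test","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"appDisplayName":"Azure CLI","status":{"errorCode":0}}
{"userPrincipalName":"carol@example.test","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Office","status":{"errorCode":50126}}
""".strip().splitlines()

# Constructed sample consent records (simplified assumed shape, invented values).
SAMPLE_CONSENTS = """
{"userPrincipalName":"dave@example.test","activityDisplayName":"Consent to application","appDisplayName":"Mail Sync Helper","scopes":"offline_access Mail.ReadWrite Files.ReadWrite.All","isAdminConsent":false}
{"userPrincipalName":"erin@example.test","activityDisplayName":"Consent to application","appDisplayName":"Team Poll","scopes":"User.Read","isAdminConsent":false}
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    severity: str
    detail: str


def device_code_findings(lines: list[str]) -> list[Finding]:
    """Flag successful device code sign-ins.

    Severity rises when the sign-in came from a country the user has never used
    with an ordinary (non-device-code) successful sign-in: the same geography
    correlation SIEMs already apply to cookie-replay sign-ins.
    """
    records = [json.loads(line) for line in lines]
    usual_countries: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            usual_countries[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    findings = []
    for r in records:
        # Only a completed device code sign-in hands out a token; failures are noise here.
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        if not usual_countries[user]:
            severity, note = "medium", "no baseline for user"
        elif country not in usual_countries[user]:
            severity, note = "high", "country never seen for user"
        else:
            severity, note = "low", "country matches baseline"
        findings.append(Finding(user, "device_code_signin", severity,
                                f"{r['appDisplayName']} from {country} ({note})"))
    return findings


def consent_findings(lines: list[str]) -> list[Finding]:
    """Flag consents that pair offline_access with mailbox/file scopes."""
    findings = []
    for r in (json.loads(line) for line in lines):
        if r["activityDisplayName"] != "Consent to application":
            continue
        scopes = set(r["scopes"].split())
        data = scopes & DATA_SCOPES
        if PERSISTENT_SCOPE in scopes and data:
            # A user-granted persistent mailbox token is the exact artefact the article describes.
            severity = "medium" if r["isAdminConsent"] else "high"
            findings.append(Finding(r["userPrincipalName"], "persistent_data_consent", severity,
                                    f"{r['appDisplayName']} granted {' '.join(sorted(data))} with {PERSISTENT_SCOPE}"))
    return findings


if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS) + consent_findings(SAMPLE_CONSENTS):
        print(f"[{f.severity:6}] {f.rule:24} {f.user:22} {f.detail}")
```

Device code flow has legitimate users (command-line tools, headless devices), so the app name and the per-user baseline are what keep this from paging on every `Azure CLI` login; tune the allow-list per tenant. On the prevention side, tenants that do not need device code flow can restrict it with a Conditional Access authentication-flows policy, and limiting user consent to verified publishers or to admin-approved applications removes the consent screen the attack depends on.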

Source: The Hacker News
