EvilTokens, a newly launched phishing-as-a-service platform, compromised over 340 Microsoft 365 organizations in just five weeks starting February 2026. The attack exploits a critical gap in OAuth authentication flows that bypasses multi-factor authentication entirely.
The attack works by tricking users into visiting microsoft.com/devicelogin and entering a code sent to them by the attacker. Users then complete their normal MFA challenge as usual. However, the code ties that sign-in to the attacker's device-login session, so the approval grants the attacker an OAuth token that persists independently of the MFA verification. Once obtained, attackers gain persistent access to compromised accounts without needing passwords or additional authentication factors.
This represents a fundamental shift in phishing methodology. Traditional phishing targets credentials directly. EvilTokens targets the OAuth consent flow itself, which most organizations treat as a lower-risk authentication path. The device login flow, designed for headless systems and mobile apps, becomes an attack vector when users are socially engineered into participating unknowingly.
The threat actor infrastructure spans at least five countries, indicating sophisticated operational security and distribution networks. The rapid scale of 340 compromised organizations in under six weeks demonstrates both the effectiveness of the attack and its ease of deployment through the PhaaS model. Organizations using similar OAuth device flows face the same exposure.
The risk extends beyond immediate account compromise. OAuth tokens remain valid across sessions, allowing attackers to maintain persistent access even after users change passwords or reset their devices. Defenders cannot detect this activity through traditional MFA logs since the MFA challenge completes successfully from the user's perspective.
Organizations should implement conditional access policies that restrict OAuth consent for devices outside trusted networks. Educating users about legitimate versus suspicious device login requests is essential. Security teams should audit OAuth token usage and implement strict token lifetime policies. Microsoft 365 administrators should review device login activity and revoke suspicious tokens immediately.
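As an added example, not part of the original article: a Python script that applies the "review device login activity" advice above to sign-in records, flagging successful device-code sign-ins from outside trusted networks. It assumes the records follow the Entra ID sign-in log schema (fields ipAddress, userPrincipalName, createdDateTime, appDisplayName, authenticationProtocol with value deviceCode, and status.errorCode); the records and the trusted range are constructed.

```python
import ipaddress

# Constructed sample sign-in records (not real data). Field names are assumed to
# follow the Entra ID sign-in log schema, where authenticationProtocol is
# "deviceCode" for device-code sign-ins and status.errorCode 0 means success.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-02-10T09:12:41Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.23", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T09:15:02Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.45", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T09:20:17Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-02-10T09:25:33Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "198.51.100.90", "authenticationProtocol": "none",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
]

# Constructed trusted corporate egress range; device-code sign-ins from
# elsewhere are the ones worth reviewing and, if unexplained, revoking.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_suspicious_device_code_signins(records):
    """Return successful device-code sign-ins from outside trusted networks."""
    # MFA status is deliberately ignored: in this attack the MFA challenge
    # succeeds, so the signal is the flow used and where it came from.
    flagged = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed device-code attempts are not token grants
        if is_trusted(rec["ipAddress"]):
            continue
        flagged.append({
            "time": rec["createdDateTime"],
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "app": rec["appDisplayName"],
        })
    return flagged
```

Each flagged entry is a candidate for revoking the user's sign-in sessions, since a password reset alone does not invalidate the token the attacker already holds.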
This attack pattern likely influences future phishing campaigns.
