
EvilTokens: The OAuth Consent Attack That Silently Bypasses MFA

Last updated: 2026-05-19 19:33:20

In early 2026, a new phishing-as-a-service (PhaaS) platform called EvilTokens emerged, targeting Microsoft 365 organizations with a clever twist. Instead of stealing passwords directly, it exploits OAuth consent and device login flows to bypass multi-factor authentication (MFA). Within five weeks, over 340 organizations across five countries were compromised. Here are answers to common questions about this evolving threat.

What is EvilTokens and how does it work?

EvilTokens is a phishing-as-a-service platform launched in February 2026. It targets Microsoft 365 users by sending deceptive messages that ask them to enter a short code at microsoft.com/devicelogin. This is a legitimate Microsoft device login page used for signing into apps on devices without a browser. After entering the code, victims complete their normal MFA challenge, such as a push notification or TOTP code. Without realizing it, they grant OAuth consent to a malicious application controlled by the attackers. That consent lets the attacker access the user's email, files, and other resources without ever knowing the user's password and without triggering another MFA challenge.

Source: feeds.feedburner.com

Why does EvilTokens bypass multi-factor authentication?

Traditional phishing attempts to steal credentials, which MFA can block if the second factor is required. EvilTokens, however, does not steal passwords. Instead, it tricks users into completing a legitimate OAuth consent flow. The user enters a code at a real Microsoft page, authenticates with MFA, and then approves an app request. The attacker receives an OAuth access token that is tied to that user's session. Since the token was generated during a fully authenticated MFA session, it is valid for accessing resources without further MFA prompts. Essentially, the user provides the token willingly, making MFA irrelevant once the consent is granted.

How many organizations were compromised by EvilTokens?

According to reports, EvilTokens compromised more than 340 Microsoft 365 organizations in just five weeks after its launch. The attacks spanned five countries and affected a diverse range of industries. The rapid spread shows how effective the phishing-as-a-service model is, enabling attackers with little technical skill to run highly convincing campaigns. The actual number may be higher, as not all incidents are immediately detected or reported, and security researchers are still analyzing logs to identify all victims.

What is phishing-as-a-service (PhaaS)?

Phishing-as-a-service (PhaaS) is a cybercrime business model where developers create sophisticated phishing toolkits and lease them to other criminals. Customers pay a subscription fee, often in cryptocurrency, to launch phishing campaigns without needing technical expertise. Platforms like EvilTokens provide pre-built pages, automated email campaigns, and even dashboards to track stolen credentials or tokens. This commoditization has lowered the barrier to entry for cybercrime, leading to an increase in targeted attacks. PhaaS platforms often update their techniques to evade detection, making them a persistent threat for organizations.


How can organizations protect against OAuth consent phishing like EvilTokens?

Defending against OAuth consent attacks requires a multi-layered approach. First, enable conditional access policies that block risky consent requests, such as those from unknown publishers. Use Microsoft Defender for Cloud Apps to monitor OAuth app permissions and revoke suspicious grants. Educate users to recognize phishing lures that ask them to visit microsoft.com/devicelogin and approve unknown apps. Enforce admin-only consent where users cannot grant consent to third-party apps without IT approval. Regularly audit OAuth applications in your tenant. Also, consider blocking the device login flow entirely if not needed for legitimate purposes, or restrict it to specific IP ranges.

What should an organization do if it suspects an OAuth token was stolen?

If you suspect that an EvilTokens or similar attack has compromised an account, act quickly. First, invalidate all existing OAuth tokens and refresh tokens for the affected user. This can be done through the Azure AD portal by revoking sessions and removing app consents. Reset the user's password even though the token is the primary vector. Audit the user's mailbox and files for unauthorized access or data exfiltration. Use Microsoft 365 audit logs to identify which apps were granted consent and when. Consider enabling multi-factor authentication again, but understand that the token bypasses MFA until revoked. Finally, report the incident to your security team and consider engaging a threat intelligence service to determine if the attacker used the token elsewhere.
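The two preceding answers both come down to the same log review: find which apps a user consented to and when, and treat a consent that follows a device-code sign-in within minutes as the pattern described in this article. The script below is an added example, not code from the original article or from any Microsoft tooling. Its record layout is a deliberately simplified, constructed stand-in for Entra sign-in and audit log exports (the field names `kind`, `protocol`, `appId`, `scope` and the sample GUIDs are assumptions); real exports need a field-mapping step before the correlation logic applies. The allow list of approved app IDs is hypothetical, and the correlation window is a tunable assumption.

```python
"""Correlate device-code sign-ins with app consents to flag likely
consent phishing, and list every app each user consented to for triage.

Added example, not code from the original article. The record layout is a
simplified, constructed stand-in for Microsoft Entra sign-in and audit log
exports; map real export fields onto it before use.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical allow list: apps the tenant has reviewed (constructed GUID).
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}

# Delegated Graph scopes that give an app standing access to mail or files.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Files.ReadWrite.All", "offline_access"}

# A consent this soon after a device-code sign-in is treated as linked to it.
CORRELATION_WINDOW = timedelta(minutes=10)


@dataclass
class Finding:
    user: str
    app_id: str
    app_name: str
    consented_at: datetime
    scopes: List[str]
    device_code_signin_at: Optional[datetime]
    severity: str


def _ts(value: str) -> datetime:
    # Exports use ISO-8601 UTC with a trailing Z; parse as naive UTC.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def consents_by_user(records: List[dict]) -> Dict[str, List[Tuple]]:
    """Answer 'which apps were granted consent and when', per user."""
    grants: Dict[str, List[Tuple]] = {}
    for r in records:
        if r["kind"] != "consent":
            continue
        grants.setdefault(r["user"], []).append(
            (_ts(r["time"]), r["appId"], r["appName"], r["scope"].split()))
    for lst in grants.values():
        lst.sort()  # chronological, oldest first
    return grants


def find_suspicious_consents(records: List[dict]) -> List[Finding]:
    """Flag consents to non-approved apps; raise severity when a device-code
    sign-in by the same user precedes the consent within the window or the
    granted scopes give persistent mail/file access."""
    device_logins: Dict[str, List[datetime]] = {}
    for r in records:
        if r["kind"] == "signin" and r["protocol"] == "deviceCode":
            device_logins.setdefault(r["user"], []).append(_ts(r["time"]))

    findings = []
    for r in records:
        if r["kind"] != "consent" or r["appId"] in APPROVED_APP_IDS:
            continue
        when = _ts(r["time"])
        scopes = r["scope"].split()
        # Most recent device-code sign-in by this user inside the window.
        prior = [t for t in device_logins.get(r["user"], [])
                 if timedelta(0) <= when - t <= CORRELATION_WINDOW]
        linked = max(prior) if prior else None
        risky = HIGH_RISK_SCOPES.intersection(scopes)
        if linked and risky:
            severity = "high"
        elif linked or risky:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(r["user"], r["appId"], r["appName"], when,
                                scopes, linked, severity))
    return findings


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    # Normal consent to an approved app, no device-code sign-in involved.
    {"kind": "consent", "time": "2026-03-02T08:00:00Z", "user": "bob@example.com",
     "appId": "11111111-1111-1111-1111-111111111111", "appName": "Approved LOB App",
     "scope": "User.Read"},
    # Device-code sign-in followed 95 s later by consent to an unknown app
    # asking for mail, files and offline_access: the pattern described above.
    {"kind": "signin", "time": "2026-03-03T09:14:05Z", "user": "alice@example.com",
     "protocol": "deviceCode", "ip": "203.0.113.10"},
    {"kind": "consent", "time": "2026-03-03T09:15:40Z", "user": "alice@example.com",
     "appId": "deadbeef-0000-4000-8000-000000000001", "appName": "Mailbox Sync Helper",
     "scope": "Mail.Read Files.Read.All offline_access"},
    # Device-code sign-in four hours before a low-privilege consent: outside
    # the window, so not linked.
    {"kind": "signin", "time": "2026-03-04T08:00:00Z", "user": "carol@example.com",
     "protocol": "deviceCode", "ip": "198.51.100.7"},
    {"kind": "consent", "time": "2026-03-04T12:00:00Z", "user": "carol@example.com",
     "appId": "deadbeef-0000-4000-8000-000000000002", "appName": "Poll Widget",
     "scope": "User.Read"},
]

if __name__ == "__main__":
    for f in find_suspicious_consents(SAMPLE_RECORDS):
        print(f"[{f.severity}] {f.user} -> {f.app_name} ({f.app_id}) "
              f"at {f.consented_at:%Y-%m-%dT%H:%M:%S}Z scopes={' '.join(f.scopes)} "
              f"device_code_signin={f.device_code_signin_at}")
    for user, grants in consents_by_user(SAMPLE_RECORDS).items():
        for when, app_id, name, scopes in grants:
            print(f"{user}: {name} ({app_id}) {when:%Y-%m-%dT%H:%M:%S}Z {' '.join(scopes)}")
```

On the sample data the only high-severity finding is Alice's consent, because it combines the two signals the article describes: a device-code sign-in moments earlier and scopes (`Mail.Read`, `offline_access`) that keep working after the session ends. Carol's consent is reported but rated low, which is the intended behaviour: an unknown app with `User.Read` and no nearby device-code sign-in is worth a look during an audit but is not the EvilTokens pattern. The per-user grant listing is what you would hand to whoever revokes sessions and removes consents for the affected account.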