Microsoft 365 Organizations Hit by EvilTokens Phishing-as-a-Service


A new phishing-as-a-service (PhaaS) platform, EvilTokens, emerged in February 2026, rapidly compromising over 340 Microsoft 365 organizations across five countries within its first five weeks, according to The Hacker News. This platform leverages a sophisticated OAuth consent bypass technique, effectively neutralizing multi-factor authentication (MFA).

The attack vector, as detailed by The Hacker News, involves deceiving targets into entering a short code at microsoft.com/devicelogin and completing their standard MFA challenge. Unbeknownst to the user, this action grants EvilTokens access to their Microsoft 365 environment by approving a malicious OAuth application, circumventing the intended security benefits of MFA.

This isn’t just another phishing campaign; it’s a strategic bypass of a fundamental security control. Defenders need to understand that even with robust MFA in place, users remain the weakest link if they are tricked into approving malicious applications. The attacker’s calculus here is clear: target the user’s trust in familiar login flows to gain persistent access, rendering traditional MFA less effective against this specific vector.

What This Means For You

  • If your organization uses Microsoft 365, you are a direct target. This attack vector exploits user trust to bypass MFA, not technical vulnerabilities in MFA itself.
  • You must educate users about OAuth consent screens and the dangers of approving unknown applications, even after completing an MFA challenge.
  • Implement Conditional Access policies to restrict OAuth application consent to pre-approved applications only.
  • Regularly audit granted application permissions in your Microsoft 365 tenant and revoke any suspicious or unneeded OAuth app consents immediately.
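
One way to carry out the audit step above, as an added example that is not part of the original article: it reviews delegated permission grants in the shape Microsoft Graph returns for oauth2PermissionGrants and ranks them for revocation. The sample records, the allowlist and the high-impact scope set are constructed assumptions.

```python
import json

# Constructed sample in the shape of Microsoft Graph oauth2PermissionGrant
# objects (GET /oauth2PermissionGrants). Every ID below is made up.
SAMPLE_GRANTS = json.loads("""
[
  {"id": "g1", "clientId": "sp-approved-crm", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph", "scope": "User.Read"},
  {"id": "g2", "clientId": "sp-unknown-1", "consentType": "Principal",
   "principalId": "user-42", "resourceId": "sp-graph",
   "scope": "offline_access Mail.Read Files.ReadWrite.All"},
  {"id": "g3", "clientId": "sp-approved-crm", "consentType": "Principal",
   "principalId": "user-7", "resourceId": "sp-graph",
   "scope": "User.Read Mail.Send"}
]
""")

# Assumption: your own allowlist of approved service principal object IDs.
APPROVED_CLIENTS = {"sp-approved-crm"}
# Assumption: delegated scopes this organization treats as high impact.
HIGH_IMPACT = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
               "Files.ReadWrite.All", "Sites.Read.All"}

def review_grants(grants, approved=APPROVED_CLIENTS, high_impact=HIGH_IMPACT):
    """Return findings for grants to unapproved apps or with high-impact scopes."""
    findings = []
    for g in grants:
        # The Graph "scope" field is a space-separated string of permissions.
        scopes = set((g.get("scope") or "").split())
        risky = sorted(scopes & high_impact)
        unapproved = g.get("clientId") not in approved
        if not (unapproved or risky):
            continue
        findings.append({
            "grant_id": g["id"],
            "client_id": g.get("clientId"),
            "principal": g.get("principalId") or "tenant-wide",
            "unapproved_app": unapproved,
            "high_impact_scopes": risky,
            # An unapproved app holding high-impact scopes is handled first.
            "priority": "revoke" if unapproved and risky else "review",
        })
    # Stable sort: "revoke" findings ahead of "review" findings.
    return sorted(findings, key=lambda f: f["priority"] != "revoke")

if __name__ == "__main__":
    for finding in review_grants(SAMPLE_GRANTS):
        print(finding)
```
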
