Executive Summary
In February 2026, the phishing-as-a-service platform EvilTokens emerged, compromising over 340 Microsoft 365 organizations across five countries within five weeks. The attack exploited the OAuth device code authentication flow, tricking users into entering a short code at microsoft.com/devicelogin and completing their MFA challenge. Unbeknownst to them, this granted attackers valid refresh tokens with access to emails, files, calendars, and contacts, all without stealing passwords or bypassing MFA. This method effectively bypassed traditional identity defenses, as the OAuth consent screen has become an instinctive click for many users. (thehackernews.com)
The incident underscores a significant shift in phishing tactics, highlighting the exploitation of legitimate authentication processes to gain unauthorized access. As attackers increasingly leverage such methods, organizations must reassess their security protocols to address these evolving threats.
Why This Matters Now
The EvilTokens incident highlights the urgent need for organizations to reevaluate their security measures, as attackers are now exploiting legitimate authentication processes to bypass traditional defenses, including MFA.
Attack Path Analysis
Attackers used the EvilTokens phishing-as-a-service platform to trick users into granting OAuth consent through the device code flow, which sidestepped MFA and yielded persistent refresh tokens. With these tokens, they accessed users' Microsoft 365 data, including emails, files, calendars, and contacts. Because the tokens were issued by a legitimate sign-in, the attackers maintained access without triggering traditional security alerts, allowing them to exfiltrate sensitive information over an extended period.
Kill Chain Progression
Initial Compromise
Description
Attackers sent phishing messages prompting users to enter a code at microsoft.com/devicelogin, leading them to grant OAuth consent.
MITRE ATT&CK® Techniques
- Spearphishing Link
- Steal Application Access Token
- Use Alternate Authentication Material: Application Access Token
- Valid Accounts
- Account Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 (Control ID: 6.4.3) – Ensure that security policies and operational procedures for managing identification and authentication are documented, in use, and known to all affected parties.
- NYDFS 23 NYCRR 500 (Control ID: 500.12) – Multi-Factor Authentication
- DORA (Control ID: Article 6) – ICT Risk Management Framework
- CISA ZTMM 2.0 (Control ID: Identity Pillar) – Identity and Access Management
- NIS2 Directive (Control ID: Article 21) – Cybersecurity Risk Management Measures
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
OAuth consent phishing bypasses MFA protections, enabling attackers to access sensitive financial data and customer accounts through legitimate Microsoft 365 authentication workflows.
Health Care / Life Sciences
EvilTokens platform compromises HIPAA-compliant environments by exploiting OAuth tokens, potentially exposing patient data despite multi-factor authentication and encrypted traffic controls.
Government Administration
Phishing-as-a-Service targeting Microsoft 365 environments threatens sensitive government operations, bypassing zero trust segmentation and established authentication policies through OAuth manipulation.
Information Technology/IT
IT sectors face elevated risk as OAuth consent attacks compromise cloud security fabrics and multi-cloud visibility controls, undermining enterprise security architectures.
Sources
- The New Phishing Click: How OAuth Consent Bypasses MFA – https://thehackernews.com/2026/05/the-new-phishing-click-how-oauth.html
- Inside an AI-enabled device code phishing campaign – https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
- EvilTokens abuses Microsoft device code flow for account takeovers – https://www.csoonline.com/article/4153742/eviltokens-abuses-microsoft-device-code-flow-for-account-takeovers.html
- EvilTokens ramps up device code phishing targeting Microsoft 365 users – https://www.helpnetsecurity.com/2026/03/31/eviltokens-phishing-microsoft-365/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it enforces strict segmentation and identity-aware controls, which would likely limit unauthorized access and data exfiltration within cloud environments.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF would likely limit unauthorized access by enforcing strict identity-aware controls, reducing the risk of attackers obtaining OAuth consent through phishing.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely constrain attackers' ability to escalate privileges by enforcing least-privilege access, limiting the scope of accessible resources.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely limit lateral movement by monitoring and controlling internal traffic, reducing unauthorized access to additional resources.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely enhance detection of unauthorized access by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit data exfiltration by controlling outbound traffic and enforcing strict policies.
Implementing Aviatrix Zero Trust CNSF would likely reduce the overall impact by limiting the attacker's reach and containing potential breaches within segmented environments.
Impact at a Glance
Affected Business Functions
- Email Communication
- File Storage and Sharing
- Calendar Management
- Contact Management
Estimated downtime: 7 days
Estimated loss: $500,000
Unauthorized access to emails, files, calendars, and contacts of over 340 Microsoft 365 organizations across multiple countries.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit the scope of OAuth token permissions and reduce potential lateral movement.
- Enhance Threat Detection & Anomaly Response capabilities to identify unusual OAuth consent grants and access patterns.
- Enforce Egress Security & Policy Enforcement to monitor and control data exfiltration activities.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into OAuth token usage across cloud environments.
- Educate users on the risks of OAuth consent phishing and promote cautious behavior when granting application permissions.
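The detection step above can be made concrete. The following Python hunt is an added example for this brief, not code from Aviatrix, Microsoft or the EvilTokens operators. It runs over exported Entra ID sign-in records, lists every sign-in whose authenticationProtocol is deviceCode, and escalates those where, shortly afterwards, tokens from the same session are used from a different address than the browser that completed the flow (the victim satisfied MFA, but someone else holds the refresh token). The Graph signIn field names used are real; correlating on sessionId, the 24-hour window and all sample records are assumptions constructed for the example.

```python
"""Hunt for device code phishing in exported Entra ID sign-in records.

Added example for this brief; it is not code from Aviatrix, Microsoft or the
EvilTokens operators. Assumptions: the export follows the Microsoft Graph
signIn resource shape (userPrincipalName, authenticationProtocol, ipAddress,
location.countryOrRegion, appDisplayName, sessionId, createdDateTime);
the 24-hour correlation window and every sample record are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample export. Alice's device code sign-in is completed from her
# usual office address, but two minutes later tokens from that same session are
# used from another country: the pattern a phished device code leaves behind.
# Bob's device code sign-in has no such follow-on use (a headless CLI, say).
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Office 365 Exchange Online", "sessionId": "s-1",
     "createdDateTime": "2026-03-02T08:00:00Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Constructed Device Client", "sessionId": "s-2",
     "createdDateTime": "2026-03-02T09:15:00Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Microsoft Graph", "sessionId": "s-2",
     "createdDateTime": "2026-03-02T09:17:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Azure CLI", "sessionId": "s-3",
     "createdDateTime": "2026-03-02T10:00:00Z"},
])

WINDOW = timedelta(hours=24)  # assumed correlation window; tune per tenant


def load_signins(raw_json):
    """Parse the export and sort by time; timestamps become aware datetimes."""
    records = json.loads(raw_json)
    for r in records:
        r["_ts"] = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
    return sorted(records, key=lambda r: r["_ts"])


def _where(record):
    """Render 'ip (country)' so two sign-ins can be compared by origin."""
    country = (record.get("location") or {}).get("countryOrRegion")
    return f'{record.get("ipAddress")} ({country})'


def hunt_device_code(records, window=WINDOW):
    """One finding per device code sign-in.

    medium: the device code flow was completed at all. Ordinary users rarely
            need it, so each occurrence deserves a look.
    high:   within `window`, tokens from the same session were used from a
            different address than the browser that completed the flow, i.e.
            the user satisfied MFA but someone else holds the refresh token.
    """
    by_session = defaultdict(list)
    for r in records:
        by_session[r.get("sessionId")].append(r)

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        origin = _where(r)
        foreign_use = sorted({
            _where(s) for s in by_session[r.get("sessionId")]
            if s is not r
            and r["_ts"] <= s["_ts"] <= r["_ts"] + window
            and _where(s) != origin
        })
        findings.append({
            "user": r["userPrincipalName"],
            "app": r.get("appDisplayName"),
            "completed_from": origin,
            "token_used_from": foreign_use,
            "severity": "high" if foreign_use else "medium",
        })
    return findings


def run_hunt(raw_json=SAMPLE_EXPORT):
    """Convenience wrapper: parse the export and return the findings list."""
    return hunt_device_code(load_signins(raw_json))


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f['severity']}] {f['user']} via {f['app']}: "
              f"completed from {f['completed_from']}, "
              f"tokens later used from {f['token_used_from'] or 'nowhere else'}")
```

Against a real export the medium findings will mostly be headless tooling such as CLIs and should be triaged by app; the high findings are the ones to revoke sessions on. The same fields are available in the Entra portal's sign-in logs, so the rule translates directly to a scheduled query there.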