10 Critical Insights Into the EvilTokens OAuth Consent Phishing Attack

In February 2026, a new phishing-as-a-service (PhaaS) platform called EvilTokens emerged and, within its first five weeks, compromised over 340 Microsoft 365 organizations across five countries. The technique combines OAuth consent phishing with the OAuth 2.0 device authorization grant (the device code flow), and it works even where multi-factor authentication (MFA) is enforced. Unlike traditional credential phishing, victims are not sent to a look-alike site: they are told to enter a short code at the genuine microsoft.com/devicelogin page and to complete their normal MFA challenge, believing they are verifying a legitimate request. What they are actually doing is finishing a sign-in that the attacker started, so the tokens for that sign-in are delivered to the attacker's client when it polls Microsoft's token endpoint. This listicle covers ten things you need to know about this threat, from how the attack works to what it means for security teams.

1. EvilTokens Is a Phishing-as-a-Service Platform

EvilTokens is a commercial PhaaS platform that gives criminals ready-made tooling for OAuth consent phishing campaigns. It went live in February 2026 and was adopted quickly, compromising more than 340 Microsoft 365 tenants across five countries (likely English-speaking ones) in just five weeks. The service supplies the infrastructure, lure templates, and even token validation, which lowers the bar for less skilled operators. Security researchers first spotted EvilTokens through telemetry showing anomalous device code authentication requests. Unlike a plain credential harvester, the platform is built to collect OAuth tokens, which give access that does not depend on knowing the password and is not fully undone by a password reset.

2. It Bypasses Multi-Factor Authentication (MFA)

MFA is often sold as a silver bullet against account takeover, and EvilTokens shows where that claim breaks. The attack rides on the OAuth 2.0 device authorization grant (RFC 8628, usually called the device code flow), which was designed for input-constrained clients such as smart TVs and command-line tools: the client displays a short code, and the user enters it on a separate device, signs in there, and completes any MFA challenge. Nothing about MFA is defeated. The victim genuinely satisfies it, in their own browser, on their own device; the problem is that the sign-in they are completing was started by the attacker's client, so the access and refresh tokens are issued to that client. Because those tokens carry the MFA claim, they also satisfy any policy that merely requires MFA. Phishing-resistant methods such as FIDO2 keys do not close this gap either, since the victim is authenticating to the real Microsoft endpoint rather than to a proxy, which is why the defense has to be applied to the flow itself (blocking or restricting device code sign-ins) rather than to the MFA method.

3. OAuth Consent Is the Real Target

Rather than stealing a password, EvilTokens aims to end up holding an OAuth access token and refresh token issued for the victim. The lure asks the recipient to enter a short code at microsoft.com/devicelogin and then to complete their usual MFA challenge. The victim is then shown a prompt for the app that requested the code, which the platform dresses up as a familiar service such as Microsoft Teams or SharePoint; where the app's requested delegated permissions have not already been consented to, this is a consent screen. Once the user clicks "Accept", the attacker's client receives delegated permissions to the user's mailbox, files, or other resources, and the offline_access permission is what yields the refresh token. The consent is recorded in the tenant as a legitimate grant, so a password change does not remove it; only revoking the consent and the user's sessions does.

4. The Attack Exploits the Device Code Grant Flow

The device code flow is an OAuth 2.0 grant for clients that lack a browser or a usable keyboard. It has three parts. First, the client POSTs to the authorization server's device code endpoint (for Entra ID, /oauth2/v2.0/devicecode) and receives a device_code, a short user_code, a verification_uri, and an expiry (15 minutes for Entra ID). Second, the user browses to that URI on another device, enters the user_code, and authenticates. Third, and in parallel, the client polls the token endpoint with grant_type urn:ietf:params:oauth:grant-type:device_code, receiving authorization_pending until the user finishes and then the tokens. In EvilTokens the attacker's machine is the client: it requests the code, the platform mails or messages the user_code to the victim, the victim visits microsoft.com/devicelogin, enters the code, signs in with MFA and accepts the prompt, and the attacker's next poll returns the access and refresh tokens. Because a code expires after 15 minutes, the victim has to act within that window or the operator has to issue a new one. The flow was never designed for a code relayed to a human by a third party, but nothing in the protocol prevents it.

5. Victims Believe They Are Verifying a Legitimate Request

Attackers craft the initial message to look like a routine security verification or software update notification. For example: “Your Microsoft account requires re-verification. Please enter the code 9A3B at microsoft.com/devicelogin.” The victim, seeing the legitimate Microsoft domain and being asked to complete MFA, feels confident they are protecting their account. In reality, they are authorizing an attacker-controlled application. After completing the process, the user gets a “success” page and walks away believing they have verified their identity—unaware that their tokens are now compromised.

6. The Attack Passes Conditional Access at Sign-In Time

Many organizations deploy Conditional Access to block suspicious sign-ins, for example by requiring MFA from unknown locations or blocking non-compliant devices. EvilTokens passes those checks at the moment they are first evaluated. The interactive sign-in happens in the victim's own browser, from their own device, network, and location, so policies that look at those signals see a normal sign-in, and the MFA requirement is satisfied. The attacker never performs an interactive sign-in; they receive the tokens when their client polls the token endpoint. Two caveats matter for defenders. First, Conditional Access is evaluated again whenever the refresh token is redeemed, and that redemption comes from the attacker's infrastructure and is logged as a non-interactive sign-in from their IP, so named-location and country restrictions still apply at that point. Second, Conditional Access has an authentication flows condition that can block the device code flow outright, which stops the attack before any token is issued. What the technique defeats is anomaly detection tuned to the interactive sign-in, not the policy engine as a whole.

7. It Enables Persistence via Refresh Tokens

EvilTokens does not just capture a short-lived access token; it captures the refresh token issued alongside it (the offline_access scope is what produces one). Entra ID access tokens last roughly an hour; refresh tokens are valid for 90 days by default, and each redemption issues a fresh one, so an operator who keeps using the token keeps the access alive. Redemption is silent: the attacker posts the refresh token to the token endpoint and receives a new access token with no involvement from the victim. A password change helps less than people expect. Entra ID does revoke refresh tokens that were obtained through a password-based sign-in when the password changes, but refresh tokens obtained through passwordless sign-ins survive it, already-issued access tokens keep working until they expire, and the consent grant itself is untouched. Reliable containment means an admin revoking the user's sign-in sessions and removing the app's permission grant (or the app's service principal). Left alone, this access lets an attacker quietly pull data for weeks or months.
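The exchange described in insight 4 and the refresh-token persistence and revocation described in insight 7, as one added example written for this article (it is not EvilTokens' code and not Microsoft's implementation). MockAuthorizationServer is an in-memory stand-in for Entra ID's token service: the endpoint names, the grant-type URN, the error codes, the 15-minute code lifetime and the 5-second poll interval are the real ones; every class and function name, the user, the client_id, and the token and user_code formats are constructed for illustration.

```python
"""Added example: the OAuth 2.0 Device Authorization Grant (RFC 8628) as abused in
device code phishing, followed by refresh-token persistence and admin revocation.
MockAuthorizationServer stands in for Entra ID's /devicecode and /token endpoints;
the user_code format, token values and names are constructed, not Microsoft's."""
import secrets
import time

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
DEVICE_CODE_LIFETIME = 900   # seconds; Entra ID device codes expire after 15 minutes
POLL_INTERVAL = 5            # seconds a client must wait between /token polls


class MockAuthorizationServer:
    """Stand-in for login.microsoftonline.com/<tenant>/oauth2/v2.0/{devicecode,token}."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # device_code -> flow state until redeemed or expired
        self.sessions = {}   # refresh_token -> {user, scope, revoked}

    def device_authorization(self, client_id, scope):
        """POST /devicecode. The *client* starts the flow; in phishing, the client
        is the attacker's machine and the victim never sees this request."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()   # constructed format, not Entra's
        self.pending[device_code] = {"user_code": user_code, "scope": scope,
                                     "client_id": client_id, "user": None,
                                     "expires": self.clock() + DEVICE_CODE_LIFETIME}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": DEVICE_CODE_LIFETIME, "interval": POLL_INTERVAL}

    def complete_user_login(self, user_code, user, mfa_satisfied):
        """What the victim's own browser does at /devicelogin: enter the code, sign in,
        pass MFA, accept the prompt. MFA really is performed, so the token issued
        for this flow carries an MFA claim that satisfies an MFA-only policy."""
        for state in self.pending.values():
            if state["user_code"] == user_code and state["user"] is None:
                if not mfa_satisfied:
                    return False
                state["user"] = user
                return True
        return False

    def token(self, grant_type, device_code=None, refresh_token=None):
        """POST /token: redeem a device_code (polled by the client) or a refresh_token."""
        if grant_type == DEVICE_CODE_GRANT:
            state = self.pending.get(device_code)
            if state is None:
                return {"error": "invalid_grant"}
            if self.clock() > state["expires"]:
                del self.pending[device_code]
                return {"error": "expired_token"}
            if state["user"] is None:
                return {"error": "authorization_pending"}
            del self.pending[device_code]
            return self._issue(state["user"], state["scope"])
        if grant_type == "refresh_token":
            session = self.sessions.get(refresh_token)
            if session is None or session["revoked"]:
                return {"error": "invalid_grant"}
            return self._issue(session["user"], session["scope"])
        return {"error": "unsupported_grant_type"}

    def _issue(self, user, scope):
        """Mint an access token plus a *new* refresh token (Entra rotates them)."""
        refresh = secrets.token_urlsafe(32)
        self.sessions[refresh] = {"user": user, "scope": scope, "revoked": False}
        return {"token_type": "Bearer", "scope": scope, "expires_in": 3600,
                "access_token": f"at.{user}.{secrets.token_hex(8)}",
                "refresh_token": refresh}

    def revoke_sign_in_sessions(self, user):
        """Admin containment (cf. Graph's revokeSignInSessions): every refresh token
        for the user stops working. Already-issued access tokens still run out on
        their own clock, which is why you also remove the app's consent grant."""
        for session in self.sessions.values():
            if session["user"] == user:
                session["revoked"] = True


def phish_and_persist(server, victim):
    """Attacker's side, end to end. Returns the three /token replies in order."""
    start = server.device_authorization("attacker-client-id", "Mail.Read offline_access")
    # First poll, before the lure has landed: authorization_pending.
    first = server.token(DEVICE_CODE_GRANT, device_code=start["device_code"])
    # The lure relays start["user_code"]; the victim types it at the genuine
    # verification_uri and completes MFA in their own browser on their own network.
    server.complete_user_login(start["user_code"], victim, mfa_satisfied=True)
    tokens = server.token(DEVICE_CODE_GRANT, device_code=start["device_code"])
    # Any time later, with no user involvement: redeem the refresh token.
    renewed = server.token("refresh_token", refresh_token=tokens["refresh_token"])
    return [first, tokens, renewed]


if __name__ == "__main__":
    srv = MockAuthorizationServer()
    for reply in phish_and_persist(srv, "alice@contoso.example"):
        print({k: (v[:12] + "...") if k.endswith("token") else v for k, v in reply.items()})
```

The point to notice is that the server never sees anything abnormal: the code is redeemed by the party that requested it, and the sign-in that authorized it was a fully legitimate one. Revocation has to be done on the tenant side, after the fact.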

8. The Attack Targets Microsoft 365 Organizations Exclusively

EvilTokens is built for Microsoft 365 tenants. The lures use Microsoft branding, the device code flow is supported by Microsoft Entra ID (formerly Azure AD), and the platform's malicious OAuth apps request delegated permissions to read mail, reach OneDrive files, or manage SharePoint content. The technique itself is not Microsoft-specific: any identity provider that implements the device authorization grant together with user-granted app consent (Google, AWS IAM Identity Center, and Salesforce among them) could be abused the same way. EvilTokens currently targets Microsoft 365 because of its enterprise footprint and the value of mailbox and document data. Microsoft 365 organizations should treat this as a phishing scenario to plan for explicitly, since their existing link and attachment controls do not see it.

9. Existing Defenses Are Insufficient Without Behavioral Monitoring

Standard email filters and awareness training often miss EvilTokens because the lure contains no malicious link or attachment, only instructions to visit a legitimate Microsoft URL and type a code. URL reputation tools cannot block a known-good address like microsoft.com/devicelogin. Detection has to come from identity telemetry instead. In Entra ID, the sign-in logs record the authentication protocol, so interactive sign-ins tagged as device code are the first thing to hunt for; they are rare outside CLI and headless-device use, and each one names the app and the user. The audit log records every "Consent to application" event together with the permissions granted, so user consents that include mailbox or file scopes (Mail.Read, Files.Read.All and the like), especially together with offline_access, deserve review. Finally, the attacker's later use of the refresh token appears as a non-interactive sign-in for the same user and app from an unexpected IP or country, which a correlation against the originating device code sign-in can surface. Entra ID's user consent settings and admin consent workflow can stop users from granting such permissions in the first place, but many tenants still allow unrestricted user consent.
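The three hunts above, as an added example that is not part of the original article or of any vendor tooling: it runs over constructed sample sign-in and audit records (not real telemetry) that use the Microsoft Graph field names for signIn (userPrincipalName, ipAddress, appId, authenticationProtocol, isInteractive, location.countryOrRegion) and directoryAudit (activityDisplayName, initiatedBy, targetResources, modifiedProperties). The app IDs, IP addresses, app names and the HIGH_RISK_SCOPES list are this example's assumptions; the consent permissions string is modeled on the shape Entra writes into ConsentAction.Permissions but is abbreviated.

```python
"""Added example: detection logic for device code phishing, run over sample Entra ID
sign-in and audit records. Records are constructed for this example; field names
follow the Graph signIn and directoryAudit resources."""
import json
import re

# One JSON record per line, as you would export from Log Analytics or the Graph reports API.
SIGN_IN_LOG = r"""
{"createdDateTime":"2026-03-02T09:14:03Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"appId":"1b2c3d4e-0000-4000-8000-000000000001","appDisplayName":"Contoso File Sync","authenticationProtocol":"deviceCode","isInteractive":true}
{"createdDateTime":"2026-03-02T09:16:40Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"appId":"1b2c3d4e-0000-4000-8000-000000000001","appDisplayName":"Contoso File Sync","isInteractive":false}
{"createdDateTime":"2026-03-02T09:20:12Z","userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"appId":"9f8e7d6c-0000-4000-8000-000000000002","appDisplayName":"Outlook Web","authenticationProtocol":"oAuth2","isInteractive":true}
{"createdDateTime":"2026-03-02T09:21:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"appId":"9f8e7d6c-0000-4000-8000-000000000002","appDisplayName":"Outlook Web","isInteractive":false}
"""
AUDIT_LOG = r"""
{"activityDateTime":"2026-03-02T09:15:10Z","activityDisplayName":"Consent to application","initiatedBy":{"user":{"userPrincipalName":"alice@contoso.example"}},"targetResources":[{"displayName":"Contoso File Sync","modifiedProperties":[{"displayName":"ConsentContext.IsAdminConsent","newValue":"False"},{"displayName":"ConsentAction.Permissions","newValue":"[] => [[Id: 7c1d..., ClientId: 5a6b..., ConsentType: Principal, Scope: Mail.Read Files.Read.All offline_access]]"}]}]}
{"activityDateTime":"2026-03-02T09:22:31Z","activityDisplayName":"Consent to application","initiatedBy":{"user":{"userPrincipalName":"bob@contoso.example"}},"targetResources":[{"displayName":"Team Lunch Poll","modifiedProperties":[{"displayName":"ConsentAction.Permissions","newValue":"[] => [[Id: 1e2f..., ClientId: 3c4d..., ConsentType: Principal, Scope: User.Read]]"}]}]}
"""

# Assumed list of delegated scopes worth an analyst's time when a *user* grants them.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
                    "MailboxSettings.ReadWrite"}
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


def load_jsonl(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def device_code_sign_ins(sign_ins):
    """Rule 1: any sign-in whose authentication protocol is the device code flow."""
    return [{"rule": "device_code_sign_in", "user": s["userPrincipalName"],
             "app": s["appDisplayName"], "ip": s["ipAddress"]}
            for s in sign_ins if s.get("authenticationProtocol") == "deviceCode"]


def token_reuse_from_new_location(sign_ins):
    """Rule 2: the attacker redeeming the refresh token shows up as a *non-interactive*
    sign-in for the same user and appId; flag it when its country differs from the
    interactive device-code sign-in that produced the token."""
    origin, alerts = {}, []
    for s in sorted(sign_ins, key=lambda r: r["createdDateTime"]):
        key = (s["userPrincipalName"], s["appId"])
        country = s["location"]["countryOrRegion"]
        if s.get("authenticationProtocol") == "deviceCode":
            origin[key] = country
        elif not s.get("isInteractive", True) and key in origin and country != origin[key]:
            alerts.append({"rule": "token_reuse_new_location", "user": key[0],
                           "app": s["appDisplayName"], "from": origin[key],
                           "to": country, "ip": s["ipAddress"]})
    return alerts


def risky_consents(audits):
    """Rule 3: a user consent that grants high-risk delegated scopes; offline_access is
    reported separately because it is what yields the refresh token."""
    alerts = []
    for a in audits:
        if a.get("activityDisplayName") != "Consent to application":
            continue
        user = a["initiatedBy"]["user"]["userPrincipalName"]
        for target in a["targetResources"]:
            scopes = set()
            for prop in target.get("modifiedProperties", []):
                if prop["displayName"] == "ConsentAction.Permissions":
                    for m in SCOPE_RE.finditer(prop["newValue"]):
                        scopes.update(m.group(1).split())
            hits = scopes & HIGH_RISK_SCOPES
            if hits:
                alerts.append({"rule": "risky_consent", "user": user,
                               "app": target["displayName"], "scopes": sorted(hits),
                               "refresh_token": "offline_access" in scopes})
    return alerts


def run(sign_in_text=SIGN_IN_LOG, audit_text=AUDIT_LOG):
    sign_ins, audits = load_jsonl(sign_in_text), load_jsonl(audit_text)
    return (device_code_sign_ins(sign_ins) + token_reuse_from_new_location(sign_ins)
            + risky_consents(audits))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data this yields three alerts, all for alice: the device code sign-in, the non-interactive sign-in for the same app two minutes later from a different country (the attacker redeeming the refresh token), and the consent granting Mail.Read and Files.Read.All with offline_access. Bob's normal sign-ins and low-risk consent produce nothing.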

10. Mitigation Requires a Multi-Layered Approach

Defending against EvilTokens and similar attacks takes several layers: (1) Block the device code flow wherever it is not needed with a Conditional Access policy that uses the authentication flows condition, excluding only the admins and service accounts that genuinely use CLI tools, and roll it out in report-only mode first to see what would break. (2) Restrict user consent in Entra ID's consent settings (allow only verified publishers and low-risk permissions, or disable user consent entirely) and enable the admin consent workflow so that higher-privilege requests are reviewed. (3) Monitor sign-in logs for device code authentications and for non-interactive sign-ins from unexpected IPs or geographies, and audit logs for consent events that grant mailbox or file access. (4) Use identity threat detection such as Microsoft Entra ID Protection and the app governance capability in Microsoft Defender for Cloud Apps to flag anomalous token usage and risky OAuth apps. (5) Educate users that microsoft.com/devicelogin is only for a code displayed on their own screen by their own device or CLI, never for a code received in an email or chat. (6) Keep a containment runbook ready: when a malicious consent is found, remove the OAuth2 permission grant (or delete the app's service principal), revoke the user's sign-in sessions, and re-check the sign-in logs for further refresh-token use. Technical controls and user vigilance are both necessary; neither is sufficient on its own.
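Steps (1) and (6) above as Microsoft Graph calls, in an added example written for this article (not EvilTokens code, not Microsoft tooling). The routes used (/oauth2PermissionGrants, /users/{id}/revokeSignInSessions, /identity/conditionalAccess/policies) are real Graph v1.0 routes; the `graph` argument is an injected callable (method, path, body) -> dict so the orchestration can be exercised offline, and every ID is a placeholder. One assumption to verify against the current Graph documentation is that the authenticationFlows condition is accepted on the API version (v1.0 or beta) your tenant uses.

```python
"""Added example: containment of a confirmed malicious consent and a Conditional
Access policy that blocks device code flow, expressed as Graph calls. Not the
article's or Microsoft's code; IDs are placeholders."""
import json
import urllib.request
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_client(access_token):
    """Real transport: returns graph(method, path, body) over urllib. The token needs
    (at least) DelegatedPermissionGrant.ReadWrite.All, User.RevokeSessions.All and
    Policy.ReadWrite.ConditionalAccess; confirm against the docs for your version."""
    def graph(method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return graph


def contain_compromised_grant(graph, user_id, client_sp_id):
    """Containment for one victim: delete the delegated grant(s) the user gave the
    attacker's service principal, then revoke the user's sign-in sessions so every
    refresh token dies. client_sp_id is the service principal *object* ID, not the
    appId. Access tokens already issued still live until they expire."""
    path = "/oauth2PermissionGrants?$filter=" + quote(f"clientId eq '{client_sp_id}'")
    # First page only; follow @odata.nextLink in a real run if the app has many grants.
    grants = [g for g in graph("GET", path, None).get("value", [])
              if g.get("principalId") == user_id]          # this user's grants only
    for grant in grants:
        graph("DELETE", f"/oauth2PermissionGrants/{grant['id']}", None)
    revoked = graph("POST", f"/users/{user_id}/revokeSignInSessions", None)
    return {"grants_removed": len(grants),
            "scopes_removed": sorted({s for g in grants for s in g.get("scope", "").split()}),
            "sessions_revoked": bool(revoked.get("value"))}


def block_device_code_policy(exclude_group_ids=()):
    """Conditional Access body: block the device code flow for everyone except groups
    that legitimately use it (CLI admins, headless devices). Report-only state first;
    switch to "enabled" after reviewing the report-only results in the sign-in logs."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def deploy_block_policy(graph, exclude_group_ids=()):
    return graph("POST", "/identity/conditionalAccess/policies",
                 block_device_code_policy(exclude_group_ids))


if __name__ == "__main__":
    # Usage sketch; needs a real token with the permissions named above.
    # g = graph_client("<access token>")
    # print(contain_compromised_grant(g, "<victim user id>", "<attacker sp object id>"))
    # print(deploy_block_policy(g, ["<break-glass group id>"]))
    print(json.dumps(block_device_code_policy(["<break-glass group id>"]), indent=2))
```

Order matters in containment: remove the grant before revoking sessions, so that a still-valid access token cannot be used to re-consent on the user's behalf while the policy is being adjusted, and remember that revoking sessions does nothing to access tokens already in the attacker's hands.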

Conclusion

EvilTokens illustrates a dangerous evolution in phishing: bypassing MFA by weaponizing OAuth consent and device code flow. Organizations that heavily rely on MFA as their sole defense are now vulnerable. The attack’s stealthiness, persistence through refresh tokens, and difficulty of detection mean that security teams must adopt a zero-trust mindset. By understanding these ten critical insights, you can better protect your Microsoft 365 environment from token theft. Stay vigilant, review your OAuth policies, and monitor for anomalous consent events.
