The New Phishing Click: How OAuth Consent Bypasses MFA

In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries.

The targets of the platform received a message asking them to enter a short code at microsoft.com/devicelogin and complete their normal MFA challenge, then walked away believing they had verified a routine sign-in. They had actually handed the operator a valid refresh token scoped to their mailbox, drive, calendar, and contacts, with the lifespan of a tenant policy rather than a session.

The operator never needed a password, never tripped an MFA prompt, and never produced a sign-in event that looked like an intrusion. The attack succeeded because the OAuth consent screen has become an instinctive click, and the controls built to stop credential phishing do not look at the consent layer.

Security researchers call the resulting condition consent phishing or OAuth grant abuse. The phishing click that mattered last decade handed over a password. The phishing click that matters now hands over a refresh token, and it sits structurally below the identity controls most organizations still treat as the perimeter.

The New Phishing Click: How OAuth Consent Bypasses MFA

Other newsrooms on this story

Related reading

Modernizing Identity Security Beyond MFA

Other newsrooms on this story

Related reading

Modernizing Identity Security Beyond MFA

Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing

Microsoft Authenticator: Critical vulnerability allows token theft

Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries

Microsoft Phone Link abused to steal SMS OTPs from enterprise PCs

From Phishing to Recovery: Breaking the Ransomware Attack Chain