The New Phishing Click: How OAuth Consent Bypasses MFA
The New Phishing Click: How OAuth Consent Bypasses MFA
19 May 2026
In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries.
The targets of the platform received a message asking them to enter a short code at microsoft.com/devicelogin and complete their normal MFA challenge, then walked away believing they had verified a