The New Phishing Click: How OAuth Consent Bypasses MFA
Summary
A new phishing-as-a-service platform called EvilTokens launched in February 2026 and has rapidly compromised over 340 Microsoft 365 organizations. The platform bypasses multi-factor authentication (MFA) by tricking users into consenting to an attacker-controlled OAuth application after a seemingly legitimate device login; once consent is granted, the application receives its own access tokens, so the attacker never has to satisfy the victim's second factor.
IFF Assessment
FOE
This article highlights a new and effective phishing technique that bypasses MFA, posing a significant threat to organizations and a new challenge for defenders.
Defender Context
Defenders need to be aware of OAuth consent phishing, which circumvents traditional MFA because the consented application, not the user's session, is what receives the tokens. Organizations should implement stricter controls around OAuth application approvals and educate users about these evolving social engineering tactics.
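As an added illustration of the "stricter controls around OAuth application approvals" point (this is not code from the original article or from any vendor), the script below triages constructed consent-audit records and flags user-granted consents to unverified applications that request high-risk delegated scopes. The record shape and field names are an assumption for the example, not Microsoft's real audit-log schema.

```python
import json

# Delegated scopes that give a consented app persistent mailbox or file
# access, which is what a consent-phishing campaign is after.
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite",
                    "Mail.Send", "Files.ReadWrite.All"}

# Constructed sample audit events, one JSON object per line. The field
# names are an assumed simplified shape, not the real Entra schema.
SAMPLE_AUDIT_LOG = """\
{"operation": "Consent to application", "user": "alice@example.test", "app": "Contoso Expense", "app_id": "00000000-0000-0000-0000-000000000001", "publisher_verified": true, "consent_type": "Admin", "permissions": "User.Read offline_access"}
{"operation": "Consent to application", "user": "bob@example.test", "app": "Secure Doc Viewer", "app_id": "00000000-0000-0000-0000-000000000002", "publisher_verified": false, "consent_type": "User", "permissions": "openid profile offline_access Mail.Read Files.ReadWrite.All"}
{"operation": "Add user", "user": "carol@example.test", "app": null, "app_id": null, "publisher_verified": null, "consent_type": null, "permissions": ""}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def consent_risk_reasons(event):
    """Return the reasons a consent grant looks like consent phishing.

    An empty list means the event is not flagged. A grant is only flagged when
    it requests high-risk scopes AND at least one trust signal is missing
    (unverified publisher, or consent given by an end user rather than through
    admin review), so a reviewed grant to a verified publisher passes.
    """
    if event.get("operation") != "Consent to application":
        return []
    scopes = set((event.get("permissions") or "").split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if not risky:
        return []  # low-privilege grants are not useful to this campaign
    reasons = ["high-risk scopes: " + ", ".join(risky)]
    if not event.get("publisher_verified"):
        reasons.append("publisher not verified")
    if event.get("consent_type") == "User":
        reasons.append("granted by end user, not via admin review")
    return reasons if len(reasons) > 1 else []


def find_risky_consents(events):
    """Map app display name -> reasons, for every flagged consent grant."""
    flagged = {}
    for event in events:
        reasons = consent_risk_reasons(event)
        if reasons:
            flagged[event["app"]] = reasons
    return flagged


if __name__ == "__main__":
    for app, reasons in find_risky_consents(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"REVIEW {app}: {'; '.join(reasons)}")
```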