EvilTokens phishing-as-a-service platform went live in February (2026) and compromised more than 340 Microsoft 365 organisations in five weeks using OAuth consent bypass.

Started by BretHart_Mike, May 21, 2026, 12:12 PM


BretHart_Mike

A phishing-as-a-service platform called EvilTokens launched in February 2026 and within five weeks had compromised more than 340 Microsoft 365 organisations by exploiting OAuth consent flows to bypass multi-factor authentication. The technique does not steal passwords. Instead it tricks users into granting malicious applications legitimate OAuth permissions, which persist even if the user changes their password or revokes MFA devices.

The OAuth consent bypass attack has been documented since 2021 but EvilTokens has productised it into a service with a user interface, support, and regular updates, dramatically lowering the skill barrier for attackers.

Cybersecurity News - WIU Cybersecurity Center - WIU

Tracey

The productisation of OAuth consent attacks into a polished phishing-as-a-service platform is the structural change that matters. The technique has existed for years. Putting it in a service with a UI and support makes it accessible to criminal operators who could not have run it themselves.

Ridge

340 organisations in five weeks is a pace that suggests the service was marketed effectively in criminal forums and the tooling worked reliably from launch. This was not an experiment; it was a prepared release.
sudo make me a sandwich

VoidSentinel74

The persistence through password changes is the feature that makes OAuth consent attacks particularly damaging. Conventional incident response resets passwords. That does not revoke OAuth tokens granted to malicious applications.

Marnie

Microsoft 365 administrators need to be reviewing their organisation's OAuth application grants regularly and revoking anything that cannot be attributed to a known legitimate use. The threat is silent and persistent.

FrostDrifter

MFA bypass through OAuth consent is the reason security teams are moving toward conditional access policies that restrict which applications can request OAuth permissions. The control has to be at the permission grant stage, not the authentication stage.

ScarletDaemon

The Microsoft Entra ID audit logs show OAuth application grants but most organisations do not monitor them proactively. The detection gap is the exploitation window.
Opinions are my own. Obviously.
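An added example (not from the original thread or from any vendor tooling) of the grant review Marnie describes and the proactive monitoring ScarletDaemon says most organisations lack: it triages delegated consent grants shaped like Microsoft Graph `oauth2PermissionGrant` objects, skips an assumed allow-list of known client ids, and scores the rest by the scopes that give a rogue app durable mailbox access or a refresh token. The records, the allow-list and the risk weights are constructed for illustration.

```python
"""Triage delegated OAuth consent grants exported from Microsoft Graph.

Each record mirrors the fields of a Graph oauth2PermissionGrant object
(clientId, consentType, principalId, scope). Sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed risk weights: scopes that let a rogue app keep reading/sending mail,
# alter inbox rules, or hold a refresh token that survives password resets.
HIGH_RISK_SCOPES = {
    "offline_access": 3,             # refresh token: persists through password reset
    "Mail.ReadWrite": 3,
    "Mail.Send": 3,
    "Files.ReadWrite.All": 3,
    "MailboxSettings.ReadWrite": 2,  # forwarding and inbox rules
    "Mail.Read": 2,
    "Contacts.Read": 1,
}

# Hypothetical allow-list of client service principal ids the tenant has vetted.
KNOWN_CLIENT_IDS = {"sp-known-helpdesk-0001"}


@dataclass
class Finding:
    client_id: str
    consent_type: str           # "Principal" (one user) or "AllPrincipals" (tenant-wide)
    principal_id: Optional[str]
    risky_scopes: List[str]
    score: int


def triage_grants(grants, known_ids=KNOWN_CLIENT_IDS) -> List[Finding]:
    """Return unattributed grants carrying risky scopes, highest score first."""
    findings = []
    for g in grants:
        if g["clientId"] in known_ids:
            continue                                  # attributed to a known use
        scopes = g.get("scope", "").split()           # Graph stores scopes space-separated
        risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
        if not risky:
            continue
        score = sum(HIGH_RISK_SCOPES[s] for s in risky)
        if g.get("consentType") == "AllPrincipals":
            score *= 2                                # admin consent: every user exposed
        findings.append(Finding(g["clientId"], g["consentType"], g.get("principalId"), risky, score))
    return sorted(findings, key=lambda f: f.score, reverse=True)


SAMPLE_GRANTS = [  # constructed sample export
    {"clientId": "sp-known-helpdesk-0001", "consentType": "Principal", "principalId": "user-7", "scope": "Mail.Read"},
    {"clientId": "sp-unknown-7f3a", "consentType": "Principal", "principalId": "user-42",
     "scope": "openid profile offline_access Mail.ReadWrite Mail.Send MailboxSettings.ReadWrite"},
    {"clientId": "sp-unknown-c0de", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read Contacts.Read"},
    {"clientId": "sp-unknown-9b1e", "consentType": "Principal", "principalId": "user-3", "scope": "User.Read openid"},
]
```

Anything it returns should be checked against the grant's creation entry in the Entra audit log before the grant is revoked, since the score only ranks what a consented scope set could do, not what was done.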

Stu96

Five weeks from launch to 340 compromised organisations suggests the initial access brokers who bought access to the service moved quickly. The compromised Microsoft 365 environments were almost certainly sold or used for further attacks.

Midnight Wolf

The name EvilTokens is almost admirably direct about what the service does. The criminal marketplace for these tools has matured to the point where branding and clear capability description are considered good sales practice.

ShawnMichaels

Conditional access policies requiring compliant devices and restricting external application OAuth grants would prevent most EvilTokens attacks. The controls exist. The implementation gap is the problem.