
Phishing Service Bypasses Microsoft 365 MFA
TL;DR: A new phishing-as-a-service platform called EvilTokens has compromised over 340 Microsoft 365 organizations. The attack tricks users into authorizing a malicious app via a device login flow, effectively bypassing multi-factor authentication and granting attackers access to their accounts without needing passwords or MFA codes.
Key facts
- Category: Cybersecurity
- Impact: Low
- Published
- Source: The Hacker News
Full summary
A new phishing service is bypassing MFA on Microsoft 365 accounts by tricking users into authorizing malicious applications through a device login prompt.
A new phishing-as-a-service (PhaaS) platform called EvilTokens has compromised over 340 Microsoft 365 organizations since its launch in February 2026. The attack employs a sophisticated method that successfully bypasses multi-factor authentication (MFA). Victims receive a message instructing them to enter a code at the official `microsoft.com/devicelogin` URL. After entering the code, they complete their normal MFA challenge. This seemingly standard procedure tricks the user into granting OAuth consent to a malicious third-party application. Instead of just verifying a login, the user unknowingly gives the attacker's app persistent access to their account data, including emails and files.
This attack vector is particularly dangerous because it exploits user trust in legitimate domains and familiar security prompts. By using Microsoft's own infrastructure, the phishing attempt appears highly credible, making it difficult for even cautious users to detect. The core issue is the abuse of the OAuth consent grant process, which, once completed, provides attackers with an access token that doesn't require a password or repeated MFA checks. This highlights a critical security gap for organizations relying heavily on MFA as their primary defense. IT and security teams must now also focus on managing application permissions and educating employees about the risks of unexpected consent requests, as these attacks are becoming more common and accessible through PhaaS platforms.
⚡ Action needed
Review Microsoft 365 application consent policies and educate users on illicit consent grant attacks.
Action checklist
1. Review and restrict user consent settings for third-party applications in your Microsoft 365 tenant.
2. Audit existing application consents and permissions to identify and revoke any suspicious or overly permissive apps.
3. Enable Microsoft's publisher verification to help users identify trustworthy applications.
4. Train employees to recognize and report unexpected device login or application consent prompts, even on legitimate sites.
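The attack described in the summary leaves two artefacts a defender can look for: a delegated consent grant to an unverified third-party app asking for durable mailbox or file scopes, and a device-code sign-in by the same user. The script below is an added example (not from the article or from Microsoft) that implements checklist items 2 and 3 as detection logic over records shaped like Microsoft Graph's `oauth2PermissionGrant`, `servicePrincipal` and `signIn` resources; the field names follow Graph, but every value, tenant id, app name and user is constructed for illustration, and the "risky scope" list is an assumption to tune per tenant.

```python
"""Audit OAuth consent grants and device-code sign-ins for illicit-consent patterns.

Added example, not from the article. Record fields follow the Microsoft Graph
resources oauth2PermissionGrant, servicePrincipal and signIn; all values below
are constructed sample data, not real tenant output.
"""

# Delegated scopes that give an app persistent access to mail/file data (assumption; tune per tenant).
RISKY_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "User.Read.All",
}

# Placeholder home tenant id (constructed).
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Constructed servicePrincipal records: one tenant-owned app, one unverified foreign app, one verified vendor.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "Contoso HR Portal",
     "appOwnerOrganizationId": HOME_TENANT_ID, "verifiedPublisher": {}},
    {"id": "sp-2", "appId": "bbbbbbbb-0000-0000-0000-000000000002", "displayName": "Mail Backup Helper",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-3", "appId": "cccccccc-0000-0000-0000-000000000003", "displayName": "Verified Vendor Sync",
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
     "verifiedPublisher": {"displayName": "Vendor Inc", "verifiedPublisherId": "99999999"}},
]

# Constructed oauth2PermissionGrant records. principalId is None for admin (AllPrincipals) consent.
GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read Mail.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-1",
     "scope": "openid profile offline_access Mail.Read Files.Read.All"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-2", "scope": "offline_access Files.Read.All"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-3", "scope": "openid profile User.Read"},
]

# Constructed signIn records; authenticationProtocol "deviceCode" marks a device-code flow sign-in.
SIGNINS = [
    {"userId": "user-1", "userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-03-02T09:14:00Z", "appDisplayName": "Mail Backup Helper"},
    {"userId": "user-2", "userPrincipalName": "bob@example.test", "authenticationProtocol": "oAuth2",
     "createdDateTime": "2026-03-02T09:20:00Z", "appDisplayName": "Verified Vendor Sync"},
    {"userId": "user-3", "userPrincipalName": "carol@example.test", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-03-02T10:05:00Z", "appDisplayName": "Mail Backup Helper"},
]


def risky_consent_grants(grants, service_principals, home_tenant_id):
    """Grants to apps owned outside the tenant, with no verified publisher, asking for risky scopes."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = sp_by_id.get(grant["clientId"])
        if sp is None or sp.get("appOwnerOrganizationId") == home_tenant_id:
            continue  # unknown client, or an app the tenant itself owns
        verified = (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId")
        risky = set(grant.get("scope", "").split()) & RISKY_SCOPES
        if not verified and risky:
            findings.append({
                "app": sp["displayName"],
                "appId": sp["appId"],
                "principalId": grant.get("principalId"),
                "consentType": grant["consentType"],
                "riskyScopes": sorted(risky),
            })
    return findings


def device_code_signins(signins):
    """Sign-ins completed through the device-code flow, the flow the phishing lure abuses."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def correlate(grants, service_principals, signins, home_tenant_id):
    """Users who both hold a risky consent grant and signed in via device code: highest-priority review."""
    risky_by_user = {f["principalId"]: f for f in risky_consent_grants(grants, service_principals, home_tenant_id)
                     if f["principalId"]}
    hits = []
    for s in device_code_signins(signins):
        finding = risky_by_user.get(s["userId"])
        if finding:
            hits.append({"user": s["userPrincipalName"], "app": finding["app"],
                         "signInTime": s["createdDateTime"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(GRANTS, SERVICE_PRINCIPALS, SIGNINS, HOME_TENANT_ID):
        print(f"review: {hit['user']} consented to {hit['app']} after device-code sign-in at {hit['signInTime']}")
```

On a real tenant the three record sets come from Microsoft Graph (for example the `Get-MgOauth2PermissionGrant`, `Get-MgServicePrincipal` and `Get-MgAuditLogSignIn` cmdlets of the Microsoft Graph PowerShell SDK, exported to JSON); the point of the correlation is that a device-code sign-in alone is legitimate for CLI tools, and an unverified app alone may be benign, but the combination for one user is the pattern the article describes and is worth revoking the grant and resetting sessions over.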
Primary source: The Hacker News