
Emerging Phishing Tactics: The Threat of OAuth Consent and MFA Bypass

A new phishing platform, EvilTokens, has exploited OAuth consent to bypass multi-factor authentication, targeting over 340 Microsoft 365 organizations.

In February 2026, the phishing-as-a-service (PhaaS) platform EvilTokens emerged, rapidly compromising more than 340 Microsoft 365 organizations across five countries within just five weeks. The platform employs a novel tactic that leverages OAuth consent flows to bypass multi-factor authentication (MFA). Victims received messages instructing them to enter a short code at microsoft.com/devicelogin, leading them to believe they were completing a legitimate MFA challenge. This method not only demonstrates the evolving sophistication of phishing attacks but also highlights the vulnerabilities inherent in widely adopted security protocols like MFA.

For businesses, this development underscores the necessity of enhancing security measures beyond traditional MFA systems. Organizations must educate employees about the signs of phishing attempts and consider implementing additional layers of security, such as contextual access controls and enhanced monitoring of authentication requests. This situation is particularly concerning for cybersecurity and AI sectors, as it emphasizes the ongoing arms race between threat actors and security professionals. As phishing techniques become more advanced, companies must stay vigilant and proactive in their defense strategies to mitigate the risks associated with these evolving tactics.
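As an added example (not code from the original article or from The Hacker News report): a small detection pass over constructed sign-in records that implements the "enhanced monitoring of authentication requests" suggested above, flagging sign-ins completed through the device code flow that the microsoft.com/devicelogin lure relies on and escalating when the code was redeemed from an address the user has never signed in from interactively. Field names are simplified; it assumes the log exposes the protocol as `deviceCode`, as Entra ID sign-in logs do.

```python
"""Flag device-code sign-ins that look like the devicelogin lure described above."""
from collections import defaultdict

# Constructed sample records (not real logs), modelled loosely on Entra ID sign-in
# fields. Each user has one ordinary interactive sign-in to establish a baseline
# IP, followed by a device-code sign-in; only alice's comes from a new address.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "protocol": "oAuth2", "ip": "203.0.113.10", "app": "SharePoint Online"},
    {"user": "alice@example.com", "protocol": "deviceCode", "ip": "198.51.100.7", "app": "Microsoft Office"},
    {"user": "bob@example.com", "protocol": "oAuth2", "ip": "203.0.113.22", "app": "Outlook"},
    {"user": "bob@example.com", "protocol": "deviceCode", "ip": "203.0.113.22", "app": "Microsoft Office"},
]


def baseline_ips(records):
    """Map each user to the IPs seen in their non-device-code sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r["protocol"] != "deviceCode":
            seen[r["user"]].add(r["ip"])
    return seen


def flag_device_code_signins(records):
    """Return one alert per device-code sign-in.

    Severity is 'high' when the IP that redeemed the code has never appeared in
    that user's interactive sign-ins (the attacker's machine polled for the
    token, not the victim's), and 'review' when it matches a known address.
    """
    known = baseline_ips(records)
    alerts = []
    for r in records:
        if r["protocol"] != "deviceCode":
            continue
        severity = "review" if r["ip"] in known.get(r["user"], set()) else "high"
        alerts.append({"user": r["user"], "ip": r["ip"], "app": r["app"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{a['severity']}] {a['user']} device-code sign-in from {a['ip']} ({a['app']})")
```

Pair this with a Conditional Access policy that blocks the device code flow for users who have no legitimate need for it, so that the detection becomes a backstop rather than the only control.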

---

*Originally reported by [The Hacker News](https://thehackernews.com/2026/05/the-new-phishing-click-how-oauth.html)*