Full Report
In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries. The targets of the platform received a message asking them to enter a short code at microsoft.com/devicelogin and complete their normal MFA challenge, then walked away believing they had verified a
Analysis Summary
# Incident Report: EvilTokens Phishing-as-a-Service Campaign
## Executive Summary
In early 2026, a phishing-as-a-service (PhaaS) platform named "EvilTokens" ran a widespread campaign built on OAuth device code phishing. The victim completes the password and MFA challenge on a legitimate Microsoft page, so MFA is not defeated in the technical sense; its result is simply delivered to the client the attacker started the flow with. Within five weeks the platform had compromised more than 340 Microsoft 365 organizations across five countries. The report groups the technique with "consent phishing" because the outcome is the same: a long-lived refresh token that gives persistent access to corporate data without further sign-in prompts and without the failed-login events that conventional credential attacks leave behind.
## Incident Details
- **Discovery Date:** March 2026 (Reported by CSA)
- **Incident Date:** February 2026 – Ongoing
- **Affected Organizations:** 340+ Microsoft 365 tenants
- **Sector:** Cross-sector (General enterprise)
- **Geography:** 5 countries
## Timeline of Events
### Initial Access
- **Date/Time:** February 2026
- **Vector:** OAuth Device Code Flow Phishing
- **Details:** Attackers sent messages instructing users to visit the legitimate `microsoft[.]com/devicelogin` page and enter a short code. The code identified a device-code sign-in that the attacker's own client had already started. Users then passed a standard MFA challenge on the legitimate Microsoft domain, which completed that sign-in: the access and refresh tokens were issued to the attacker's polling client rather than to the user's browser.
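The exchange described above, as an added in-memory simulation of the standard OAuth 2.0 device authorization grant (RFC 8628). This is illustrative code, not the platform's tooling or Microsoft's implementation: the hostname, client ID and victim address are placeholders, and real providers add expiry, rate limiting and richer error handling that are omitted here so the trust model stays visible. The point it demonstrates is that the authorization server only checks who approved the user code and that MFA passed; it has no way to tell that the browser and the polling client belong to different people.

```python
"""In-memory simulation of the OAuth 2.0 device authorization grant (RFC 8628).
Added example, not the platform's code: it shows why a victim's successful MFA
sign-in at the verification page delivers tokens to whichever client started
the flow. Hostnames and client IDs below are placeholders."""
import secrets


class AuthorizationServer:
    """Toy identity provider. Real providers add rate limits, expiry and
    device-binding options; those are omitted so the trust model stays visible."""

    def __init__(self, verification_uri="https://login.example.test/devicelogin"):
        self.verification_uri = verification_uri
        self._pending = {}        # device_code -> {"client_id", "scope", "user"}
        self._by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """RFC 8628 section 3.2: the client asks for a device_code/user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self._pending[device_code] = {"client_id": client_id, "scope": scope, "user": None}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "expires_in": 900, "interval": 5}

    def approve(self, user_code, user, mfa_passed):
        """Section 3.3: a browser session signs in and types the user_code.
        The server checks who the user is and that MFA passed; it cannot check
        that the browser and the polling client belong to the same person."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return "invalid_user_code"
        if not mfa_passed:
            return "mfa_required"
        self._pending[device_code]["user"] = user
        return "authorized"

    def token(self, client_id, device_code):
        """Sections 3.4/3.5: the polling client exchanges device_code for tokens."""
        req = self._pending.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if req["user"] is None:
            return {"error": "authorization_pending"}
        tok = {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
               "scope": req["scope"], "sub": req["user"]}
        if "offline_access" in req["scope"].split():
            tok["refresh_token"] = secrets.token_urlsafe(16)  # the long-lived prize
        del self._pending[device_code]
        return tok


def run_phish_simulation(victim="alice@victim.example", mfa_passed=True,
                         scope="offline_access Mail.Read Files.Read.All"):
    """Play all three parties; return (victim-side outcome, attacker-side token response)."""
    idp = AuthorizationServer()
    attacker_client = "client-id-under-attacker-control"   # placeholder
    # 1. The attacker's client starts the flow. Only user_code is sent to the victim.
    start = idp.device_authorization(attacker_client, scope)
    # 2. The attacker polls before the victim acts: nothing yet.
    assert idp.token(attacker_client, start["device_code"]) == {"error": "authorization_pending"}
    # 3. The victim opens the legitimate verification_uri, passes MFA, enters the code.
    outcome = idp.approve(start["user_code"], victim, mfa_passed)
    # 4. The attacker polls again; on success the tokens arrive here, not in the victim's browser.
    return outcome, idp.token(attacker_client, start["device_code"])


if __name__ == "__main__":
    outcome, tokens = run_phish_simulation()
    print(outcome, sorted(tokens))
```

Note that `offline_access` is what turns a one-hour access token into a refreshable, long-lived grant; the same simulation run without it returns no `refresh_token`, which is why that scope is the one to watch in consent records.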
### Lateral Movement
- **Mechanism:** Token-based access. Because the platform obtained refresh tokens, attackers did not need to move laterally via traditional credential theft; instead, they leveraged the scopes granted by the user (Mail, Drive, Calendar, Contacts) to access data across the suite.
### Data Exfiltration/Impact
- **Details:** Access was gained to mailboxes (messages and attachments), shared drives, and contact lists. The tokens were "scoped to the tenant policy": their lifetime followed the tenant's token lifetime settings rather than the victim's browser session, so access persisted long after the phishing message and, according to the report, survived password resets. The safe assumption for responders is that a password reset alone does not reliably revoke refresh tokens already issued; they must be revoked explicitly.
### Detection & Response
- **Detection:** Identified by security researchers as part of a broader "consent phishing" trend in which MFA was not a deterrent, because the victim completes the MFA prompt themselves on the legitimate domain.
- **Response Actions:** Explicit revocation of the OAuth grants and of affected users' refresh tokens, followed by Conditional Access policies that force re-authentication, with any re-consent to the affected applications routed through administrator review.
## Attack Methodology
- **Initial Access:** OAuth Grant Abuse (Consent Phishing).
- **Persistence:** High-privilege Refresh Tokens that survive password changes.
- **Privilege Escalation:** Not required; attackers request scopes (e.g., `Read your mail`) that provide sufficient access immediately.
- **Defense Evasion:** Use of legitimate Microsoft infrastructure (`microsoft[.]com/devicelogin`) so URL filters see nothing malicious. MFA is not bypassed technically; the victim satisfies it on the attacker's behalf, and the sign-in succeeds, so no "failed login" events are generated. In Entra ID sign-in logs the event appears as a successful sign-in whose authentication protocol is recorded as Device Code.
- **Credential Access:** Token theft (specifically OAuth Refresh Tokens).
- **Discovery:** Mapping what the compromised identity can reach, including "toxic combinations" where one user's consents bridge several interconnected SaaS apps.
- **Impact:** Long-term unauthorized data access.
## Impact Assessment
- **Financial:** High potential cost due to undetected data exfiltration and business email compromise (BEC).
- **Data Breach:** Exposure of emails, attachments, calendar entries, and files across 340+ organizations.
- **Operational:** Low immediate disruption, but high long-term risk of espionage or further extortion.
- **Reputational:** Loss of trust in identity perimeters and MFA efficacy.
## Indicators of Compromise
- **Network:** Connections to the EvilTokens PhaaS backend (URLs often change).
- **Behavioral:**
  - Users visiting `microsoft[.]com/devicelogin` without a valid business reason.
  - Successful sign-ins recorded with the Device Code authentication protocol in Entra ID sign-in logs, especially from users or locations that have no reason to use it (CLI tooling and headless devices are the legitimate users of this flow).
  - New Enterprise Applications appearing in the tenant with suspicious names (e.g., "AI Assistant," "Meeting Summarizer").
  - Applications granted broad delegated permissions, in particular `offline_access` (the scope that yields a refresh token) together with `Mail.Read` or `Files.Read.All`.
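One way to triage the behavioral indicators above, as an added example that is not part of the report: two checks run over data shaped like the Microsoft Graph `signIn`, `oauth2PermissionGrant` and `servicePrincipal` resources (the field names `authenticationProtocol`, `status.errorCode`, `scope`, `consentType`, `clientId` and `createdDateTime` are the documented ones; the records themselves are constructed for illustration). The first flags successful device-code sign-ins from anything outside an allowlist of hosts expected to use that flow; the second flags delegated grants that pair `offline_access` with a broad data scope and marks whether the consenting app is new to the tenant.

```python
"""Added triage example (not from the report): flag device-code sign-ins and
risky delegated grants in data shaped like Microsoft Graph's signIn,
oauth2PermissionGrant and servicePrincipal resources. Sample records below
are constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Delegated scopes that, combined with offline_access, give durable mailbox/file access.
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
                "Contacts.Read", "Calendars.Read", "Sites.Read.All"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def flag_device_code_signins(signins, trusted_ips=frozenset()):
    """Successful sign-ins whose authenticationProtocol is deviceCode and whose
    source IP is not one of the hosts (CI runners, kiosks) expected to use it."""
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # the flow failed; no token was issued
        if s.get("ipAddress") in trusted_ips:
            continue
        hits.append({"indicator": "device_code_signin", "user": s["userPrincipalName"],
                     "app": s.get("appDisplayName"), "ip": s.get("ipAddress"),
                     "time": s["createdDateTime"]})
    return hits


def flag_risky_grants(grants, service_principals, now, new_app_days=30):
    """Delegated grants pairing offline_access with a broad data scope, joined to
    the consenting app so a recently created app stands out."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    hits = []
    for g in grants:
        scopes = set(g.get("scope", "").split())
        broad = sorted(scopes & BROAD_SCOPES)
        if "offline_access" not in scopes or not broad:
            continue
        sp = sp_by_id.get(g["clientId"], {})
        created = sp.get("createdDateTime")
        is_new = created is not None and now - _ts(created) <= timedelta(days=new_app_days)
        hits.append({"indicator": "offline_access_grant",
                     "app": sp.get("displayName", g["clientId"]), "new_app": is_new,
                     "consent_type": g.get("consentType"), "principal": g.get("principalId"),
                     "broad_scopes": broad})
    return hits


# --- constructed sample data (not real tenant records) -----------------------
NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@victim.example", "appDisplayName": "Meeting Summarizer",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7",
     "createdDateTime": "2026-03-02T09:14:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@victim.example", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20",
     "createdDateTime": "2026-03-02T10:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@victim.example", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.21",
     "createdDateTime": "2026-03-02T10:05:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@victim.example", "appDisplayName": "Meeting Summarizer",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7",
     "createdDateTime": "2026-03-02T11:30:00Z", "status": {"errorCode": 50126}},
]
SAMPLE_SPS = [
    {"id": "sp-1", "displayName": "Meeting Summarizer", "createdDateTime": "2026-02-27T00:00:00Z"},
    {"id": "sp-2", "displayName": "Expense Tool", "createdDateTime": "2023-05-01T00:00:00Z"},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "alice-id",
     "scope": "offline_access Mail.Read Files.Read.All User.Read"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Files.Read"},
]


def triage(signins=SAMPLE_SIGNINS, grants=SAMPLE_GRANTS, sps=SAMPLE_SPS,
           now=NOW, trusted_ips=frozenset({"198.51.100.20"})):
    """Run both checks and return the combined findings list."""
    return flag_device_code_signins(signins, trusted_ips) + flag_risky_grants(grants, sps, now)


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

On the sample data the CI runner's device-code sign-in (the allowlisted IP) and the failed attempt drop out, leaving Alice's sign-in and the new app's `offline_access` grant; in a real tenant the two findings joining on the same app name is the signal to act on.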
## Response Actions
- **Containment:** Revoke all refresh tokens and sessions for affected users (`Revoke-MgUserSignInSession` in Microsoft Graph PowerShell, or the Entra ID portal). Do this before removing the application: deleting the app does not invalidate access tokens already issued, which remain usable until they expire.
- **Eradication:** Remove the malicious application's delegated permission grants and delete it from the tenant's "Enterprise Applications" list.
- **Recovery:** Force re-authentication for affected users and audit all application consents in the tenant, not only those of known victims.
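The three steps above as Microsoft Graph calls, added here as an example rather than taken from the report. It uses the documented v1.0 routes (`POST /users/{id}/revokeSignInSessions`, `GET`/`DELETE /oauth2PermissionGrants`, `DELETE /servicePrincipals/{id}`); the object IDs are placeholders, and the HTTP transport is injected so the sequence can be dry-run against recorded responses before it is pointed at a tenant with a real token.

```python
"""Added containment example (not from the report): the Graph calls behind
revoke-tokens, remove-grants, delete-app, through an injectable `call` so the
sequence can be rehearsed offline. IDs are placeholders."""
import json
import urllib.request
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_transport(access_token):
    """Real transport: call(method, url, body=None) -> parsed JSON (or {} on empty)."""
    def call(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return call


def revoke_user_sessions(call, user_id):
    """Invalidate every refresh token and session cookie issued to the user."""
    return call("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions")


def remove_app_grants(call, sp_object_id):
    """Delete delegated permission grants naming the app as client (paged)."""
    url = f"{GRAPH}/oauth2PermissionGrants?" + urlencode(
        {"$filter": f"clientId eq '{sp_object_id}'"})
    removed = []
    while url:
        page = call("GET", url)
        for grant in page.get("value", []):
            call("DELETE", f"{GRAPH}/oauth2PermissionGrants/{grant['id']}")
            removed.append(grant["id"])
        url = page.get("@odata.nextLink")
    return removed


def delete_service_principal(call, sp_object_id):
    call("DELETE", f"{GRAPH}/servicePrincipals/{sp_object_id}")


def contain(call, user_ids, sp_object_id):
    """Order matters: cut tokens first so nothing can be refreshed while the
    grants and app are removed; deleting the app alone leaves issued access
    tokens usable until they expire."""
    summary = {"revoked_users": [], "removed_grants": [], "deleted_app": sp_object_id}
    for uid in user_ids:
        revoke_user_sessions(call, uid)
        summary["revoked_users"].append(uid)
    summary["removed_grants"] = remove_app_grants(call, sp_object_id)
    delete_service_principal(call, sp_object_id)
    return summary


class RecordingTransport:
    """Dry-run transport: records every call and returns canned Graph-shaped responses."""
    def __init__(self, grants):
        self.calls = []
        self._grants = grants

    def __call__(self, method, url, body=None):
        self.calls.append((method, url))
        if method == "GET" and "/oauth2PermissionGrants" in url:
            return {"value": [{"id": g} for g in self._grants]}
        if url.endswith("/revokeSignInSessions"):
            return {"value": True}
        return {}


if __name__ == "__main__":
    dry_run = RecordingTransport(grants=["grant-a", "grant-b"])
    print(contain(dry_run, ["alice-id", "dave-id"], "sp-1"))
    # For a real run: contain(graph_transport(token), user_ids, sp_object_id)
```

The token passed to `graph_transport` needs `User.RevokeSessions.All`, `DelegatedPermissionGrant.ReadWrite.All` and `Application.ReadWrite.All` (or an equivalent directory role); with the dry-run transport the same code path runs without touching the tenant.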
## Lessons Learned
- **MFA is not a Silver Bullet:** The attack does not operate below the identity layer; it rides on it. The victim passes the MFA prompt themselves on the legitimate domain, and the resulting token goes to the attacker. A control that only checks that MFA happened cannot tell the two cases apart.
- **Consent Fatigue:** Users are conditioned to click "Accept" on permission screens, similar to 2010-era cookie banners.
- **Token Persistence:** Password resets are insufficient to stop an active OAuth-based breach; session and token management are critical.
## Recommendations
- **Restrict User Consent:** In the tenant's user consent settings, do not allow users to consent to applications (or allow it only for verified publishers and low-impact permissions) and enable the admin consent workflow so requests are reviewed. This limits what a newly registered app can obtain; it does not by itself prevent a device-code sign-in to a client the tenant already trusts.
- **Implement Conditional Access:** Use the authentication flows condition to block the device code flow for all users except the accounts that genuinely need it (CI runners, headless devices), and require managed devices or specific IP ranges for token issuance where practical.
- **Monitor App Permissions:** Regularly audit "Toxic Combinations" where third-party apps bridge multiple data silos through a single user identity.
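The Conditional Access recommendation above as a policy object plus an audit, added as an example that is not part of the report. The policy body follows the Microsoft Graph `conditionalAccessPolicy` resource as I understand it (`conditions.authenticationFlows.transferMethods` with the value `deviceCodeFlow`, `grantControls.builtInControls` of `block`); treat the field names as an assumption to verify against current Graph documentation before posting it to `/identity/conditionalAccess/policies`. The audit reports whether an enabled policy already blocks the flow tenant-wide and separately lists policies that exist but are only in report-only or disabled state, so a half-finished rollout is visible. The sample tenant policies are constructed.

```python
"""Added hardening example (not from the report): build a Conditional Access
policy that blocks the device code flow and audit whether a tenant's existing
policies already do. Field names follow the Graph conditionalAccessPolicy
resource as understood by the author of this example; verify before use."""

DEVICE_CODE_FLOW = "deviceCodeFlow"


def block_device_code_policy(display_name="Block device code flow", break_glass=()):
    """Policy body for POST /identity/conditionalAccess/policies. It starts in
    report-only mode; review the sign-ins it would have blocked, then set
    state to "enabled". break_glass holds object IDs to exclude."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": DEVICE_CODE_FLOW},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _transfer_methods(policy):
    """transferMethods is a comma-separated flags string, e.g. 'deviceCodeFlow,authenticationTransfer'."""
    raw = policy.get("conditions", {}).get("authenticationFlows", {}).get("transferMethods") or ""
    return {m.strip() for m in raw.split(",") if m.strip()}


def policies_block_device_code(policies):
    """Classify policies that block deviceCodeFlow for all users and all apps.
    'covered' is True only when at least one such policy is actually enabled."""
    enforced, not_enforced = [], []
    for p in policies:
        if DEVICE_CODE_FLOW not in _transfer_methods(p):
            continue
        c = p.get("conditions", {})
        all_users = "All" in c.get("users", {}).get("includeUsers", [])
        all_apps = "All" in c.get("applications", {}).get("includeApplications", [])
        blocks = "block" in p.get("grantControls", {}).get("builtInControls", [])
        if not (all_users and all_apps and blocks):
            continue
        (enforced if p.get("state") == "enabled" else not_enforced).append(p["displayName"])
    return {"enforced": enforced, "not_enforced": not_enforced, "covered": bool(enforced)}


# Constructed sample of what GET /identity/conditionalAccess/policies might return
# for a tenant that has MFA and legacy-auth policies but nothing for device code.
SAMPLE_TENANT_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


if __name__ == "__main__":
    print(policies_block_device_code(SAMPLE_TENANT_POLICIES))
    proposed = block_device_code_policy(break_glass=["breakglass-object-id"])
    print(policies_block_device_code(SAMPLE_TENANT_POLICIES + [proposed]))
```

Run the audit against the live policy list before and after the change; a result with the new policy under `not_enforced` is the expected state during the report-only period, and `covered` should flip to true only once the policy is switched to `enabled`.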