EvilTokens, a phishing-as-a-service platform, compromised more than 340 Microsoft 365 organizations in a matter of weeks by tricking users into approving OAuth consent requests, which handed the attacker refresh tokens rather than passwords. The attack highlights how consent phishing, toxic combinations, and long-lived grants can bypass MFA and persist across SaaS apps, making runtime visibility and token-level revocation essential. #EvilTokens #Microsoft365 #OAuth #MCP #Reco #SalesloftDrift
Key points
- EvilTokens compromised over 340 Microsoft 365 organizations in five countries within five weeks.
- The attack abused OAuth consent to steal refresh tokens without triggering MFA alerts.
- Refresh tokens survived password resets and could remain valid for weeks or months.
- Toxic combinations emerge when multiple approved app grants intersect through one identity.
- Security teams should inventory grants, monitor consent events, and revoke tokens at the token level.
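The last three points describe a triage loop: inventory the grants each identity has approved, flag the ones that issue refresh tokens or carry broad scopes, find "toxic combinations" that only exist when several apps intersect on one user, and revoke at the token level rather than resetting the password. The script below is an added example written for this summary; it is not code from the article, from Reco, or from Microsoft. Its input records are constructed to resemble a consent-grant export, the scope names are real Microsoft Graph delegated permission names, and the risk scores and toxic-combination rules are this example's own choices.

```python
"""Consent-grant triage: flag risky grants, find cross-app toxic combinations,
and build a token-level revocation plan.

SAMPLE_GRANTS is CONSTRUCTED for this example; it mimics the shape of a
consent-grant export (user, app, publisher status, granted scopes) and is
not real Entra ID audit data.
"""
from collections import defaultdict

# Delegated scopes that let an app act broadly on user data. The names are
# real Graph permission names; which ones count as "broad" is this example's choice.
BROAD_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "MailboxSettings.ReadWrite",
}

# Scope sets that are dangerous together even when no single app holds all of them.
# Rule names and contents are this example's own choices.
TOXIC_RULES = {
    "read mail + persist": {"Mail.Read", "offline_access"},
    "read mail + send mail + persist": {"Mail.Read", "Mail.Send", "offline_access"},
    "files + directory": {"Files.ReadWrite.All", "Directory.Read.All"},
}

SAMPLE_GRANTS = [  # constructed records, not real tenant data
    {"user": "alice@contoso.example", "app_id": "app-111", "app": "Doc Sync",
     "publisher_verified": True, "scopes": "Files.Read User.Read offline_access"},
    {"user": "alice@contoso.example", "app_id": "app-222", "app": "Mail Helper",
     "publisher_verified": False, "scopes": "Mail.Read offline_access"},
    {"user": "alice@contoso.example", "app_id": "app-333", "app": "Quick Send",
     "publisher_verified": False, "scopes": "Mail.Send User.Read"},
    {"user": "bob@contoso.example", "app_id": "app-444", "app": "Calendar Bot",
     "publisher_verified": True, "scopes": "Calendars.Read User.Read"},
]


def parse_scopes(scope_str):
    """Consent exports list scopes space-separated; turn them into a set."""
    return set(scope_str.split())


def risky_grants(grants, threshold=3):
    """Return [(grant, reasons)] for grants that are risky on their own.

    offline_access matters most: it means a refresh token was issued, and that
    token survives a password reset. Scores are this example's weighting.
    """
    flagged = []
    for g in grants:
        scopes = parse_scopes(g["scopes"])
        score, reasons = 0, []
        if "offline_access" in scopes:
            score += 2
            reasons.append("refresh token issued (offline_access)")
        broad = scopes & BROAD_SCOPES
        if broad:
            score += 2
            reasons.append("broad scopes: " + ", ".join(sorted(broad)))
        if not g["publisher_verified"]:
            score += 1
            reasons.append("unverified publisher")
        if score >= threshold:
            flagged.append((g, reasons))
    return flagged


def toxic_combinations(grants, rules=TOXIC_RULES):
    """Find identities whose union of grants across apps satisfies a rule that
    no single app satisfies by itself (the cross-app "toxic combination")."""
    by_user = defaultdict(list)
    for g in grants:
        by_user[g["user"]].append(g)
    findings = {}
    for user, user_grants in by_user.items():
        union = set().union(*(parse_scopes(g["scopes"]) for g in user_grants))
        hits = []
        for name, needed in rules.items():
            if not needed <= union:
                continue
            if any(needed <= parse_scopes(g["scopes"]) for g in user_grants):
                continue  # a single grant already covers it; risky_grants handles that
            contributors = [g for g in user_grants if parse_scopes(g["scopes"]) & needed]
            hits.append({"rule": name,
                         "apps": [g["app"] for g in contributors],
                         "app_ids": [g["app_id"] for g in contributors]})
        if hits:
            findings[user] = hits
    return findings


def revocation_plan(grants):
    """Token-level actions per (user, app). Deleting the grant stops new tokens;
    revoking sign-in sessions invalidates the refresh token already issued.
    In Microsoft Graph these correspond to DELETE /oauth2PermissionGrants/{id}
    and POST /users/{id}/revokeSignInSessions; this function only plans them."""
    targets = {(g["user"], g["app_id"]) for g, _ in risky_grants(grants)}
    for user, hits in toxic_combinations(grants).items():
        for h in hits:
            targets.update((user, aid) for aid in h["app_ids"])
    return [{"user": u, "app_id": a,
             "steps": ["delete_oauth2_permission_grant", "revoke_sign_in_sessions"]}
            for u, a in sorted(targets)]


if __name__ == "__main__":
    for g, reasons in risky_grants(SAMPLE_GRANTS):
        print(f"RISKY  {g['user']} -> {g['app']}: {'; '.join(reasons)}")
    for user, hits in toxic_combinations(SAMPLE_GRANTS).items():
        for h in hits:
            print(f"TOXIC  {user}: {h['rule']} via {', '.join(h['apps'])}")
    for action in revocation_plan(SAMPLE_GRANTS):
        print(f"REVOKE {action['user']} {action['app_id']}: {action['steps']}")
```

On the constructed data, "Doc Sync" is not risky on its own (a verified app asking for offline_access and read-only file access), but combined with "Mail Helper" and "Quick Send" the same identity ends up with persistent mail read and send capability spread across three apps, so all three land in the revocation plan.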
Read More: https://thehackernews.com/2026/05/the-new-phishing-click-how-oauth.html