In February 2026, a new phishing-as-a-service platform named EvilTokens emerged, posing a significant threat to Microsoft 365 users. Within a short span, this platform compromised over 340 organizations across five countries. This alarming development highlights the vulnerabilities in current security protocols.
The Mechanics Behind OAuth Consent Phishing
Victims of EvilTokens received messages prompting them to enter a code at microsoft.com/devicelogin and to complete the usual multi-factor authentication (MFA) prompt. Unbeknownst to them, completing that flow handed the attackers a refresh token scoped to their mailbox, drive, calendar, and contacts. A refresh token's lifetime is governed by tenant policy, and it outlasts the single session the user believed they were authorising.
The attackers bypassed traditional security measures without needing passwords or triggering MFA alerts. This success stems from the routine acceptance of OAuth consent screens, which existing security protocols fail to scrutinize thoroughly. Researchers have termed this issue ‘consent phishing’ or ‘OAuth grant abuse,’ posing a significant risk beneath the layer of identity controls.
Challenges in Detecting OAuth Grant Abuse
Unlike traditional credential phishing, where stolen usernames and passwords are replayed, OAuth grants leave no such trail. Users authenticate through the legitimate provider, complete MFA, and unknowingly hand over refresh tokens. These tokens are legitimate, signed by the identity provider, and refreshable; because MFA was already satisfied when they were issued, their later use never triggers a new MFA challenge.
The persistence of these tokens, even after a password reset, further complicates response. Tokens obtained through EvilTokens remain valid for extended periods unless they are explicitly revoked or re-consent is forced through conditional access policies.
Normalization of Consent and Resulting Risks
The threat landscape has evolved with OAuth’s widespread adoption. Users frequently encounter consent screens, similar to cookie banners, often clicking through without due consideration. This behavior is exploited by attackers, who take advantage of the gap between consent language and actual operational reach.
Attacks can escalate through toxic combinations of OAuth consents across multiple applications. For instance, a user might grant access to different applications individually, creating a network of permissions that span multiple services, inadvertently allowing data breaches.
Mitigating Risks and Enhancing Security
To address these vulnerabilities, organizations must treat OAuth consent with the same rigor as authentication processes. Key strategies include maintaining an inventory of OAuth applications, monitoring token age and re-consent, identifying cross-application identities, and implementing conditional access policies that trigger on consent events.
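The inventory, token-age and cross-application checks listed above, and the "toxic combination" problem from the previous section, can be triaged offline from an export of a tenant's delegated permission grants. The script below is an added example, not code from the article or from any vendor named in it. The record shape (clientId, consentType, principalId, resourceId, scope) follows the Microsoft Graph oauth2PermissionGrant resource; the records themselves, the extra grantedOn field (which Graph does not carry on that resource and which would have to come from audit-log correlation), the scope lists and the 90-day threshold are all constructed assumptions for illustration.

```python
"""Triage a constructed export of OAuth2 delegated permission grants.

The record shape (clientId, consentType, principalId, resourceId, scope)
follows the Microsoft Graph oauth2PermissionGrant resource; the records,
the grantedOn field and the policy tables are constructed for this example.
"""
from datetime import date, datetime

# High-value delegated scopes: a user-level consent carrying any of these
# yields a refresh token that reaches mail, files, calendar or contacts
# without the password. Constructed list; tune to the tenant.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Calendars.ReadWrite", "Contacts.Read", "offline_access",
}

# Scope combinations that are mundane in isolation but, once a single user
# has granted all of them (possibly to different apps), allow exfiltration
# plus persistence. Constructed policy.
TOXIC_COMBOS = [
    ({"Mail.Read", "offline_access"}, "persistent mailbox read"),
    ({"Files.Read.All", "Mail.Send"}, "read files, send them out by mail"),
]

MAX_GRANT_AGE_DAYS = 90   # assumed re-consent threshold for this example


def parse_grants(records):
    """Normalise raw grant records into a uniform dict per grant."""
    grants = []
    for r in records:
        grants.append({
            "client": r["clientId"],
            "consent": r["consentType"],        # "Principal" = one user consented
            "principal": r.get("principalId"),   # None for AllPrincipals (admin) consent
            "scopes": set(r.get("scope", "").split()),
            "granted": datetime.strptime(r["grantedOn"], "%Y-%m-%d").date(),
        })
    return grants


def risky_user_consents(grants):
    """Grants an individual user consented to that carry a sensitive scope."""
    return [g for g in grants
            if g["consent"] == "Principal" and g["scopes"] & SENSITIVE_SCOPES]


def stale_grants(grants, today, max_age_days=MAX_GRANT_AGE_DAYS):
    """Grants older than the re-consent threshold, regardless of consent type."""
    return [g for g in grants if (today - g["granted"]).days > max_age_days]


def effective_scopes_per_user(grants):
    """Union of scopes each user has consented to across ALL client apps."""
    per_user = {}
    for g in grants:
        if g["principal"] is not None:
            per_user.setdefault(g["principal"], set()).update(g["scopes"])
    return per_user


def toxic_combinations(grants):
    """Users whose combined grants across apps form a flagged combination."""
    hits = []
    for user, scopes in effective_scopes_per_user(grants).items():
        for combo, label in TOXIC_COMBOS:
            if combo <= scopes:
                hits.append((user, label))
    return hits


# Constructed sample: three small apps consented by one user, none alarming
# on its own, plus a harmless second user and an old admin-wide grant.
SAMPLE_GRANTS = [
    {"clientId": "app-mailreader", "consentType": "Principal", "principalId": "u-100",
     "resourceId": "graph", "scope": "Mail.Read offline_access", "grantedOn": "2025-10-01"},
    {"clientId": "app-filesync", "consentType": "Principal", "principalId": "u-100",
     "resourceId": "graph", "scope": "Files.Read.All", "grantedOn": "2026-01-15"},
    {"clientId": "app-notify", "consentType": "Principal", "principalId": "u-100",
     "resourceId": "graph", "scope": "Mail.Send", "grantedOn": "2026-02-10"},
    {"clientId": "app-profile", "consentType": "Principal", "principalId": "u-200",
     "resourceId": "graph", "scope": "User.Read", "grantedOn": "2026-02-01"},
    {"clientId": "app-corp-admin", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read", "grantedOn": "2024-06-01"},
]


def triage(records=SAMPLE_GRANTS, today=date(2026, 2, 20)):
    """Run all three checks and return sorted, easily diffed findings."""
    grants = parse_grants(records)
    return {
        "risky_user_consents": sorted(g["client"] for g in risky_user_consents(grants)),
        "stale": sorted(g["client"] for g in stale_grants(grants, today)),
        "toxic": sorted(toxic_combinations(grants)),
    }


if __name__ == "__main__":
    for finding, items in triage().items():
        print(finding, items)
```

The point of the per-user union is the one the article makes: reviewing grants one application at a time shows three unremarkable apps, while reviewing the identity shows a user who can now read mail persistently and mail files out. Findings from a script like this feed the revocation and re-consent steps; the script itself only reads an export.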
Platforms like Reco are stepping up to automate these tasks by mapping OAuth grants and AI agents into a comprehensive identity graph, ensuring continuous monitoring and proactive threat detection. This approach allows for timely revocation of access, offering a robust defense against emerging threats.
As consent phishing grows, it is imperative to bridge the gap in security by applying the same level of scrutiny to OAuth grants and AI connections as is currently applied to authentication protocols.
