
The New Phishing Click: How OAuth Consent Bypasses MFA

🧠 Strategic Curation (mfmd.pt): This article was analyzed, translated, and technically expanded from data provided by the authority source: thehackernews.com.

The cybersecurity threat landscape is constantly evolving, and phishing remains one of the most persistent and dangerous tactics. However, its sophistication has reached a new level. In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens emerged, quickly demonstrating its ability to bypass robust defences, including multi-factor authentication (MFA), by exploiting OAuth consent. In just five weeks, this platform compromised over 340 Microsoft 365 organizations across five countries, highlighting a critical vulnerability that businesses cannot afford to ignore.

The Why: The Sophistication of OAuth Consent Phishing

The success of attacks like those carried out by EvilTokens lies in their ability to mimic legitimate processes and exploit user trust in familiar workflows. OAuth consent is a standard step of the OAuth protocol that lets a third-party application access protected resources on behalf of a user without the user sharing their credentials with that application directly. In this scenario, attackers create fake login pages that request OAuth consent for a malicious application. The victim is then instructed to enter a short code at microsoft.com/devicelogin and complete their normal MFA challenge, believing they are verifying a legitimate application. What actually happens is that the attacker obtains a valid access token that grants access to the victim's account even with MFA enabled, because the MFA challenge the victim completed was satisfied on the attacker's behalf. This technique is particularly insidious because the user feels they are following a security procedure, which makes it extremely difficult for the untrained eye to detect.

The Impact: Devastating Consequences for Businesses

The implications of a successful OAuth consent phishing attack are vast and potentially catastrophic for any organization. Unauthorized access to Microsoft 365 accounts can lead to the exfiltration of sensitive data, the compromise of internal and external communications, and a foothold for ransomware attacks or other deeper intrusions into the corporate network. The 340+ organizations compromised by EvilTokens are a testament to the effectiveness and danger of this new wave of threats. Data loss, financial damage, and reputational erosion are just some of the consequences businesses face. Furthermore, the "as-a-service" nature of these PhaaS platforms means that sophisticated attack tools are now accessible to a much wider range of cybercriminals, increasing both the frequency and the scale of attacks.

The Solution: Proactive Strategies for Cyber Defence

Protecting your business against OAuth consent phishing and other advanced threats requires a multifaceted and proactive approach. Relying solely on MFA is not enough; it is crucial to implement additional layers of security and educate employees. mfmd.pt offers comprehensive cybersecurity services, designed to strengthen your digital defences. This includes implementing conditional access policies, continuous monitoring for suspicious activities, and utilizing advanced threat detection solutions. Additionally, strategic digital marketing consultancy can help your company develop a robust security culture through employee awareness training programmes that empower them to identify and report phishing attempts. It is essential for businesses to understand the importance of always verifying the legitimacy of consent requests and being aware of warning signs. To deepen your knowledge of these types of threats, we recommend reading authoritative articles such as those published on the Microsoft Security Blog.
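As an added, defender-side illustration of the "continuous monitoring" point above (example code written for this page, not code from the original article or from mfmd.pt): the script below scans constructed sign-in records, shaped like Microsoft Entra sign-in log entries, for the device code flow that the attack described above abuses, and flags those that come from a country the user has not otherwise been seen in or from an application not expected to use that flow. The field names (authenticationProtocol, appDisplayName, location.countryOrRegion) are taken from the Microsoft Graph signIn resource; the sample records, the app allowlist and the severity rules are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Microsoft Entra sign-in log entries
# (field names follow the Graph signIn resource; all values are invented).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName":"ana@example.com","authenticationProtocol":"oAuth2",
  "ipAddress":"203.0.113.10","location":{"countryOrRegion":"PT"},"appDisplayName":"Microsoft Teams"},
 {"userPrincipalName":"ana@example.com","authenticationProtocol":"deviceCode",
  "ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"appDisplayName":"Microsoft Office"},
 {"userPrincipalName":"rui@example.com","authenticationProtocol":"deviceCode",
  "ipAddress":"203.0.113.44","location":{"countryOrRegion":"PT"},"appDisplayName":"Azure CLI"},
 {"userPrincipalName":"rui@example.com","authenticationProtocol":"oAuth2",
  "ipAddress":"203.0.113.44","location":{"countryOrRegion":"PT"},"appDisplayName":"Outlook"}
]""")

# Apps that legitimately use the device code flow in this hypothetical tenant.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def find_device_code_signins(signins, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Flag every device code sign-in; 'high' severity when the country is new
    for that user or the app is not one expected to use device code."""
    # Baseline: countries each user was seen in via non-device-code flows.
    baseline = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            baseline[s["userPrincipalName"]].add(s.get("location", {}).get("countryOrRegion"))

    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        upn = s["userPrincipalName"]
        country = s.get("location", {}).get("countryOrRegion")
        app = s.get("appDisplayName", "")
        reasons = []
        if country not in baseline[upn]:
            reasons.append(f"country {country} not seen in user's other sign-ins")
        if app not in expected_apps:
            reasons.append(f"app '{app}' not expected to use device code flow")
        findings.append({"user": upn, "ip": s.get("ipAddress"),
                         "severity": "high" if reasons else "medium",
                         "reasons": reasons or ["device code sign-in; confirm with user"]})
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["user"], f["ip"], "; ".join(f["reasons"]))
```

On the sample data, ana's device code sign-in from a new country via an unexpected app is reported as high, while rui's from his usual country via an allowlisted app is reported as medium for analyst review.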

Do not wait for your company to become the next statistic. Cybersecurity is an essential investment in the continuity and reputation of your business. Contact mfmd.pt today for an assessment of your security needs and to implement the necessary defences.

To request our services or obtain more information, please contact us via E-mail: [email protected] or WhatsApp: +351 969 238 492.

mfmd.pt is a specialized brand in digital marketing, SEO, social media management, website development, and online advertising, providing digital solutions to enhance business growth.
