The New Phishing Click: How OAuth Consent Bypasses MFA

SITREP: In February 2026, a phishing-as-a-service platform named EvilTokens was launched, leading to the compromise of over 340 Microsoft 365 organizations across five countries within five weeks. The phishing scheme involved tricking users into entering a code at a legitimate Microsoft URL, bypassing multi-factor authentication (MFA). TACTICAL ASSESSMENT: The emergence of EvilTokens highlights a significant vulnerability in MFA systems, particularly those relying on user input for verification. This incident may lead to increased scrutiny and potential reforms in cybersecurity protocols across organizations globally. PROJECTED VECTORS: Future phishing attacks may become more sophisticated, leveraging similar tactics to exploit MFA systems and target additional organizations.