A phishing service launched in February 2026 broke into 340 Microsoft 365 organizations in five weeks — not by stealing passwords, but by stealing authentication tokens after victims completed their own MFA challenges normally.
EvilTokens Platform Compromises 340 M365 Organizations in Five Weeks Using Device-Code OAuth
EvilTokens, a phishing-as-a-service (PhaaS) platform, compromised more than 340 Microsoft 365 organizations across five countries between its February 2026 launch and the end of a five-week campaign window. The platform distinguished itself from traditional credential-phishing tools by targeting authentication tokens rather than passwords — a method that renders multi-factor authentication entirely irrelevant to the attack outcome.
No threat actor has been publicly named as operating EvilTokens. The platform’s spread across five countries is consistent with a criminal service sold to multiple buyers rather than a single actor’s targeted campaign.
How Device-Code OAuth Phishing Makes MFA Irrelevant
The attack works by directing victims to microsoft.com/devicelogin — a legitimate Microsoft URL — where they enter a short code and complete their normal MFA challenge. From the victim’s perspective, the authentication looks identical to any routine device-activation flow: they receive an MFA prompt, they approve it, and the process appears complete. No credentials are shared with the attacker, and no fraudulent site is involved.
What the victim does not know is that the short code they entered was generated by the attacker's client, not by a legitimate device. The code ties the victim's approval to whichever client requested it, so when the victim completes the MFA prompt on Microsoft's real identity provider, the tokens issued at the end of the flow, including a long-lived OAuth refresh token, go to the attacker rather than to an authorized device. That refresh token provides access to the victim's mailbox, OneDrive, calendar, and contacts.
Because the authentication occurs on Microsoft’s own infrastructure and the MFA challenge is satisfied legitimately, most identity-based detection systems see no anomaly. The attack produces a valid, fully authenticated session token through a process that looks correct from every monitoring angle except intent.
Token Persistence Extended Attacker Access Beyond Initial Compromise
The OAuth refresh tokens harvested by EvilTokens survived subsequent password resets. Victims who changed their Microsoft 365 passwords after discovering suspicious activity found that attackers retained active mailbox access — the token remained valid and continued granting access weeks or months after the initial theft. Organizations did not typically realize they were compromised until forensic investigation surfaced anomalous access patterns that password hygiene alone could not explain.
This persistence gap — the window between when a password is reset and when the underlying token is separately revoked — is a structural characteristic of OAuth-based authentication that credential-phishing attacks do not share. Stolen passwords become worthless the moment they are changed; stolen OAuth tokens require explicit revocation, a step many affected organizations did not know to take.
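The revocation step the paragraph above describes, written out as an added example (this is not code from the article, from EvilTokens, or from Microsoft). It calls the Microsoft Graph action POST /users/{id}/revokeSignInSessions, which invalidates every refresh token previously issued to that user's applications; it assumes a Graph access token obtained separately with a permission that covers the action, such as User.ReadWrite.All. The HTTP sender is injectable so the bookkeeping can be exercised offline. One caveat a responder should keep in mind: access tokens that were already issued stay valid until they expire, so revocation closes the long-lived path but does not end an in-flight session instantly.

```python
"""Revoke refresh tokens for a list of Microsoft 365 users via Graph.

Added example; the user names and token are placeholders.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def _post_with_urllib(url, headers):
    """Default sender: issue a real POST and return the HTTP status code."""
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def revoke_sign_in_sessions(users, access_token, send=_post_with_urllib):
    """Invalidate all refresh tokens issued to each user's applications.

    `users` may hold object ids or user principal names (Graph accepts
    either in the /users/{id} path). `send(url, headers) -> status` is the
    HTTP sender; a fake can be passed for testing.
    Returns {"revoked": [users...], "failed": {user: status_or_error}}.
    """
    headers = {"Authorization": "Bearer " + access_token}
    result = {"revoked": [], "failed": {}}
    for user in users:
        path = urllib.parse.quote(user, safe="@")
        url = "%s/users/%s/revokeSignInSessions" % (GRAPH_BASE, path)
        try:
            status = send(url, headers)
        except urllib.error.HTTPError as err:
            status = err.code
        except urllib.error.URLError as err:
            status = "network error: %s" % err.reason
        # Graph v1.0 answers 200 with {"value": true}; treat 204 as success too.
        if status in (200, 204):
            result["revoked"].append(user)
        else:
            result["failed"][user] = status
    return result


if __name__ == "__main__":
    # Usage: GRAPH_TOKEN=<access token> python revoke.py alice@example.com ...
    token = os.environ.get("GRAPH_TOKEN")
    if not token or len(sys.argv) < 2:
        sys.exit("set GRAPH_TOKEN and pass one or more user ids or UPNs")
    print(json.dumps(revoke_sign_in_sessions(sys.argv[1:], token), indent=2))
```

Run it against every account that appeared in the incident scope, not only the ones whose owners noticed mail being read, and record the per-user result so the audit trail shows which revocations succeeded.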
Origins in Nation-State Tradecraft, Now Commoditized
OAuth device-code phishing was pioneered by Russian APT groups as a targeted technique against high-value government and enterprise accounts. EvilTokens marks the commoditization of this approach as a commercial service accessible to criminal actors without the technical sophistication to develop the method themselves.
Microsoft has recommended that organizations disable device-code authentication flows for users who have no operational need for them, and that security teams monitor for OAuth token activity originating from unexpected locations or devices. Conditional access policies that restrict device-code authentication by user role represent a direct mitigation against the EvilTokens attack chain.
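The monitoring half of that recommendation, as an added example that is not part of the article and not a Microsoft tool: a small analyzer run over a constructed sign-in log export. It flags every device-code sign-in, rates it by whether the account has a recorded operational need for the flow (a hypothetical allow-list standing in for the role-based policy) and by whether the sign-in country already appears in that user's earlier non-device-code sign-ins. The field names (authenticationProtocol, userPrincipalName, location.countryOrRegion, ipAddress, appDisplayName) follow the shape of Entra ID sign-in log records, but the records themselves are invented; check the exact property names against your own export before relying on it.

```python
"""Flag device-code sign-ins in an Entra ID sign-in log export (added example)."""
import json
from collections import defaultdict

# Constructed sample export, one JSON object per line. Every value is invented.
SAMPLE_SIGNIN_LOG = r"""
{"createdDateTime": "2026-03-02T08:01:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook"}
{"createdDateTime": "2026-03-02T09:30:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "BR"}, "appDisplayName": "Microsoft Office"}
{"createdDateTime": "2026-03-02T08:05:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}, "appDisplayName": "Teams"}
{"createdDateTime": "2026-03-02T10:00:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}, "appDisplayName": "Azure CLI"}
{"createdDateTime": "2026-03-02T10:15:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office"}
{"createdDateTime": "2026-03-02T07:50:00Z", "userPrincipalName": "dave@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.20", "location": {"countryOrRegion": "DE"}, "appDisplayName": "Outlook"}
{"createdDateTime": "2026-03-02T11:00:00Z", "userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.21", "location": {"countryOrRegion": "DE"}, "appDisplayName": "Microsoft Office"}
"""

# Hypothetical allow-list: accounts with an operational need for the
# device-code flow (for example a headless host driven with a CLI).
DEVICE_CODE_ALLOWED = frozenset({"bob@example.com"})


def parse_log(text):
    """Parse a newline-delimited JSON export into records sorted by time."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["createdDateTime"])


def analyze(text, allowed_users=DEVICE_CODE_ALLOWED):
    """Return findings for device-code sign-ins.

    Per user, countries seen in earlier non-device-code sign-ins form the
    baseline. A device-code sign-in is then rated:
      high   - user not allow-listed and country not in baseline
      medium - allow-listed user from a new country, or a non-allow-listed
               user from a baseline country
      (none) - allow-listed user from a baseline country
    """
    baseline = defaultdict(set)
    findings = []
    for rec in parse_log(text):
        user = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion", "??")
        if rec.get("authenticationProtocol") != "deviceCode":
            baseline[user].add(country)
            continue
        known_country = country in baseline[user]
        allowed = user in allowed_users
        if allowed and known_country:
            continue
        severity = "high" if (not allowed and not known_country) else "medium"
        reasons = []
        if not allowed:
            reasons.append("user has no recorded device-code need")
        if not known_country:
            reasons.append("country %s not seen in prior sign-ins" % country)
        findings.append({
            "user": user,
            "time": rec["createdDateTime"],
            "ip": rec.get("ipAddress"),
            "country": country,
            "app": rec.get("appDisplayName"),
            "severity": severity,
            "reason": "; ".join(reasons),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_SIGNIN_LOG):
        print("%(severity)-6s %(time)s %(user)s %(country)s %(ip)s: %(reason)s" % f)
```

On the sample data this reports alice (device code from a country she has never signed in from), carol (no prior sign-in history at all) and dave (device code from his usual country but no recorded need for the flow), and stays silent on bob, the one allow-listed account. In production the baseline should come from a longer history window than the day shown here, and a high finding is a trigger to review the account's recent mailbox activity and revoke its sessions, not merely a log line.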
The M365 Exposure Surface Across Five Countries
The five-country distribution of compromised organizations points to the commercial, multi-buyer nature of the EvilTokens platform. A single threat actor would typically concentrate campaigns geographically; the broad spread across countries indicates multiple operators purchasing access to the service and running independent campaigns against separate target bases.
With 340 organizations confirmed compromised in five weeks, EvilTokens represents a meaningful acceleration in the deployment tempo of MFA-bypass phishing infrastructure. The affected organizations faced persistent unauthorized mailbox access for weeks or months after initial compromise, with complete post-incident remediation requiring not only password resets but active OAuth token audits and revocation across all affected accounts.
