The New Phishing Click: How OAuth Consent Bypasses MFA



What’s new: A phishing-as-a-service platform named EvilTokens has compromised over 340 Microsoft 365 organizations by exploiting OAuth consent screens. Users were tricked into entering a code at microsoft.com/devicelogin, unknowingly granting attackers valid refresh tokens that bypassed multi-factor authentication (MFA). This method, termed consent phishing or OAuth grant abuse, allows attackers to gain access without needing passwords or triggering MFA prompts.

Who’s affected

Organizations using Microsoft 365, particularly those that have not implemented strict controls around OAuth consent and token management, are at risk. The attack has already impacted users across five countries.

What to do

  • Review and inventory all third-party applications holding refresh tokens within your tenant.
  • Implement policies that require re-consent for tokens issued over 30 days ago.
  • Monitor identities that hold grants across multiple SaaS applications for potential cross-application risks.
  • Establish conditional access policies that trigger on consent events.
  • Develop a playbook for token-level revocation instead of user account suspension.
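The five steps above fit together as one triage routine: inventory grants that can hold refresh tokens, flag the ones older than the re-consent window, find identities whose grants span several apps, pull consent events out of the audit trail, and turn findings into token-level (not account-level) revocation actions. The script below is an added example, not code from the original post or from Microsoft. All records in it are constructed; their field names (`granted_at`, `app_name`, `operation=ConsentToApplication`, the `delete_grant` and `revoke_refresh_tokens` actions) are simplified stand-ins for what an administrator would export from the tenant, not real Microsoft Graph property names or API calls.

```python
"""Consent-grant hygiene checks for a Microsoft 365-style tenant (added example).

All data is constructed. Record shapes are simplified stand-ins for an export of
OAuth permission grants and the unified audit log; field names are assumptions,
not Microsoft Graph property names.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are deterministic
RECONSENT_AFTER = timedelta(days=30)              # policy from the post: re-consent after 30 days
CROSS_APP_THRESHOLD = 3                           # identities with grants in >= 3 apps get reviewed
APPROVED_APPS = {"app-111", "app-222", "app-333"}  # constructed allowlist of vetted applications

# Constructed grant inventory: which app a user consented to, which scopes, and when.
# 'offline_access' is the scope that lets the app obtain a refresh token.
GRANTS = [
    {"id": "g1", "client": "app-111", "app_name": "Contoso Mail Sync", "principal": "alice",
     "scope": "offline_access Mail.Read", "granted_at": NOW - timedelta(days=45)},
    {"id": "g2", "client": "app-222", "app_name": "Fabrikam Notes", "principal": "alice",
     "scope": "offline_access Files.ReadWrite", "granted_at": NOW - timedelta(days=10)},
    {"id": "g3", "client": "app-333", "app_name": "Tailwind Calendar", "principal": "alice",
     "scope": "Calendars.Read", "granted_at": NOW - timedelta(days=2)},
    {"id": "g4", "client": "app-111", "app_name": "Contoso Mail Sync", "principal": "bob",
     "scope": "offline_access Mail.Read", "granted_at": NOW - timedelta(days=5)},
    {"id": "g5", "client": "app-444", "app_name": "Unknown Helper", "principal": "carol",
     "scope": "offline_access Mail.ReadWrite", "granted_at": NOW - timedelta(days=90)},
]

# Constructed audit-log lines in a simplified key=value form (a real export would be JSON).
AUDIT_LOG = [
    "2024-05-31T10:02:11Z operation=UserLoggedIn user=alice app=app-222",
    "2024-05-31T10:05:40Z operation=ConsentToApplication user=carol app=app-444 result=Success",
    "2024-05-31T11:15:02Z operation=ConsentToApplication user=bob app=app-111 result=Success",
    "2024-05-31T12:00:00Z operation=FileAccessed user=dave app=app-333",
]


def apps_holding_refresh_tokens(grants):
    """Step 1: apps whose grants include offline_access, i.e. that can hold refresh tokens."""
    return sorted({g["client"] for g in grants if "offline_access" in g["scope"].split()})


def grants_needing_reconsent(grants, now=NOW, max_age=RECONSENT_AFTER):
    """Step 2: grant ids older than the policy window; these must be re-consented."""
    return sorted(g["id"] for g in grants if now - g["granted_at"] > max_age)


def cross_app_identities(grants, threshold=CROSS_APP_THRESHOLD):
    """Step 3: identities whose grants span several apps (large blast radius if one token leaks)."""
    apps_by_user = defaultdict(set)
    for g in grants:
        apps_by_user[g["principal"]].add(g["client"])
    return {u: sorted(a) for u, a in apps_by_user.items() if len(a) >= threshold}


def parse_audit_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["timestamp"] = ts
    return rec


def consent_events(lines, approved=APPROVED_APPS):
    """Step 4: consent events an alerting rule should fire on, with unapproved apps marked."""
    events = [r for r in map(parse_audit_line, lines) if r.get("operation") == "ConsentToApplication"]
    for e in events:
        e["approved_app"] = e.get("app") in approved
    return events


def revocation_plan(grants, grant_ids):
    """Step 5: token-level response. Remove the specific grant and invalidate the user's
    refresh tokens for that app; the user account itself stays enabled. The action names
    are hypothetical and must be mapped onto the tenant's actual admin API."""
    plan = []
    for g in grants:
        if g["id"] in grant_ids:
            plan.append({"action": "delete_grant", "grant": g["id"], "client": g["client"]})
            plan.append({"action": "revoke_refresh_tokens", "principal": g["principal"], "client": g["client"]})
    return plan


def triage(grants=GRANTS, audit=AUDIT_LOG):
    """Run all five steps and bundle the findings into one report."""
    stale = grants_needing_reconsent(grants)
    flagged = [e for e in consent_events(audit) if not e["approved_app"]]
    # revoke stale grants plus any grant created by a consent to an unapproved app
    to_revoke = set(stale) | {g["id"] for g in grants
                              if any(g["principal"] == e["user"] and g["client"] == e["app"] for e in flagged)}
    return {
        "refresh_token_apps": apps_holding_refresh_tokens(grants),
        "stale_grants": stale,
        "cross_app_identities": cross_app_identities(grants),
        "unapproved_consents": flagged,
        "revocation_plan": revocation_plan(grants, to_revoke),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The revocation plan deliberately names a grant and a principal/app pair rather than a user account: the goal of step 5 is to cut off the attacker's token without locking the legitimate user out, and the plan only becomes actionable once each hypothetical action is mapped to the tenant's real grant-deletion and session-revocation operations.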

Sources