OAuth consent: a new phishing vector bypassing MFA

Colleagues, I want to draw attention to a cybersecurity trend: phishing via OAuth consent is escalating into mass attacks.
In February 2026 PhaaS 'EvilTokens' compromised more than 340 Microsoft 365 organizations in five weeks. Users entered the code at microsoft.com/devicelogin and granted consent; attackers obtained refresh tokens for mail and OneDrive. No password was needed—MFA did not prevent the breach.
Key risks:
• OAuth grants leave no sign-in trace and are often backed by refresh tokens, so access outlives the consent click.
• Toxic grant combinations link apps through a single identity.
• MCP/agents broaden the attack surface.
Why it matters: monitor and revoke tokens at the grant level, not just block accounts.
What measures have you implemented to control OAuth grants?
#cybersecurity #IdentitySecurity #OAuth #MFA
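Added example, not code from the post: a small check that evaluates consent grants one by one, flags those giving an app refreshable access to mail or files, and groups them by identity as grant-level revocation candidates. The Grant record, the sample data and the app names are constructed for illustration and do not follow any real tenant's audit-log schema.

```python
# Added example, not code from the post: flag OAuth consent grants that give an
# app refreshable access to a user's mail or files, and emit them as grant-level
# revocation candidates. The Grant record and the sample data are constructed
# for illustration and do not follow any real tenant's audit-log schema.
from dataclasses import dataclass

# Microsoft Graph delegated scopes used for the check; offline_access is what
# yields a refresh token, so access survives long after the consent click.
REFRESH = "offline_access"
MAIL = {"Mail.Read", "Mail.ReadWrite"}
FILES = {"Files.Read.All", "Files.ReadWrite.All"}

@dataclass(frozen=True)
class Grant:
    user: str            # identity that consented
    app_id: str          # client the consent was granted to
    scopes: frozenset    # delegated scopes in the grant
    publisher_verified: bool

def classify(grant):
    """Return the reasons a single grant is risky, or [] if it is benign."""
    reasons = []
    if REFRESH in grant.scopes:
        if grant.scopes & MAIL:
            reasons.append("refreshable mail access")
        if grant.scopes & FILES:
            reasons.append("refreshable file access")
    if reasons and not grant.publisher_verified:
        reasons.append("unverified publisher")
    return reasons

def revocation_candidates(grants):
    """Evaluate every grant on its own and group the risky ones by identity.
    The result maps user -> [(app_id, reasons)]: the exact grants to revoke,
    rather than the accounts to block."""
    out = {}
    for g in grants:
        reasons = classify(g)
        if reasons:
            out.setdefault(g.user, []).append((g.app_id, reasons))
    return out

# Constructed sample: alice consented to a mail-sync app (the classic consent
# phishing outcome); bob's grants lack the refresh-plus-data pairing within a
# single grant; carol only granted basic profile access.
SAMPLE = [
    Grant("alice@example.com", "app-mailsync", frozenset({"offline_access", "Mail.Read"}), False),
    Grant("bob@example.com", "app-notes", frozenset({"offline_access", "User.Read"}), True),
    Grant("bob@example.com", "app-filesview", frozenset({"Files.Read.All"}), True),
    Grant("carol@example.com", "app-profile", frozenset({"User.Read"}), True),
]

if __name__ == "__main__":
    for user, grants in revocation_candidates(SAMPLE).items():
        for app_id, reasons in grants:
            print(f"revoke {user} -> {app_id}: {', '.join(reasons)}")
```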
