The bottom line: EvilTokens exploits OAuth 2.0 device flows to compromise 2FA-protected Microsoft 365 accounts by tricking users into authorizing devices.
The phishing-as-a-service kit EvilTokens abuses the OAuth 2.0 device authorization workflow to compromise Microsoft 365 accounts. The attack method bypasses enabled two-factor authentication.
EvilTokens is a commercialized phishing kit built specifically to compromise Microsoft 365 accounts. It exploits the OAuth 2.0 device authorization grant flow, a sign-in flow designed for devices that lack a usable browser.
What makes this attack vector distinctive is that it circumvents established security mechanisms. Even when a user has two-factor authentication enabled, EvilTokens can, through successful social engineering, get the user to complete the required device authorization and thereby obtain valid access tokens. Two-factor authentication becomes ineffective because the authentication does not go through the classic phishing pattern of a password prompt, but through the user's confirmation of what appears to be a legitimate device registration.
For CISOs, this represents a new threat class: users are prompted to confirm device authorization in their authentication apps or account management portals – a step that appears far less suspicious to many than an unusual login from a different location. This exposes a vulnerability at the intersection of user behavior and technical security.
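The abuse described above leaves a trace in sign-in telemetry: the device code is redeemed from the attacker's host, not from anything the victim normally signs in with. As an added example (not code from the article or from the EvilTokens kit), the following Python snippet flags device-code sign-ins whose source address the user has never signed in from; the field names are assumed to follow the Microsoft Entra sign-in log schema, and the records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records in the shape of Entra sign-in log entries (not real logs).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-06-16T08:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook"},
    {"createdDateTime": "2026-06-16T13:40:05Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2", "appDisplayName": "Teams"},
    {"createdDateTime": "2026-06-17T09:15:42Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "appDisplayName": "SharePoint"},
    # Device code redeemed from an address alice has never signed in from: the
    # pattern the article describes (victim approves, attacker's host receives tokens).
    {"createdDateTime": "2026-06-17T09:31:07Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "192.0.2.55", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
    # Device code from bob's usual address: plausibly legitimate, still worth review.
    {"createdDateTime": "2026-06-17T11:02:30Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI"},
]


def _ts(event):
    return datetime.strptime(event["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_signins(signins):
    """Return one finding per device-code sign-in, in time order.

    Severity is "high" when the redeeming IP has no earlier non-device-code
    sign-in by the same user (the tokens went to a host the user never used),
    otherwise "medium" (familiar address; still review if the flow is unused).
    """
    known_ips = defaultdict(set)  # user -> IPs seen in ordinary sign-ins so far
    findings = []
    for event in sorted(signins, key=_ts):
        user = event["userPrincipalName"].lower()
        ip = event["ipAddress"]
        if event.get("authenticationProtocol") != "deviceCode":
            known_ips[user].add(ip)  # build the baseline from non-device-code sign-ins
            continue
        findings.append({
            "user": user, "ip": ip, "time": event["createdDateTime"],
            "app": event.get("appDisplayName", ""),
            "severity": "high" if ip not in known_ips[user] else "medium",
        })
    return findings
```

Where an organization has no legitimate use for the device code flow, every finding is reportable regardless of severity.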
Source: borncity.com · Published June 17, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.