thehackernews.com 5/19/2026, 12:50:35 PM

EvilTokens hijacks 340 Microsoft 365 firms via OAuth consent


According to The Hacker News, a phishing-as-a-service platform called EvilTokens went live in February 2026 and, within five weeks, had compromised more than 340 Microsoft 365 organisations across five countries. Targets were asked to enter a short code at microsoft[.]com/devicelogin, ostensibly to complete their normal MFA; in doing so they handed the operator a valid refresh token scoped to their mailbox, drive, calendar and contacts.

The operator never needed a password, never triggered an MFA prompt, and never produced a sign-in event that looked like an intrusion. The attack succeeded because the OAuth consent screen is treated as a routine click, and the controls built to stop credential phishing do not inspect the consent layer. Security researchers describe this as consent phishing or OAuth grant abuse, and note that MFA cannot block an already-granted refresh token because the MFA step has already been completed by the time the token is issued.

The article explains that refresh tokens can survive password resets and remain valid for weeks or months, depending on tenant configuration, until they are revoked or the user re-consents.
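As an added, defender-side example that is not part of the article: a small Python check over constructed sign-in records that flags device-code sign-ins from outside the organisation's known egress ranges and lists the users whose refresh tokens need revoking rather than just a password reset. The field names and the `deviceCode` protocol value are modelled on Entra ID sign-in log entries, which the article does not quote, and the IP ranges are placeholders.

```python
import ipaddress

# Corporate egress ranges: placeholder values, replace with the tenant's own.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records; field names follow Entra ID sign-in log entries
# (assumed here, since the article quotes no log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "createdDateTime": "2026-03-02T09:14:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.44", "createdDateTime": "2026-03-02T09:20:00Z"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.9", "createdDateTime": "2026-03-02T09:31:00Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.15", "createdDateTime": "2026-03-03T11:02:00Z"},
]


def is_known_egress(ip: str) -> bool:
    """True when the address falls inside one of the tenant's known egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def suspicious_device_code_signins(records):
    """Device-code sign-ins whose recorded address does not belong to the
    organisation: the pattern the article describes, where the victim types a
    code on the legitimate Microsoft page but the resulting token is not theirs."""
    return [
        r for r in records
        if r.get("authenticationProtocol") == "deviceCode"
        and not is_known_egress(r["ipAddress"])
    ]


def users_needing_revocation(records):
    """Accounts whose refresh tokens should be revoked; as the article notes,
    a password reset alone does not invalidate them."""
    return sorted({r["userPrincipalName"] for r in suspicious_device_code_signins(records)})


if __name__ == "__main__":
    for r in suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(f"{r['createdDateTime']} {r['userPrincipalName']} "
              f"device-code sign-in from {r['ipAddress']}")
    print("revoke sessions for:", users_needing_revocation(SAMPLE_SIGNINS))
```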


Article by CyberSIXT