Find notable cyber news and cases, enriched with sources, timelines, and signals.

EvilTokens Microsoft 365 consent phishing campaign

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

The EvilTokens campaign rapidly compromised more than 340 Microsoft 365 organizations across five countries, showing how OAuth grant abuse can bypass MFA and create durable access. The operation began in February 2026 and used a phishing-as-a-service model to scale consent phishing. Targets were pushed to approve a prompt at microsoft.com/devicelogin, which handed the operator a refresh token instead of a password. That token could survive password resets and extend access far beyond the initial sign-in.

Related Happenings

O-UNC-066 / Pink Microsoft Entra passkey vishing campaign

Campaign
H score37 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...

Microsoft Azure CLI password-spray campaign using ROPC

Campaign
H score24 First: 01.07.2026 08:46 Last: 01.07.2026 08:46 Sources 1

About this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...

FortiBleed Fortinet credential-theft campaign

Campaign
H score89 First: 19.06.2026 13:48 Last: 19.06.2026 13:48 Sources 1

About this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...

Latest development: 22.06.2026 11:30

The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.

Microsoft 365 Android apps token-sharing flaw (multiple vulnerabilities)

Vulnerability
H score21 First: 03.06.2026 17:56 Last: 03.06.2026 17:56 Sources 1

About this happening: **Microsoft 365 Android apps** were exposed by a leftover **setIsDebugMode(true)** flag that let same-device apps steal account tokens and act as the signed-in user. The flaw coul...

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

Timeline

  1. 19.05.2026 14:30 2 articles · 1mo ago

    EvilTokens Microsoft 365 consent phishing campaign

    Initial Disclosure

    The campaign began in **February 2026** when **EvilTokens** launched as a **PhaaS** operation. Early activity centered on consent phishing at **microsoft.com/devicelogan**, using a fake device-code flow to capture OAuth refresh tokens.

    Show sources