EvilTokens Microsoft 365 consent phishing campaign
Campaign
Summary
The EvilTokens campaign rapidly compromised more than 340 Microsoft 365 organizations across five countries, showing how OAuth grant abuse can bypass MFA and create durable access. The operation began in February 2026 and used a phishing-as-a-service model to scale consent phishing. Targets were pushed to approve a prompt at microsoft.com/devicelogin, which handed the operator a refresh token instead of a password. That token could survive password resets and extend access far beyond the initial sign-in.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Microsoft AiTM payroll pirate attack mitigation
Advisory/Mitigation
First: 10.04.2026 14:56
Last: 10.04.2026 14:56
Sources 1
About this happening:
**Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...
Storm-2755 payroll pirate campaign targeting Canadian employees
Campaign
First: 10.04.2026 14:56
Last: 10.04.2026 14:56
Sources 1
About this happening:
The **Storm-2755** campaign is stealing **Canadian employees' salary payments** by hijacking accounts through **Microsoft 365** phishing pages, creating immediate payroll-diversio...
Phishing-resistant authentication to block post-breach credential abuse and relay attacks
Defensive Guidance
First: 09.04.2026 17:02
Last: 09.04.2026 17:02
Sources 1
About this happening:
**Phishing-resistant authentication** is being emphasized as the control that can stop post-breach account takeover when exposed email records fuel **credential stuffing**, **AiTM...
Timeline
19.05.2026 14:30 · 2 articles
EvilTokens Microsoft 365 consent phishing campaign
Initial Disclosure: The campaign began in **February 2026** when **EvilTokens** launched as a **PhaaS** operation. Early activity centered on consent phishing at **microsoft.com/devicelogin**, using a fake device-code flow to capture OAuth refresh tokens.
Sources:
- The New Phishing Click: How OAuth Consent Bypasses MFA — thehackernews.com — 19.05.2026 14:30