EvilTokens — new phishing attack bypasses MFA entirely via device code flow
New phishing-as-a-service platform steals M365 tokens by tricking users into authenticating on Microsoft's own login page.
A new phishing platform called EvilTokens has compromised over 340 Microsoft 365 organizations across five countries since mid-February 2026. The attack abuses the OAuth 2.0 device authorization grant (RFC 8628, better known as the device code flow), the same mechanism used to sign in to apps on smart TVs and other input-constrained devices.
What makes this attack dangerous is that the user authenticates on Microsoft's own legitimate login page. MFA works exactly as designed and is satisfied by the victim, yet the attacker still ends up with valid tokens for the victim's account.
How the attack works
The attacker first starts a device code flow against Microsoft's token service and receives a short user code plus a device code that only the attacker holds. The phishing email then delivers that user code together with a link to microsoft.com/devicelogin, Microsoft's genuine device login page. The user, believing the request is legitimate, enters the code, signs in and completes MFA. Meanwhile the attacker's client keeps polling the token endpoint with the device code; as soon as the login completes, Microsoft hands that client an access token and a refresh token. No credential is ever typed into an attacker-controlled site, which is why the usual "check the URL" advice does not help here. The lure pushes for immediate action because a device code is only valid for a short time (15 minutes in Entra ID) before the attacker has to generate a new one.
With these tokens, the attacker gains full access to the user's email, Teams, OneDrive and SharePoint (the exact reach depends on the client and scopes the attacker requested). The refresh token provides long-lived access and keeps working even after the user changes their password, so incident response has to revoke the user's sessions explicitly rather than only resetting the password.
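To make the mechanism concrete, the following is an added simulation of the device code grant written for this article; it is not EvilTokens code and not Microsoft's implementation. The AuthorizationServer class is a hypothetical stand-in for the /devicecode and /token endpoints, the client_id and scopes are assumed, and all codes and tokens are constructed locally so it runs offline. The point it demonstrates is that the token endpoint checks only possession of the device code (and the matching client_id), never who started the flow or who typed the user code.

```python
"""
Simulation of the OAuth 2.0 device authorization grant (RFC 8628) as abused by
device code phishing. This is an added example, not EvilTokens code and not
Microsoft's implementation: AuthorizationServer is a hypothetical stand-in for
the /devicecode and /token endpoints, and every code and token is constructed
locally so the script runs offline.
"""
import secrets
import time


class AuthorizationServer:
    """Minimal authorization server implementing only the device code grant."""

    def __init__(self, device_code_lifetime=900, now=time.time):
        self.now = now                     # injectable clock, used to show expiry
        self.lifetime = device_code_lifetime
        self.requests = {}                 # device_code -> pending request
        self.by_user_code = {}             # user_code -> device_code

    def devicecode(self, client_id, scope):
        """Step 1: the client (the attacker) starts the flow and gets both codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.requests[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.now() + self.lifetime, "user": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.lifetime, "interval": 5}

    def devicelogin(self, user_code, user, mfa_ok):
        """Step 2: the victim types the user code on the real login page and
        passes MFA. Nothing on this page reveals who started the flow."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        req = self.requests[device_code]
        if self.now() > req["expires_at"]:
            return "expired"
        if not mfa_ok:
            return "mfa_failed"
        req["user"] = user                 # approval is bound to the device code
        return "ok"

    def token(self, client_id, device_code):
        """Step 3: whoever holds device_code polls here and collects the tokens."""
        req = self.requests.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now() > req["expires_at"]:
            return {"error": "expired_token"}
        if req["user"] is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "scope": req["scope"],
                "access_token": f"at.{req['user']}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{req['user']}.{secrets.token_hex(8)}"}


def run_phish(server, victim="alice@contoso.example", victim_enters_code=True):
    """Walk the three steps from the attacker's side and return what each yields."""
    client_id = "client-chosen-by-attacker"   # assumption: a client_id allowed to use the grant
    start = server.devicecode(client_id, "openid offline_access Mail.Read")
    pending = server.token(client_id, start["device_code"])   # poll before the victim acts
    login = None
    if victim_enters_code:
        # The phishing mail carried start["user_code"] and the genuine verification_uri.
        login = server.devicelogin(start["user_code"], victim, mfa_ok=True)
    final = server.token(client_id, start["device_code"])
    return {"user_code": start["user_code"], "pending": pending, "login": login, "final": final}


if __name__ == "__main__":
    result = run_phish(AuthorizationServer())
    print("mail the victim this code:", result["user_code"])
    print("first poll:", result["pending"])
    print("after victim logs in with MFA:", result["final"])
```

Running it shows the attacker's first poll answered with authorization_pending, then, once the victim has entered the code and passed MFA, a token response delivered to the attacker's client. The injectable clock also shows the short window: once the device code's lifetime has passed, both the login page and the token endpoint refuse it and the attacker has to start over with a fresh code.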
Who is affected
Affected sectors include construction, legal services, healthcare, nonprofits, real estate, and manufacturing — typical SMB verticals.
What you should do
- Block device code flow in Conditional Access (the "Authentication flows" condition). Start in report-only mode to surface legitimate uses such as headless CLI logins or meeting-room devices, then enforce, keeping the usual break-glass exclusions.
- Review Entra sign-in logs for device code flow authentication events (Authentication Protocol = Device Code). Treat a successful device code sign-in from a location the user never signs in from as a compromise until proven otherwise, and revoke that user's sign-in sessions rather than only resetting the password.
- Restrict OAuth app consent. This is general hygiene against token theft through malicious apps; it does not stop device code phishing that uses Microsoft's own pre-consented first-party clients, which is why the Conditional Access block comes first.
- Train staff: never enter a verification code you did not request yourself, even when the page asking for it is a genuine Microsoft page.
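The log review and the Conditional Access block above, worked through as an added example that is not HaggeBurger's tooling or any vendor code. The sign-in records are constructed in the shape of Microsoft Graph signIn objects (trimmed to the fields used), the hypothetical users, IPs and app names are assumptions, and the Graph request bodies are built but never sent, so the script runs offline.

```python
"""
Hunting device code sign-ins in Entra ID sign-in logs and turning hits into
response actions. This is an added example, not HaggeBurger's tooling: the
records in SIGN_INS are constructed in the shape of Microsoft Graph signIn
objects (trimmed to the fields used), and the Graph request bodies are built
but never sent, so everything runs offline.
"""
from collections import defaultdict

# Constructed sample export. errorCode 0 means the sign-in succeeded; app names
# vary with the client_id the attacker chose, so the hunt keys on the protocol.
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "NO"}, "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "none", "createdDateTime": "2026-02-17T07:58:03Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-02-17T08:14:41Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "NO"}, "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "none", "createdDateTime": "2026-02-17T08:40:12Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "NO"}, "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-02-17T09:02:10Z",
     "status": {"errorCode": 0}},      # device code from the user's usual network
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "198.51.100.78",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-02-17T09:30:00Z",
     "status": {"errorCode": 500121}},  # MFA not completed: an attempt, not a compromise
]


def hunt_device_code(sign_ins):
    """Return every device code sign-in, rated against the countries the same
    user signs in from with other protocols in the same export."""
    baseline = defaultdict(set)
    for s in sign_ins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    findings = []
    for s in sign_ins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        succeeded = s["status"]["errorCode"] == 0
        if succeeded and country not in baseline[user]:
            severity = "high"      # token issued, from somewhere the user never is
        elif succeeded:
            severity = "medium"    # token issued; confirm with the user
        else:
            severity = "low"       # lure reached the user but no token was issued
        findings.append({"user": user, "time": s["createdDateTime"], "ip": s["ipAddress"],
                         "country": country, "app": s["appDisplayName"],
                         "succeeded": succeeded, "severity": severity})
    return findings


def response_actions(findings):
    """Graph calls to issue for high-severity hits. revokeSignInSessions invalidates
    the user's refresh tokens, which a password reset alone does not guarantee."""
    users = sorted({f["user"] for f in findings if f["severity"] == "high"})
    return [{"method": "POST", "path": f"/v1.0/users/{u}/revokeSignInSessions"} for u in users]


def device_code_block_policy(excluded_users=()):
    """Body for POST /v1.0/identity/conditionalAccess/policies that blocks the device
    code flow tenant-wide. Created in report-only state so legitimate uses (headless
    CLI logins, meeting-room devices) surface before enforcement; pass break-glass
    account ids in excluded_users."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_users)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    hits = hunt_device_code(SIGN_INS)
    for h in hits:
        print(h["severity"].upper(), h["user"], h["time"], h["ip"], h["country"], h["app"])
    print(response_actions(hits))
    print(device_code_block_policy(excluded_users=["<break-glass-object-id>"]))
```

On the sample data alice's device code sign-in from a country she otherwise never uses is rated high and gets a session revocation, bob's device code sign-in from his usual network is medium (ask the user whether they set up a device), and carol's failed attempt is low but still tells you the lure reached her. Against a real tenant, feed the function a Graph /auditLogs/signIns export covering at least the period since mid-February and widen the baseline to IP ranges or ASNs if your users travel; the policy body is deliberately report-only so the sign-in logs can show what it would have blocked before you flip the state to enabled.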
How HaggeBurger can help
We offer an OAuth security review (2 hours) where we check device code policies, app consent settings, and review sign-in logs. Get in touch and we will check your environment.