Widespread OAuth Device Code Phishing Campaign Targets Microsoft 365 via EvilTokens PhaaS
Summary
Since mid-February 2026, a large-scale device code phishing campaign has targeted Microsoft 365 across at least 340 organizations in over 10 countries, escalating 37.5x in early April. The campaign abuses OAuth device authorization flows via the EvilTokens PhaaS platform and at least 10 additional phishing kits (VENOM, DOCUPOLL, SHAREFILE, etc.), granting persistent access tokens even after password resets. Attacks incorporate anti-bot evasion, multi-hop redirect chains via vendor services, and SaaS-themed lures, while mitigation focuses on disabling device code flows and monitoring anomalous authentications. Credential exposures like the Figure breach (967,200 email records) enable follow-on campaigns—credential stuffing, AI-generated phishing, and help desk social engineering—that bypass legacy MFA through real-time phishing relays and social engineering. Legacy MFA and even FIDO2 passkeys are structurally unable to prevent these attacks, which rely on human judgment at critical control points. Phishing-resistant authentication requires cryptographic origin binding, hardware-bound keys, and live biometric verification to close relay and delegation vectors. New research emphasizes how EvilTokens and similar kits exploit OAuth consent screens to trick users into granting scoped refresh tokens, bypassing MFA entirely and maintaining persistence even after password resets. The attack vector, termed consent phishing or OAuth grant abuse, operates below traditional identity controls, with refresh tokens surviving tenant policy changes unless explicitly revoked. The article also highlights the rise of 'toxic combinations'—unauthorized bridges between SaaS applications via OAuth grants—that create interconnected risk surfaces, exemplified by the 2025 Salesloft-Drift incident. 
Mitigation strategies now include platforms like Reco that map OAuth grants and AI agents into identity graphs, enabling continuous monitoring and token-level revocation to address these emergent attack pathways.
Timeline
- 25.03.2026 13:34 (5 articles)
  Device Code Phishing Campaign Leveraging EvilTokens PhaaS Hits 340+ Microsoft 365 Organizations
  The campaign’s scope and persistence are further clarified, revealing how EvilTokens and similar kits abuse OAuth consent screens to obtain refresh tokens rather than passwords, bypassing MFA entirely. Refresh tokens issued by EvilTokens survived password resets and remained valid for weeks or months depending on tenant configuration, requiring explicit revocation or conditional access policy changes to invalidate. The article introduces the concept of 'consent phishing' (OAuth grant abuse), where users are tricked into granting scoped refresh tokens through normalized consent clicks, and highlights the structural gap between consent screen language and operational reach (e.g., 'Read your mail' covering all messages and attachments). It also details the rise of 'toxic combinations'—unauthorized bridges between SaaS applications via OAuth grants that create interconnected risk surfaces not visible to any single application’s audit logs, exemplified by the 2025 Salesloft-Drift incident where a compromised downstream connector spread through 700+ Salesforce tenants. Mitigation strategies are expanded to include platforms like Reco, which map OAuth grants and AI agents into identity graphs to detect bridges, unused tokens, and policy deviations, enabling token-level revocation instead of user account suspension.
  Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
  - When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
  - The New Phishing Click: How OAuth Consent Bypasses MFA — thehackernews.com — 19.05.2026 14:30
Information Snippets
- The campaign abuses Microsoft’s OAuth device authorization flow to generate persistent access tokens that remain valid even after password resets.
  First reported: 25.03.2026 13:34 (2 sources, 3 articles)
  Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
  - The New Phishing Click: How OAuth Consent Bypasses MFA — thehackernews.com — 19.05.2026 14:30
- Threat actors use Cloudflare Workers and Railway PaaS infrastructure (IPs: 162.220.234[.]41, 162.220.234[.]66, 162.220.232[.]57, 162.220.232[.]99, 162.220.232[.]235) to host phishing landing pages and harvest credentials.
  First reported: 25.03.2026 13:34 (1 source, 1 article)
  Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- Attackers employ a multi-hop redirect chain leveraging legitimate vendor redirect services (Cisco, Trend Micro, Mimecast) to bypass email security controls.
  First reported: 25.03.2026 13:34 (1 source, 1 article)
  Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- The EvilTokens phishing-as-a-service platform was launched on Telegram in early 2026 and provides automated phishing email delivery, bypass tools, and 24/7 support.
  First reported: 25.03.2026 13:34 (2 sources, 3 articles)
  Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Unit 42 observed anti-bot evasion techniques including disabled right-click, blocked developer tools access, and infinite debugger loops on phishing pages.
  First reported: 25.03.2026 13:34 (2 sources, 2 articles)
  Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Prior device code phishing activity was attributed to Russia-aligned groups including Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare.
  First reported: 25.03.2026 13:34 (2 sources, 2 articles)
  Sources:
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- EvilTokens provides device code phishing capabilities integrated into a malicious kit sold over Telegram, enabling account hijacking for Microsoft accounts.
  First reported: 01.04.2026 22:42 (1 source, 1 article)
  Sources:
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- EvilTokens is under active development with planned future support for Gmail and Okta phishing pages.
  First reported: 01.04.2026 22:42 (1 source, 2 articles)
  Sources:
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Sekoia observed EvilTokens attacks where victims received emails containing QR codes or hyperlinks to EvilTokens phishing templates, with lures impersonating business content such as financial documents, meeting invitations, or DocuSign/SharePoint shared documents.
  First reported: 01.04.2026 22:42 (1 source, 2 articles)
  Sources:
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- EvilTokens phishing pages impersonate trusted services like Adobe Acrobat or DocuSign, display a verification code, and prompt victims to click a 'Continue to Microsoft' button to reach the legitimate Microsoft device login page.
  First reported: 01.04.2026 22:42 (1 source, 1 article)
  Sources:
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- EvilTokens enables attackers to obtain both short-lived and refresh tokens for persistent access to victim accounts, granting immediate access to email, files, Teams data, and SSO impersonation capabilities across Microsoft services.
  First reported: 01.04.2026 22:42 (1 source, 2 articles)
  Sources:
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Sekoia identified EvilTokens campaigns with global reach, affecting countries including the United States, Canada, France, Australia, India, Switzerland, and the UAE, with advanced features supporting business email compromise (BEC) activities.
  First reported: 01.04.2026 22:42 (1 source, 2 articles)
  Sources:
  - New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Device code phishing attacks leveraging OAuth 2.0 Device Authorization Grant flows have surged 37.5 times in early 2026 compared to baseline levels at the start of March 2026.
  First reported: 04.04.2026 17:17 (1 source, 1 article)
  Sources:
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- EvilTokens is identified as the most prominent phishing kit driving the mainstream adoption of device code phishing, enabling low-skilled cybercriminals to execute attacks.
  First reported: 04.04.2026 17:17 (1 source, 1 article)
  Sources:
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- At least 11 distinct phishing kits, including VENOM, SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, and DCSTATUS, now offer device code phishing capabilities with realistic SaaS-themed lures and anti-bot protections.
  First reported: 04.04.2026 17:17 (1 source, 1 article)
  Sources:
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Push Security observed a 15x increase in device code phishing pages detected at the start of March 2026, escalating to 37.5x by early April 2026.
  First reported: 04.04.2026 17:17 (1 source, 1 article)
  Sources:
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Sekoia’s research on EvilTokens is highlighted as a prominent example of a phishing kit that democratizes device code phishing, making it accessible to a broader range of threat actors.
  First reported: 04.04.2026 17:17 (1 source, 1 article)
  Sources:
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Push Security recommends disabling the device code flow via Conditional Access policies and monitoring sign-in logs for unexpected device code authentication events, unusual IP addresses, and anomalous sessions to mitigate attacks.
  First reported: 04.04.2026 17:17 (2 sources, 2 articles)
  Sources:
  - Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
  - The New Phishing Click: How OAuth Consent Bypasses MFA — thehackernews.com — 19.05.2026 14:30
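The two controls recommended in that snippet, expressed as code. This is an added example, not code from the source articles, Push Security, or Microsoft. It assumes the field names of the Microsoft Graph conditionalAccessPolicy resource (the `authenticationFlows` / `transferMethods` condition) and of the Graph signIn resource (`authenticationProtocol`, `ipAddress`, `location.countryOrRegion`, `appDisplayName`); the break-glass group id is a placeholder, and the corporate network range, expected countries, expected device-code apps and all sign-in records are constructed sample data.

```python
"""
Two defensive controls against OAuth device code phishing (added example):

 1. A Microsoft Entra Conditional Access policy body that blocks the device
    code flow tenant-wide, created in report-only mode first so legitimate
    CLI / headless sign-ins can be reviewed before enforcement.
 2. A detector over sign-in log records that flags device-code
    authentications from a non-corporate IP, an unexpected country, or an
    application that is not expected to use the flow.

Field names assume the Microsoft Graph conditionalAccessPolicy and signIn
resources; every record and network range below is constructed sample data.
"""
import ipaddress
import json
from typing import Iterable

# Placeholder id for a hypothetical break-glass admin group (assumption).
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def block_device_code_policy(display_name: str = "Block device code flow") -> dict:
    """Return a Conditional Access policy document that blocks device code flow."""
    return {
        "displayName": display_name,
        # Report-only first; switch to "enabled" once the impact is reviewed.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": [BREAK_GLASS_GROUP_ID],
            },
            "applications": {"includeApplications": ["All"]},
            # The "Authentication flows" condition targeting device code flow.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sample sign-in records; a real feed is the Entra sign-in log export.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Outlook"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Azure CLI"},
]

# Constructed baseline of what "expected" looks like for this tenant.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_COUNTRIES = {"US"}
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}  # apps that legitimately use the flow


def is_corporate_ip(ip: str) -> bool:
    """True if the address falls inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def find_suspicious_device_code_signins(records: Iterable[dict]) -> list[dict]:
    """Return one finding per device-code sign-in that deviates from the baseline."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # only device code authentications are in scope here
        reasons = []
        if not is_corporate_ip(rec["ipAddress"]):
            reasons.append("non-corporate IP")
        if rec.get("location", {}).get("countryOrRegion") not in EXPECTED_COUNTRIES:
            reasons.append("unexpected country")
        if rec.get("appDisplayName") not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("app not expected to use device code")
        if reasons:
            findings.append({"user": rec["userPrincipalName"],
                             "ip": rec["ipAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(block_device_code_policy(), indent=2))
    for finding in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print("ALERT", finding)
```

Run against the constructed records, only bob's sign-in is reported: it uses device code from outside the corporate range and through an application the tenant does not expect to use that flow, while carol's Azure CLI sign-in from the corporate network passes. The policy starts in report-only state on purpose; enforcing it blindly will also cut off the legitimate headless tooling the exclusion group is meant to cover.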
- The Figure breach exposed 967,200 email records without exploiting any vulnerability or zero-day, enabling downstream credential stuffing, targeted phishing, and help desk social engineering campaigns.
  First reported: 09.04.2026 17:02 (2 sources, 2 articles)
  Sources:
  - When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
  - The New Phishing Click: How OAuth Consent Bypasses MFA — thehackernews.com — 19.05.2026 14:30
- Adversaries use exposed email records to run credential stuffing against enterprise portals, VPN gateways, Microsoft 365, Okta, and identity providers, achieving 2–3% success rates that translate to 19,000–29,000 valid credential pairs from 967,200 records.
  First reported: 09.04.2026 17:02 (1 source, 1 article)
  Sources:
  - When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- AI-assisted tooling can generate personalized phishing campaigns from a leaked email list in minutes, impersonating internal communications with job title, department, or LinkedIn-derived details to tailor lures.
  First reported: 09.04.2026 17:02 (1 source, 1 article)
  Sources:
  - When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- Help desk social engineering leverages valid email addresses and OSINT to impersonate employees in calls to IT support, requesting password resets, MFA device resets, or account unlocks to bypass authentication technology entirely.
  First reported: 09.04.2026 17:02 (1 source, 1 article)
  Sources:
  - When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- Legacy MFA (push notifications, SMS codes, TOTP) is vulnerable to real-time phishing relays (AiTM attacks) that forward credentials and MFA challenges between victim and real site, resulting in an authenticated session without needing to break cryptography.
  First reported: 09.04.2026 17:02 (2 sources, 2 articles)
  Sources:
  - When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
  - The New Phishing Click: How OAuth Consent Bypasses MFA — thehackernews.com — 19.05.2026 14:30
- Adversary-in-the-middle toolkits like Evilginx, Modlishka, and Muraena are publicly available, actively maintained, and require no advanced tradecraft to operate, making relay attacks baseline adversary capability.
  First reported: 09.04.2026 17:02 (2 sources, 2 articles)
  Sources:
  - When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
  - The New Phishing Click: How OAuth Consent Bypasses MFA — thehackernews.com — 19.05.2026 14:30
- FIDO2/WebAuthn passkeys, even cloud-synced, remain vulnerable to SIM swap attacks, account takeover via credential phishing, and recovery flow exploitation, rendering them insufficient alone for phishing-resistant authentication.
  First reported: 09.04.2026 17:02 (1 source, 1 article)
  Sources:
  - When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- Phishing-resistant authentication requires cryptographic origin binding, hardware-bound private keys that never leave secure hardware, and live biometric verification of the authorized individual to close relay attack vectors.
  First reported: 09.04.2026 17:02 (1 source, 1 article)
  Sources:
  - When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- TokenCore’s platform enforces biometrics, hardware-bound cryptographic authentication, and physical proximity verification simultaneously, eliminating phishing, replay, delegation, and exception pathways.
  First reported: 09.04.2026 17:02 (1 source, 1 article)
  Sources:
  - When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- The Figure breach exemplifies how credential exposure creates conditions for downstream authentication abuse, with adversary infrastructure operating continuously against exposed records.
  First reported: 09.04.2026 17:02 (1 source, 1 article)
  Sources:
  - When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- EvilTokens issued refresh tokens that survived password resets and remained valid for weeks or months depending on tenant configuration, requiring explicit revocation or conditional access policy changes to invalidate.
  First reported: 19.05.2026 14:30 (1 source, 1 article)
  Sources:
  - The New Phishing Click: How OAuth Consent Bypasses MFA — thehackernews.com — 19.05.2026 14:30
- Consent phishing (OAuth grant abuse) leverages users' normalization of consent screens to trick them into granting scoped refresh tokens instead of passwords, avoiding MFA checks entirely.
  First reported: 19.05.2026 14:30 (1 source, 1 article)
  Sources:
  - The New Phishing Click: How OAuth Consent Bypasses MFA — thehackernews.com — 19.05.2026 14:30
- The gap between consent screen language and operational reach (e.g., 'Read your mail' covering all messages and attachments) enables attackers to exploit scopes that sound limited but grant broad access.
  First reported: 19.05.2026 14:30 (1 source, 1 article)
  Sources:
  - The New Phishing Click: How OAuth Consent Bypasses MFA — thehackernews.com — 19.05.2026 14:30
- Toxic combinations of OAuth grants across multiple SaaS applications create interconnected risk surfaces not visible to any single application's audit logs, exemplified by the 2025 Salesloft-Drift incident where a compromised downstream connector spread through 700+ Salesforce tenants.
  First reported: 19.05.2026 14:30 (1 source, 1 article)
  Sources:
  - The New Phishing Click: How OAuth Consent Bypasses MFA — thehackernews.com — 19.05.2026 14:30
- Platforms like Reco map OAuth grants and AI agents into identity graphs to detect bridges, unused tokens, and policy deviations, enabling token-level revocation instead of user account suspension.
  First reported: 19.05.2026 14:30 (1 source, 1 article)
  Sources:
  - The New Phishing Click: How OAuth Consent Bypasses MFA — thehackernews.com — 19.05.2026 14:30
Similar Happenings
BlackFile extortion group escalates vishing campaigns with identity theft and data theft targeting retail and hospitality sectors
Since February 2026, the BlackFile extortion group (aliases: CL-CRI-1116, UNC6671, Cordial Spider) has conducted sustained vishing-driven credential theft and data exfiltration campaigns against retail and hospitality organizations. The group impersonates IT helpdesk staff using spoofed VoIP numbers and fraudulent Caller ID Names, often combined with antidetect browsers and residential proxies to avoid detection. Stolen credentials are used to register attacker-controlled devices and bypass MFA, enabling escalation to executive accounts via internal directory scraping. Data is exfiltrated through legitimate Salesforce and SharePoint API functions and web interfaces, targeting files containing terms such as 'confidential' and 'SSN'. Extortion demands, typically seven-figure sums, are delivered via compromised employee email accounts or randomly generated Gmail addresses, with additional harassment including swatting attempts against executives. Security researchers from Unit 42 and RH-ISAC have linked BlackFile to the activity cluster CL-CRI-1116 and noted overlaps with the loosely affiliated collective 'The Com'.
Cross-application permission chaining risk exposed via AI agents and MCP connectors
On January 31, 2026, researchers disclosed an exposed database in Moltbook, a social network for AI agents, which leaked 35,000 email addresses and 1.5 million agent API tokens across 770,000 active agents. The database also contained plaintext third-party credentials, including OpenAI API keys, shared between agents in private messages, enabling attackers to hijack AI agents and their associated service integrations through unintended cross-application trust chains. The incident highlights the risk of "toxic combinations" of permissions, where AI agents, MCP servers, or OAuth integrations bridge multiple applications without explicit oversight from any single application owner, creating unauthorized lateral trust pathways that bypass conventional SaaS access reviews. These bridges form at runtime and are invisible to single-app governance, allowing credential exfiltration and command-and-control abuse when combined with weak token hygiene and runtime drift.
Compromise of Third-Party AI Tool via Infostealer Leads to Vercel Breach and OAuth Token Theft Chain
Vercel remains under assessment following a sophisticated attack chain that began with the compromise of third-party AI tool vendor Context.ai via an infostealer. The breach was enabled by an OAuth token tied to a Vercel employee’s Google Workspace account, granting access to non-sensitive environment variables and internal systems. Context.ai acknowledged the theft of OAuth tokens, including those used in consumer-facing integrations. Vercel, collaborating with Mandiant, has notified affected customers and issued advisories emphasizing MFA enforcement, credential rotation, and review of non-sensitive environment variables. A threat actor allegedly linked to ShinyHunters attempted to extort Vercel for $2 million. The incident highlights systemic risks from shadow AI integrations and OAuth sprawl. Context.ai’s breach originated from an infostealer infection on an employee’s system after searching for gaming cheats, leading to the theft of OAuth tokens. The compromised Vercel employee account had broad permissions, including access to internal dashboards, API keys, and GitHub tokens. Broader industry trends show attackers increasingly exploiting OAuth connections at scale, with campaigns like Scattered Lapsus$ Hunters targeting major enterprises via OAuth-driven supply chain attacks and phishing. Security experts recommend default-deny policies for OAuth integrations and routine audits to mitigate these risks.
APT28 DNS hijacking campaigns via compromised SOHO routers observed in 2025–2026 targeting credential theft
APT28 (GRU GTsSS Military Unit 26165) has conducted opportunistic DNS hijacking campaigns since at least August 2025 by compromising small office/home office (SOHO) routers—primarily TP-Link models such as WR841N—to redirect victim traffic through attacker-controlled DNS servers and steal credentials. The campaign peaked in December 2025, compromising over 18,000 networks, including 200 organizations and 5,000 consumer devices, and specifically targeted government agencies such as ministries of foreign affairs, law enforcement, and third-party email providers. TP-Link routers were likely exploited via CVE-2023-50224 to retrieve credentials, which were used in adversary-in-the-middle attacks against browser sessions and desktop applications to harvest credentials for web and email services. APT28 operates a persistent infrastructure of VPSs repurposed as malicious DNS servers, receiving DNS requests from exploited routers and enabling opportunistic triage to identify high-value targets. Microsoft reported this is the first time APT28 has used DNS hijacking at scale to support post-compromise adversary-in-the-middle (AiTM) attacks on TLS connections against Microsoft Outlook on the web domains, intercepting OAuth authentication tokens after successful MFA authentication without requiring additional malware on compromised routers. On April 7, 2026, US authorities dismantled APT28’s US-based DNS hijacking network as part of ‘Operation Masquerade,’ neutralizing compromised routers across 23 states. The operation, led by the FBI and authorized by a court, reset DNS settings on affected TP-Link routers to restore legitimate DNS resolvers from ISPs without impacting functionality or collecting user content. The FBI is working with ISPs to notify affected users and urges router owners to replace outdated devices, update firmware, and verify DNS settings to prevent further exploitation.
Global C-Suite credential theft campaign leverages undocumented Venom PhaaS with AiTM bypass
A credential theft campaign from November 2025 to March 2026 targeted C-suite executives and senior personnel at major organizations worldwide using a previously undocumented phishing-as-a-service (PhaaS) platform named Venom. The campaign used SharePoint-themed lures with embedded QR codes to deliver a multi-stage phishing workflow designed to harvest credentials and bypass multifactor authentication (MFA). Email content included randomized HTML, fabricated email threads, and personalized sender impersonation to evade detection. Victims who passed automated checks were routed to credential harvesters that mimicked legitimate login portals via adversary-in-the-middle (AiTM) techniques, including pre-filled email fields, corporate branding, and identity provider integration. Compromised sessions maintained persistence even after password resets due to valid refresh tokens, unless administrators manually revoked active sessions.