The New Phishing Click: How OAuth Consent Bypasses MFA

2026-05-19

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

OAuth consent screens have become a primary phishing vector that bypasses MFA, as demonstrated by EvilTokens, which compromised 340+ Microsoft 365 organizations by harvesting refresh tokens.

•EvilTokens distributed fake device-login prompts directing users to complete MFA on legitimate identity providers, then captured long-lived refresh tokens with access to mail, drive, calendar and contacts
•Refresh tokens persist after password resets and remain valid for weeks or months without explicit revocation, unlike traditional credential phishing requiring password replay
•Users habitually click through consent screens, making malicious OAuth requests indistinguishable from legitimate app integrations and AI agent permissions at scale
•Toxic combinations form when OAuth grants across multiple unrelated SaaS applications create interconnected risks no single application owner authorized or can audit

The New Phishing Click: How OAuth Consent Bypasses MFA

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface

Cloud CISO Perspectives: How to build an AI-ready security program for the public sector

Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit

New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks