{"id":249441,"date":"2026-05-19T07:30:00","date_gmt":"2026-05-19T11:30:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/19\/the-new-phishing-click-how-oauth-consent-bypasses-mfa\/"},"modified":"2026-05-19T10:15:19","modified_gmt":"2026-05-19T14:15:19","slug":"the-new-phishing-click-how-oauth-consent-bypasses-mfa","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/19\/the-new-phishing-click-how-oauth-consent-bypasses-mfa\/","title":{"rendered":"The New Phishing Click: How OAuth Consent Bypasses MFA"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/the-new-phishing-click-how-oauth.html\">The New Phishing Click: How OAuth Consent Bypasses MFA<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/the-new-phishing-click-how-oauth.html\">https:\/\/thehackernews.com\/2026\/05\/the-new-phishing-click-how-oauth.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-19 07:30:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries.\u00a0<\/p>\n<p>The targets of the platform received a message asking them to enter a short code at microsoft.com\/devicelogin and complete their normal MFA challenge, then walked away believing they had verified a routine sign-in. They had actually handed the operator a valid refresh token scoped to their mailbox, drive, calendar, and contacts, with the lifespan of a tenant policy rather than a session.<\/p>\n<p>The operator never needed a password, never tripped an MFA prompt, and never produced a sign-in event that looked like an intrusion. The attack succeeded because the OAuth consent screen has become an instinctive click, and the controls built to stop credential phishing do not look at the consent layer.<\/p>\n<p>Security researchers call the resulting condition consent phishing or OAuth grant abuse. The phishing click that mattered last decade handed over a password. The phishing click that matters now hands over a refresh token, and it sits structurally below the identity controls most organizations still treat as the perimeter.<\/p>\n<h2>Why MFA Cannot See an OAuth Grant<\/h2>\n<p>A credential phish hands over a username and password that has to be replayed somewhere, and most identity stacks now demand a second factor at the replay. Even adversary-in-the-middle (AiTM) kits produce a session cookie tied to a sign-in event that the SIEM correlates against geography, device, and travel patterns.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tr>\n<td style=\"text-align: center;\"><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"542\" data-original-width=\"2048\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh5JIwDvfaKyGcj0TqarIPHXTums0vw-XcwuChUdiQcUW97w0O89OsC_vqeE-8_rUvzVaTw6zv2e1PKsCnHvn7AgmrvnxCh40mfyS_1rI7OcMRfJNQEAGdlVK41X9XxErLxOvsChlctDX2yxSE4ZfSCmQE-mAZk_a9p1vdiCgMgWNqMaDHNP9jCtaR2ToE\/s1600\/1.png\"\/><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Figure 1: Credential phishing leaves a sign-in trail the SIEM can correlate.<\/td>\n<\/tr>\n<\/table>\n<p>An OAuth grant produces no replayed credentials. The user authenticates on the legitimate identity provider, finishes the MFA challenge on the legitimate domain, and clicks Accept. The token the attacker walks away with is the system working as designed. It is signed by the identity provider, scoped to whatever the user agreed to, and&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/the-new-phishing-click-how-oauth.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The New Phishing Click: How OAuth Consent Bypasses MFA https:\/\/thehackernews.com\/2026\/05\/the-new-phishing-click-how-oauth.html Publish Date: 2026-05-19 07:30:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":249442,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiLnnvBvl0Gs5pfpUcrlJ_Ni62CyGs5UpoGCmpUAjReyBpExj5FzhuxSwuUcfQiyxDqeeoy6jSAHq4tA2KUnO5CRfbpfd_jN1ndeXgC0MiG0TrAfAyW67eybZeHMY-t6_kICQdPPKqK-1n9Ngkrj7UJrZZa1KQWqN9WjaTaDuHA_t6RW9Stul6tb82OS_4\/s1600\/reco1.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[25],"class_list":["post-249441","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/249441"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=249441"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/249441\/revisions"}],"predecessor-version":[{"id":249444,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/249441\/revisions\/249444"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/249442"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=249441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=249441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=249441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}