Your MFA Won't Stop This: The OAuth Phishing Campaign Targeting Australian Microsoft 365 Users
- 6 days ago
- 4 min read
A sophisticated phishing-as-a-service platform has compromised more than 340 Microsoft 365 organisations across five countries — including Australia — in under six weeks. What makes this campaign particularly alarming is not its scale, but its mechanism: multi-factor authentication (MFA), the control that many organisations treat as their identity security bedrock, offers no meaningful protection against it.
The campaign, attributed to a platform called EvilTokens, exploits a legitimate Microsoft authentication protocol to turn your own users into unwitting accomplices. Security teams that have not yet reviewed their Conditional Access policies and Entra ID configuration should do so urgently.
What Happened
EvilTokens, a phishing-as-a-service (PhaaS) platform that launched on 16 February 2026, has rapidly compromised organisations across the United States, Canada, Australia, New Zealand, and Germany. Researchers at Huntress documented the campaign after observing accelerating incidents across a broad range of industry sectors, including financial services, healthcare, legal services, local government, manufacturing, construction, and non-profits.
The attack weaponises the OAuth 2.0 Device Authorization Grant, commonly called the device code flow (RFC 8628), a legitimate mechanism designed for input-constrained devices such as smart televisions and printers. In the legitimate case the device requests a code pair from Microsoft, displays the short user code, and the user visits microsoft.com/devicelogin on another device, signs in, and enters that code; the requesting device polls the token endpoint and receives tokens once the user has approved. In EvilTokens' variant, the attacker plays the role of the device: they initiate the device authorisation request themselves, keep the long device code, and deceive victims via phishing emails or messages into visiting the genuine Microsoft login page and entering the short user code, believing it to be a routine security verification. When the victim approves, Microsoft issues the tokens to the attacker's polling client.
Because the victim authenticates on Microsoft's own infrastructure, traditional phishing defences — suspicious domain detection, lookalike URL filters — are effectively blind to the attack. The platform leverages Cloudflare Workers for redirection and Railway.com as its backend infrastructure, with anti-analysis measures that block browser developer tools and source viewing to frustrate security researchers.
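The exchange described above, as an added example that is not code from the article, Huntress or Microsoft: a self-contained simulation of the RFC 8628 flow with an in-memory mock in place of Microsoft's /devicecode and /token endpoints. It shows the structural reason MFA does not help (the victim's MFA protects the browser session at the verification page, while the tokens are released to whoever holds the device_code), why a password reset alone does not evict the attacker (the mock follows the article's description on that point), and the one limit the attacker works against, the short lifetime of the code pair. The client_id, user names, scopes and the nine-digit user code format are constructed placeholders.

```python
"""Offline simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) as abused by
device-code phishing. Added example: in-memory mock identity provider, no network calls.
client_id, users and scopes are placeholders; password-reset behaviour follows the article."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class DeviceAuthorization:
    device_code: str              # long secret: stays with the client that asked for it
    user_code: str                # short code: the only part a human ever sees
    client_id: str
    scope: str
    expires_at: float
    approved_by: str | None = None


class MockAuthorizationServer:
    """Stand-in for the identity provider's /devicecode and /token endpoints."""

    def __init__(self, code_lifetime: int = 900):    # RFC 8628 expires_in; mock default 15 min
        self.code_lifetime = code_lifetime
        self.pending: dict[str, DeviceAuthorization] = {}   # device_code -> request
        self.by_user_code: dict[str, str] = {}              # user_code -> device_code
        self.refresh_tokens: dict[str, str] = {}            # refresh_token -> user

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode, sent by the OAuth client. In the campaign the attacker is the client."""
        auth = DeviceAuthorization(secrets.token_urlsafe(32), f"{secrets.randbelow(10**9):09d}",
                                   client_id, scope, time.time() + self.code_lifetime)
        self.pending[auth.device_code] = auth
        self.by_user_code[auth.user_code] = auth.device_code
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.code_lifetime, "interval": 5}

    def user_approves(self, user_code: str, user: str, mfa_passed: bool) -> str:
        """The verification page: a human signs in with password + MFA and types the user_code.
        MFA secures this browser session; it says nothing about who holds the device_code."""
        if not mfa_passed:
            return "mfa_failed"
        auth = self.pending.get(self.by_user_code.get(user_code, ""))
        if auth is None or time.time() > auth.expires_at:
            return "invalid_or_expired_code"
        auth.approved_by = user
        return "approved"

    def token(self, device_code: str) -> dict:
        """POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code, polled by the client."""
        auth = self.pending.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if time.time() > auth.expires_at:
            return {"error": "expired_token"}
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code], self.by_user_code[auth.user_code]
        refresh_token = secrets.token_urlsafe(48)
        self.refresh_tokens[refresh_token] = auth.approved_by  # offline_access -> long-lived refresh token
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": refresh_token,
                "token_type": "Bearer", "scope": auth.scope}

    def refresh(self, refresh_token: str) -> dict:
        """Exchange a refresh token for a fresh access token."""
        if refresh_token not in self.refresh_tokens:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

    def reset_password(self, user: str) -> None:
        """Modelled as the article describes: the credential changes, issued refresh tokens are untouched."""

    def revoke_sign_in_sessions(self, user: str) -> None:
        """Equivalent of the Graph revokeSignInSessions action: every refresh token for the user dies."""
        self.refresh_tokens = {rt: u for rt, u in self.refresh_tokens.items() if u != user}


def simulate_campaign() -> dict:
    """Walk attacker, victim and helpdesk through the flow; return what each step observed."""
    idp = MockAuthorizationServer()
    out = {}
    # 1. Attacker (as the OAuth client) requests a code pair. Only the user_code goes into the lure.
    dc = idp.device_authorization("00000000-0000-0000-0000-000000000000",  # placeholder client_id
                                  "Mail.Read Files.Read offline_access")
    # 2. Attacker polls; nothing is issued until a human approves.
    out["before_victim"] = idp.token(dc["device_code"])["error"]
    # 3. Victim follows the lure to the genuine verification page, passes MFA, enters the code.
    out["approval"] = idp.user_approves(dc["user_code"], "alice@example.com", mfa_passed=True)
    # 4. Attacker's next poll gets the tokens: MFA ran on the victim's session, tokens land with the attacker.
    tok = idp.token(dc["device_code"])
    out["attacker_has_refresh_token"] = "refresh_token" in tok
    # 5. Helpdesk resets the password; the refresh token keeps minting access tokens.
    idp.reset_password("alice@example.com")
    out["refresh_after_password_reset"] = "access_token" in idp.refresh(tok["refresh_token"])
    # 6. Revoking sign-in sessions is what actually evicts the attacker.
    idp.revoke_sign_in_sessions("alice@example.com")
    out["refresh_after_revocation"] = idp.refresh(tok["refresh_token"])["error"]
    # 7. Caveat: the code pair is short-lived, so a lure that lands late fails even if the victim complies.
    slow = MockAuthorizationServer(code_lifetime=-1)
    stale = slow.device_authorization("00000000-0000-0000-0000-000000000000", "Mail.Read")
    out["stale_code"] = slow.user_approves(stale["user_code"], "bob@example.com", mfa_passed=True)
    return out
```

Running `simulate_campaign()` reports `authorization_pending` before the victim acts, `approved` once they enter the code, a refresh token in the attacker's hands, access tokens still being minted after the password reset, `invalid_grant` only after `revoke_sign_in_sessions`, and `invalid_or_expired_code` for the stale lure. The design point to take away is step 3: the server never learns that the person approving and the client polling are different parties, which is exactly the gap the Conditional Access block for device code flow closes.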
Why It Matters
The fundamental issue is that this attack does not bypass MFA: it causes victims to complete it on the attacker's behalf. Once the victim enters the device code and approves the authentication prompt, the attacker's client receives valid OAuth access and refresh tokens. Critically, a subsequent password reset cannot be relied on to invalidate those refresh tokens, meaning the conventional first response to a suspected compromise, changing the password, does not evict an attacker who has already obtained them.
For Australian organisations, particularly those in regulated sectors, the consequences extend well beyond account compromise. A threat actor with persistent Microsoft 365 access can enumerate mailboxes, exfiltrate files from OneDrive and SharePoint, harvest contact lists and calendar data, and register attacker-controlled devices for durable persistence. Under the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, many of these outcomes would trigger mandatory breach notification obligations — with the reputational and regulatory consequences that follow.
The fact that 340-plus organisations were compromised across multiple countries within weeks of the platform's launch speaks to the industrialisation of this attack technique. EvilTokens is a packaged product, not bespoke tradecraft — which means the barrier for less skilled threat actors to deploy it is low.
Multi-factor authentication is a critical control, not an impenetrable one — attackers are not bypassing MFA technically; they are engineering users to complete it on their behalf.
What Security Teams Should Do Now
Query Entra ID sign-in logs for authentication events where the authentication protocol is deviceCode (the authenticationProtocol field in the sign-in log export). Flag any account that authenticated via device code flow without a documented operational need for it and treat it as potentially compromised. Failed device-code attempts are worth recording as well, since they indicate which users were targeted.
Implement a Conditional Access policy that uses the Authentication flows condition to block device code flow for all users, excluding only identities with a legitimate requirement; shared-screen kiosks, IoT devices, and similar appliances are typically the only valid use case in enterprise environments. Deploy it in report-only mode first to confirm the exclusions are complete, then enforce it.
For any account suspected to be compromised, invoke revokeSignInSessions via Microsoft Graph (POST /users/{id}/revokeSignInSessions) or the equivalent action in the Entra admin centre. A password reset alone will not invalidate existing refresh tokens and would leave the attacker's access in place; revocation alone does not prevent a repeat phish, so pair it with the password reset and the Conditional Access block above.
Block the known EvilTokens infrastructure: five Railway.com IP addresses have been identified as primary campaign nodes, with three accounting for 84% of observed traffic. Apply these IOCs at the perimeter and proxy layer, but treat them as short-lived; infrastructure on Railway and Cloudflare Workers is cheap to rotate, so IP blocking is a supplement to the identity controls, not a substitute for them.
Audit devices registered in Entra ID for any unrecognised entries created during the compromise window and remove them. Neither a password reset nor a token revocation deletes a device object the attacker has registered, so it must be removed explicitly or it remains available for the attacker's persistence.
Deliver targeted awareness training that specifically addresses the device code flow scenario: any unsolicited request to visit microsoft.com/devicelogin and enter a code should be treated as a phishing attempt, regardless of how routine it appears. Legitimate device logins are started by the user from the device being set up, never by an inbound message.
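The procedure above, worked through as an added example that is not code from the article or from Microsoft: a Python triage script run over a constructed sign-in log export (field names as the Entra sign-in logs and the Graph signIn resource use them), a constructed list of registered devices with the owner flattened into a single `owner` field for the example, and an allowlist of accounts with a documented device-code need. It flags device-code sign-ins by non-allowlisted users, correlates device registrations that fall inside a window after the suspect sign-in, and emits the Graph requests an operator would issue (nothing is sent). The `ALLOWLIST`, `WINDOW` and sample records are assumptions; the Conditional Access policy body follows the Graph conditionalAccessPolicy resource's authenticationFlows condition and should be checked against current documentation before it is posted.

```python
"""Triage an Entra ID sign-in log export for device-code abuse and plan the eviction.
Added example: records below are constructed in export shape; ALLOWLIST and WINDOW are
assumed local policy; Graph requests are built but never sent."""
from datetime import datetime, timedelta

ALLOWLIST = {"kiosk-lobby@example.com"}   # accounts with a documented need for device code flow (assumed)
WINDOW = timedelta(hours=24)              # device registrations this soon after a suspect sign-in (assumed)
GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample sign-ins; errorCode 0 is success, 50126 is a failed credential check.
SAMPLE_SIGN_INS = [
    {"createdDateTime": "2026-03-02T09:14:05Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:20:11Z", "userPrincipalName": "kiosk-lobby@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.3",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T10:02:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.10",
     "authenticationProtocol": "none", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T10:30:44Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.9",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]
# Constructed registered-device export; "owner" is the registered owner's UPN, flattened for the example.
SAMPLE_DEVICES = [
    {"id": "c1", "displayName": "LOBBY-KIOSK-01", "registrationDateTime": "2025-06-01T08:00:00Z",
     "owner": "kiosk-lobby@example.com"},
    {"id": "d2", "displayName": "DESKTOP-7Q2K", "registrationDateTime": "2026-03-02T09:31:50Z",
     "owner": "alice@example.com"},
    {"id": "d3", "displayName": "ALICE-LAPTOP", "registrationDateTime": "2025-11-14T12:00:00Z",
     "owner": "alice@example.com"},
]


def _ts(value: str) -> datetime:
    """Parse the export's ISO-8601 UTC timestamps (the Z suffix needs rewriting on older Pythons)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(sign_ins, devices, allowlist=ALLOWLIST, window=WINDOW) -> dict:
    """Return suspect users, devices registered inside their compromise window, failed device-code
    attempts, and the Graph calls an operator would issue to evict the attacker."""
    suspects = {}   # upn -> earliest successful device-code sign-in
    failed = []
    for rec in sign_ins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        upn = rec["userPrincipalName"]
        if rec["status"]["errorCode"] != 0:
            failed.append(upn)          # targeted, but no token was issued
            continue
        if upn in allowlist:
            continue                    # documented operational use
        seen = _ts(rec["createdDateTime"])
        suspects[upn] = min(seen, suspects.get(upn, seen))
    suspect_devices = [
        d for d in devices
        if d["owner"] in suspects
        and suspects[d["owner"]] <= _ts(d["registrationDateTime"]) <= suspects[d["owner"]] + window
    ]
    # Eviction order: kill every refresh token first, then remove attacker-registered devices.
    actions = [("POST", f"{GRAPH}/users/{upn}/revokeSignInSessions") for upn in sorted(suspects)]
    actions += [("DELETE", f"{GRAPH}/devices/{d['id']}") for d in suspect_devices]
    return {
        "suspect_users": sorted(suspects),
        "suspect_devices": [d["displayName"] for d in suspect_devices],
        "failed_device_code_attempts": sorted(set(failed)),
        "actions": actions,
    }


def device_code_block_policy(exclude_group_ids) -> dict:
    """Conditional Access policy body that blocks device code flow for everyone except the listed
    groups, starting in report-only mode. Shape assumed from the Graph conditionalAccessPolicy
    resource; verify before POSTing to /identity/conditionalAccess/policies."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SIGN_INS, SAMPLE_DEVICES).items():
        print(f"{key}: {value}")
```

On the sample data the kiosk account is ignored because it is allowlisted, alice is flagged, the device she "registered" seventeen minutes after the suspect sign-in is flagged while her year-old laptop is not, and carol appears only under failed attempts. Keep the allowlist deliberately small: every entry is an account the Conditional Access exclusion will also have to cover, and each one is a standing opening for this technique.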
Aurian's Take
This campaign reflects a broader trend in the threat landscape: attackers are increasingly targeting the space between user behaviour and technical controls, rather than attempting to circumvent security technology directly. EvilTokens does not exploit a vulnerability in Microsoft's systems — it exploits the trust users place in legitimate-looking workflows. As organisations have hardened their defences against credential theft and traditional phishing, adversaries have adapted by weaponising the authentication mechanisms organisations have deployed as safeguards. The industrialisation of this technique into a PhaaS offering means it will proliferate rapidly, and the attack volume is likely to increase before it diminishes.
In our penetration testing and security assessment work, Aurian routinely uncovers Microsoft 365 and Entra ID configurations that would leave organisations directly exposed to exactly this type of campaign — unrestricted device code flows, absent or incomplete Conditional Access policies, and insufficient monitoring of OAuth application activity. A thorough security assessment of your Microsoft 365 environment is not simply a technical exercise; for organisations subject to the NDB scheme or sector-specific regulatory frameworks, it is an increasingly necessary component of demonstrating due diligence. Regular penetration testing ensures your identity controls are validated against current attacker techniques, not the threat model that existed when your policies were last reviewed.
Identity-based attacks are evolving faster than most organisations are updating their defences. The confidence many security teams place in MFA needs to be tempered with a clear-eyed assessment of how those controls can be circumvented — and whether detection and response capabilities would catch a compromise before serious damage is done.