How OAuth Authorization bypasses MFA

In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations in five countries.
Targets received a message asking them to enter a short code at microsoft.com/devicelogin and complete their usual MFA challenge, and walked away believing they had completed an ordinary login. What they had actually done was hand the attacker a valid refresh token scoped to their mailbox, drive, calendar, and contacts, with a lifetime set by the tenant's policy rather than by the session.
The attacker never needs the password, never triggers an MFA prompt of their own, and never generates a login event that looks out of place. The attack worked because the OAuth consent screen has become a routine click, and the controls designed to stop phishing do not look at the authorization layer.
Security researchers call the resulting technique consent phishing or OAuth grant abuse. A decade ago, the phishing click that mattered gave away a password. Today the phishing click that matters hands over a refresh token, and it sits structurally beneath the authentication controls that many organizations still treat as their perimeter.
Why MFA Can't See OAuth Grants
Credential phishing yields a username and password that must be replayed somewhere, and most identity stacks now demand a second factor at replay time. Even adversary-in-the-middle (AiTM) kits produce a session cookie tied to a login event that the SIEM can correlate against location, device, and traffic patterns.
Figure 1: Phishing leaves a trail of logins that the SIEM can't correlate.
An OAuth grant produces nothing to replay. The user authenticates to the legitimate identity provider, completes the MFA challenge on the legitimate domain, and clicks Accept. The token the attacker walks away with is the system working as designed: signed by the identity provider, scoped to whatever the user agreed to, and renewable. MFA can't stop it because MFA has already happened.
Figure 2: An OAuth grant leaves nothing to replay, just a renewable token.
Refresh tokens then widen the window. Tokens issued through EvilTokens survived password resets and stayed valid for weeks or months, depending on the tenant's configuration. Rotating the password did not invalidate the grant. Only an explicit revocation, or a conditional access policy that forces re-authorization, closes it.
How Consent Is Exploited
This attack vector has existed since OAuth became a standard. What has changed is the environment it operates in. Users have been trained to click through consent screens at the rate they click through cookie banners. Every AI agent presents one. Every productivity integration presents one. Every browser extension that touches a SaaS account presents one. The number of authorizations a knowledge worker sees per month exceeds anything that existed when the original OAuth threat models were written.
The scopes themselves use language that does not map cleanly to risk. A scope described as "Read your mail" sounds limited, but in practice it covers every message, attachment, and shared thread the user can access. A scope described as "Access files when not present" means a long-lived token issued without the user in front of the screen to revoke it. The gap between the permission language and the access it actually grants is exactly where attackers operate.
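The two points above, that the grant itself is the only signal and that consent wording understates scope breadth, translate into a small detection exercise over identity-provider events. The following is an added example and is not code from the article or from Reco: it scores consent grants by how much the requested scopes actually reach (doubling when offline_access makes the grant a standing one), surfaces device-code sign-ins, and lists the grants a user still holds after a password reset. The events and field names are constructed and only loosely modelled on Entra ID sign-in and audit exports; the scope names are Microsoft Graph delegated permissions, but the breadth numbers are this example's assumptions.

```python
"""
Flag risky OAuth consent grants and device-code sign-ins in IdP audit events.

Added example; not code from the original article or from Reco. The events
below are constructed and use simplified field names loosely modelled on
Entra ID sign-in and audit log exports (real exports differ).
"""
from collections import defaultdict

# Assumption: scope names are Microsoft Graph delegated permissions. The number
# is how much of the tenant the scope actually reaches, which the friendly
# consent-screen wording ("Read your mail") tends to understate.
SCOPE_BREADTH = {
    "User.Read": 0,        # basic profile only
    "Calendars.Read": 1,   # meeting details
    "Contacts.Read": 1,    # full contact list
    "Mail.Read": 2,        # every message, attachment and shared thread
    "Files.Read.All": 2,   # every file the user can reach, including shared
    "Mail.ReadWrite": 3,   # read plus send/delete as the user
}
UNKNOWN_SCOPE_BREADTH = 2  # treat anything unrecognised as moderately broad


def scope_score(scopes):
    """Score a consent request. offline_access doubles the score because it
    turns a session-bound grant into a standing refresh token."""
    base = sum(SCOPE_BREADTH.get(s, UNKNOWN_SCOPE_BREADTH)
               for s in scopes if s != "offline_access")
    return base * 2 if "offline_access" in scopes else base


def find_risky_consents(events, threshold=6):
    """Consent grants whose scope score meets the threshold."""
    out = []
    for e in events:
        if e["type"] != "consent":
            continue
        score = scope_score(e["scopes"])
        if score >= threshold:
            out.append({"user": e["user"], "app": e["app"], "score": score,
                        "publisher_verified": e["publisher_verified"]})
    return out


def find_device_code_signins(events):
    """Device-code authentications are rare for ordinary users and are the
    entry point of the flow described above, so surface every one."""
    return [(e["user"], e["app"]) for e in events
            if e["type"] == "signin" and e["protocol"] == "deviceCode"]


def grants_surviving_reset(events):
    """For each password reset, the consent grants that user still holds.
    A reset does not touch them; only a revoke event removes a grant."""
    live = defaultdict(dict)   # user -> {app: scopes}
    survivors = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "consent":
            live[e["user"]][e["app"]] = e["scopes"]
        elif e["type"] == "revoke":
            live[e["user"]].pop(e["app"], None)
        elif e["type"] == "password_reset":
            survivors.extend((e["user"], app) for app in sorted(live[e["user"]]))
    return survivors


# Constructed sample events (users, apps and timestamps are all made up).
EVENTS = [
    {"ts": "2026-02-10T09:02:00", "type": "signin", "user": "alice@corp.example",
     "protocol": "deviceCode", "app": "Example Native Client", "mfa": True},
    {"ts": "2026-02-10T09:03:00", "type": "consent", "user": "alice@corp.example",
     "app": "Meeting Notes Helper", "publisher_verified": False,
     "scopes": ["offline_access", "Mail.Read", "Calendars.Read",
                "Contacts.Read", "Files.Read.All"]},
    {"ts": "2026-02-11T14:20:00", "type": "consent", "user": "bob@corp.example",
     "app": "Company Intranet", "publisher_verified": True, "scopes": ["User.Read"]},
    {"ts": "2026-02-12T10:00:00", "type": "consent", "user": "carol@corp.example",
     "app": "Sales Sync", "publisher_verified": True,
     "scopes": ["offline_access", "Contacts.Read"]},
    {"ts": "2026-02-13T10:00:00", "type": "revoke", "user": "carol@corp.example",
     "app": "Sales Sync"},
    {"ts": "2026-02-18T08:00:00", "type": "password_reset", "user": "alice@corp.example"},
    {"ts": "2026-02-18T08:30:00", "type": "password_reset", "user": "carol@corp.example"},
    {"ts": "2026-02-18T08:35:00", "type": "signin", "user": "alice@corp.example",
     "protocol": "browser", "app": "Example Web App", "mfa": True},
]

if __name__ == "__main__":
    for finding in find_risky_consents(EVENTS):
        print("risky consent:", finding)
    print("device-code sign-ins:", find_device_code_signins(EVENTS))
    print("grants surviving password reset:", grants_surviving_reset(EVENTS))
```

Run as a script, it reports alice's five-scope grant (score 12, unverified publisher), her device-code sign-in, and the fact that the grant is still live after her password reset, while carol's revoked grant correctly disappears. The scoring table is deliberately crude; the point is that the check runs on the consent event itself rather than on any later login.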
Toxic Combinations Form Beneath the Application
A single OAuth grant gives an attacker a foothold within a single application. The deeper risk arises when those footholds form a bridge.
A finance user grants an AI meeting summarizer access to their calendar and mailbox. The same user later grants a productivity assistant access to the company's shared drive. A third grant connects a CRM enrichment tool to the customer database. Each was approved on its own. No app owner approved the combination. The risk surface is now three intersecting scopes under one person's identity, where a compromise of the meeting summarizer can reach the contract drafts and customer records held by that same person.
Figure 3: A toxic combination between two co-owned SaaS applications.
MCP installations, OAuth consent clicks, and browser extension installs: each is a bridge created at the speed of a single click. Model Context Protocol (MCP) servers are emerging as the next OAuth-style attack surface, giving agents access to scopes through the same trust and consent screens already in place.
The 2025 Salesloft-Drift incident showed what this looks like at scale. A vulnerable downstream connector exposed more than 700 Salesforce tenants through OAuth tokens that customers had authorized. Each customer had approved the integration. No one approved the cascade.
What You Should Check
Closing this gap requires treating OAuth authorization the way a security program already treats authentication. A short set of questions reveals where the real gap lies.
| What to review | What it looks like in practice |
| --- | --- |
| OAuth grant inventory | Every third-party application holding refresh tokens on the tenant, kept continuously up to date rather than rebuilt at audit time. |
| Grant age and re-consent | Tokens issued more than 30 days ago without re-consent appear as a row. |
| Cross-application ownership | Any identity holding grants across three or more SaaS applications is flagged for review. |
| Agents and integration bridges | AI agents and integrations that connect two systems no app owner authorized together. |
| Conditional access on consent | Policies that trigger on authorization events, not just login events. |
| Token-level revocation | A playbook that revokes a single OAuth token rather than suspending the user. |
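The finance-user scenario above and the review table map directly onto a few queries over a grant inventory. The following is an added example, not code from the article or from Reco, that treats grants as an identity graph and answers the table's rows: which apps hold standing refresh tokens, which grants are older than 30 days without re-consent, which identities span three or more apps, where one identity's grants across different apps together reach two or more sensitive data classes (the toxic bridge), and what token-level revocation leaves behind. The grant records are constructed; the Graph scope names are real Microsoft Graph permissions, while "crm:customers.read" is a made-up scope standing in for a CRM integration, and the scope-prefix-to-data-class mapping is this example's assumption.

```python
"""
Review OAuth grants as an identity graph: stale grants, identities spanning
many apps, toxic bridges, and token-level revocation.

Added example; not code from the original article or from Reco. The grant
records are constructed; "crm:customers.read" is a made-up scope.
"""
from collections import defaultdict
from datetime import date

# Constructed grant inventory: one row per (identity, application) consent.
AS_OF = date(2026, 3, 1)
GRANTS = [
    {"user": "finance@corp.example", "app": "Meeting Summarizer",
     "scopes": ["offline_access", "Mail.Read", "Calendars.Read"],
     "issued": date(2025, 12, 1)},
    {"user": "finance@corp.example", "app": "Productivity Assistant",
     "scopes": ["offline_access", "Files.Read.All"],
     "issued": date(2026, 1, 20)},
    {"user": "finance@corp.example", "app": "CRM Enrichment",
     "scopes": ["offline_access", "crm:customers.read"],
     "issued": date(2026, 2, 15)},
    {"user": "bob@corp.example", "app": "Company Intranet",
     "scopes": ["User.Read"], "issued": date(2026, 2, 20)},
]

# Assumption: which scope prefixes reach which class of sensitive data.
SENSITIVE_CATEGORY = {"Mail.": "mail", "Files.": "drive", "crm:": "crm"}


def data_categories(scopes):
    """Sensitive data classes a scope list reaches."""
    return {cat for s in scopes
            for prefix, cat in SENSITIVE_CATEGORY.items() if s.startswith(prefix)}


def refresh_token_holders(grants):
    """Inventory row: every app holding a standing refresh token."""
    return sorted({g["app"] for g in grants if "offline_access" in g["scopes"]})


def stale_grants(grants, as_of=AS_OF, max_age_days=30):
    """Grant-age row: consents older than max_age_days with no re-consent."""
    return [(g["user"], g["app"]) for g in grants
            if (as_of - g["issued"]).days > max_age_days]


def multi_app_identities(grants, min_apps=3):
    """Ownership row: identities holding grants across min_apps or more apps."""
    apps = defaultdict(set)
    for g in grants:
        apps[g["user"]].add(g["app"])
    return {u: sorted(a) for u, a in apps.items() if len(a) >= min_apps}


def toxic_bridges(grants):
    """Bridge row: an identity whose grants to at least two different apps
    together reach two or more sensitive data classes. Compromising any one
    of those apps is a step towards all of that identity's data."""
    reach = defaultdict(lambda: defaultdict(set))  # user -> category -> apps
    for g in grants:
        for cat in data_categories(g["scopes"]):
            reach[g["user"]][cat].add(g["app"])
    out = []
    for user, cats in reach.items():
        apps = set().union(*cats.values())
        if len(cats) >= 2 and len(apps) >= 2:
            out.append((user, tuple(sorted(cats))))
    return out


def revoke_grant(grants, user, app):
    """Revocation row: remove one (identity, app) grant. The identity keeps
    every other grant and is never suspended."""
    return [g for g in grants if not (g["user"] == user and g["app"] == app)]


if __name__ == "__main__":
    print("refresh-token holders:", refresh_token_holders(GRANTS))
    print("stale grants:", stale_grants(GRANTS))
    print("identities on 3+ apps:", multi_app_identities(GRANTS))
    print("toxic bridges:", toxic_bridges(GRANTS))
    remaining = revoke_grant(GRANTS, "finance@corp.example", "Meeting Summarizer")
    print("bridges after one revocation:", toxic_bridges(remaining))
```

Revoking the single oldest grant drops the finance identity below the three-app threshold and removes mail from the bridge, while the user keeps working with the other two integrations; that is the difference between a token-level playbook and disabling the account.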
Procedural discipline only goes so far. Bridges live in a graph that no single system manages, and they are created at the speed of MCP installs or OAuth consent clicks. Seeing that graph requires a platform built to observe the runtime layer where the bridges are actually formed.
Where AI Security Platforms Come In
A newer class of platforms handles most of this automatically. They map every OAuth grant, AI agent, and third-party integration into the identity graph at the time it is issued, rather than waiting for the next audit, and then surface bridges, stale tokens, and policy deviations as a continuous workflow.
One example is Reco. It brings AI agent security, identity management, and threat detection into a single control plane. Its Identity Knowledge Graph connects human and non-human identities to the applications, OAuth grants, and integrations they can reach across the SaaS environment.
Figure 4: Reco view of OAuth grants for AI agents and connected accounts.
The platform continuously detects AI agents and OAuth grants as they appear, maps each grant back to an owning identity, monitors behavior for policy deviations, and revokes access at the token level rather than at the user account. That gives security teams visibility into the runtime layer where these trust relationships are built.
Consent phishing is unlikely to stay on the sidelines for long. Phishing-resistant authentication has received years of investment and attention, while the consent layer still runs largely on trust. Closing that gap means treating OAuth grants and AI-agent connections with the same visibility, monitoring, and revocation discipline already applied to authentication.
Learn more about Reco’s AI security platform.