Last Update: 04/05/2026 at 2:50 PM EST
OAuth Flaws Drive Token Theft
Coverage from BleepingComputer and others
Articles: 4 | Latest Article: 04/04 | Active Days: 45
Executive Summary
Attackers abuse OAuth redirect and device-code flows to steal Microsoft tokens, hijack accounts, and bypass phishing defenses.
- Attackers abuse OAuth redirect handling to send victims to malicious pages
- Campaigns target government and public-sector users with phishing and fake authorization prompts
- Malicious OAuth apps combined with attacker-controlled redirects can trigger silent, error-based redirects
- Some attacks use EvilProxy-style frameworks to steal session cookies and bypass MFA
- Device-code phishing surged 37.5x, driven by kits like EvilTokens
- EvilTokens is sold on Telegram and uses realistic SaaS-themed lures
- Captured access and refresh tokens can expose email, files, Teams, and SSO apps
Quick Facts
- What: OAuth abuse steals tokens and bypasses account protections
- Where: Microsoft Entra accounts and connected SaaS services
- Why: To hijack accounts and access data without passwords
- Who: Microsoft researchers, Push Security, Sekoia, and threat actors
- When: In recent campaigns across 2024 and 2025