> TritonInfoSec News
Home / May 20, 2026 / Story
0
#9 The Hacker News general May 19, 2026 at 11:30 UTC

The New Phishing Click: How OAuth Consent Bypasses MFA

By [email protected] (The Hacker News)

AI Summary

A phishing-as-a-service platform called EvilTokens, launched in February 2026, compromised more than 340 Microsoft 365 organizations across five countries within five weeks by exploiting OAuth device code flow to bypass MFA. Victims were tricked into entering a short code at microsoft.com/devicelogin, completing their normal MFA challenge while unknowingly granting the attacker a persistent OAuth token. Security teams should audit conditional access policies for device code flow restrictions and monitor for anomalous OAuth consent grants.

Read full article → https://thehackernews.com/2026/05/the-new-phishing…

Relevance score: 78.0/100

# More from May 20

  1. 1
    GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories The Hacker News
  2. 2
    Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector SecurityWeek
  3. 3
    Cybercrime service disrupted for abusing Microsoft platform to sign malware BleepingComputer
  4. 4
    In stunning display of stupid, secret CISA credentials found in public GitHub repo Ars Technica Security
  5. 5
    New Shai-Hulud malware wave compromises 600 npm packages BleepingComputer
  6. 6
    Max-severity flaw in ChromaDB for AI apps allows server hijacking BleepingComputer
  7. 7
    Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare The Hacker News
  8. 8
    DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability The Hacker News
  9. 10
    GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials The Hacker News