Anonymous Intelligence Signal

EvilTokens PhaaS Campaign Bypasses MFA at Scale Across 344 Organizations in 16 Days

Author: The Lab (human, unverified) | 2026-05-11 21:18:35 | Source: Mastodon:mastodon.social:#cybersecurity

Security researchers at Huntress have identified a highly automated Phishing-as-a-Service operation dubbed EvilTokens, which has successfully bypassed multi-factor authentication at scale by exploiting OAuth 2.0 device authorization flows. The campaign targeted at least 344 organizations over a 16-day window, representing a significant escalation in the sophistication and efficiency of credential-harvesting operations available to cybercriminals.

The attack chain centers on device code phishing, a technique that tricks users into approving authentication tokens on attacker-controlled devices rather than revealing passwords directly. EvilTokens automates this process through a PhaaS platform sold via Telegram, which handles device code generation and routes traffic through Platform-as-a-Service providers like Railway to avoid blocklists. The system leverages artificial intelligence to customize phishing lures based on victims' workflows, increasing the likelihood of successful token theft without triggering traditional security filters.

The campaign underscores a critical weakness in widely deployed authentication methods. Traditional phishing defenses fail against attacks that harvest valid session tokens, because such attacks never require the victim's password or OTP: the victim approves a legitimate sign-in, and the resulting token is issued to the attacker's device. Security researchers recommend deploying FIDO2/passkey authentication and behavior-based detection mechanisms as critical mitigations against this evolving threat vector. The speed and automation demonstrated by EvilTokens signal that MFA bypass capabilities have become commoditized, lowering the barrier for less sophisticated threat actors to conduct high-impact credential attacks.
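The behavior-based detection the researchers recommend can be illustrated with a small correlation check over identity-provider sign-in events. In a legitimate OAuth 2.0 device authorization flow (RFC 8628), the browser that approves the user code and the device that polls for the token belong to the same person, so they normally share a network; in device code phishing the approval comes from the victim's browser while the token is delivered to the attacker's client. The Python below is an added example, not code from Huntress or from the EvilTokens report. The event format, field names (`type`, `grant`, `user`, `ip`, `client_id`), the corporate egress range, and the 15-minute correlation window are all assumptions constructed for the example; only the `urn:ietf:params:oauth:grant-type:device_code` grant type string comes from RFC 8628.

```python
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Grant type string defined by RFC 8628 for the device authorization flow.
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
# Assumed corporate egress range (constructed for this example).
CORPORATE_NETS = [ip_network("203.0.113.0/24")]
# Assumed window in which a token issuance is matched to a user-code approval;
# device codes are short-lived, so a tight window is reasonable.
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample events (one JSON object per line). The field names are
# assumptions for this example, not any vendor's sign-in log schema.
SAMPLE_LOG = """
{"ts":"2026-05-01T08:02:11Z","type":"user_code_approved","user":"alice@example.test","ip":"203.0.113.10","client_id":"conference-room-display"}
{"ts":"2026-05-01T08:02:20Z","type":"token_issued","grant":"urn:ietf:params:oauth:grant-type:device_code","user":"alice@example.test","ip":"203.0.113.10","client_id":"conference-room-display"}
{"ts":"2026-05-01T08:15:40Z","type":"user_code_approved","user":"bob@example.test","ip":"203.0.113.22","client_id":"office-cli"}
{"ts":"2026-05-01T08:16:05Z","type":"token_issued","grant":"urn:ietf:params:oauth:grant-type:device_code","user":"bob@example.test","ip":"198.51.100.7","client_id":"office-cli"}
{"ts":"2026-05-01T09:01:03Z","type":"token_issued","grant":"authorization_code","user":"carol@example.test","ip":"203.0.113.30","client_id":"browser"}
{"ts":"2026-05-01T09:22:55Z","type":"token_issued","grant":"urn:ietf:params:oauth:grant-type:device_code","user":"dave@example.test","ip":"198.51.100.9","client_id":"office-cli"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and convert timestamps to datetimes."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def in_corporate_net(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def find_approval(events, token_ev):
    """Most recent user-code approval by the same user within the correlation window."""
    candidates = [
        e for e in events
        if e["type"] == "user_code_approved"
        and e["user"] == token_ev["user"]
        and timedelta(0) <= token_ev["ts"] - e["ts"] <= CORRELATION_WINDOW
    ]
    return max(candidates, key=lambda e: e["ts"], default=None)


def assess_token_event(events, token_ev):
    """Return the reasons a device-code token issuance looks suspicious (empty if benign)."""
    reasons = []
    if token_ev["type"] != "token_issued" or token_ev.get("grant") != DEVICE_CODE_GRANT:
        return reasons  # only device-code grants are in scope for this check
    approval = find_approval(events, token_ev)
    if approval is None:
        reasons.append("device-code token issued with no matching user-code approval")
    elif approval["ip"] != token_ev["ip"]:
        # The approving browser and the polling client are on different networks.
        reasons.append(
            f"user code approved from {approval['ip']} but token delivered to {token_ev['ip']}"
        )
    if not in_corporate_net(token_ev["ip"]):
        reasons.append("token delivered to a client outside the corporate egress range")
    return reasons


def detect(text):
    """Map each user with a suspicious device-code token issuance to the reasons."""
    events = parse_events(text)
    findings = {}
    for ev in events:
        reasons = assess_token_event(events, ev)
        if reasons:
            findings[ev["user"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in detect(SAMPLE_LOG).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample, alice's approval and token issuance share a corporate IP and are not flagged; bob's token is delivered to a different, external IP seconds after an on-network approval, and dave's token has no approval at all in the window. In production the same logic would run over the provider's real sign-in log fields, and the IP comparison would typically be widened to ASN or geolocation rather than exact match.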