Microsoft 365: Phishing Campaign Bypasses MFA by Exploiting the OAuth Protocol


This text was generated using artificial intelligence (AI).Update July 8, 2026: In addition, an advanced variant of the attack has been identified that uses AES-GCM-encrypted HTML landing pages and is decrypted exclusively within the victim’s browser („Ghost Code“ technique). This method makes detection by security solutions significantly more difficult. See below for details.

A phishing campaign that specifically targets Microsoft 365 accounts has been observed since at least April 2026. Cisco Talos published a comprehensive analysis of this campaign on June 30, 2026. Attackers are exploiting a legitimate feature—the OAuth 2.0 Device Authorization Grant Flow – to bypass multi-factor authentication (MFA) and gain access to corporate data. The campaign uses the Phishing-as-a-Service (PhaaS) kit ARToken, which, according to Cisco Talos, is an affiliate or customer of the EvilTokens-platform and shares its infrastructure and API contracts.