EvilTokens: Phishing-as-a-Service Bypasses Two-Factor Authentication on Microsoft 36517. June 2026CybersecurityEvilTokens exploits OAuth 2.0 device flows to compromise 2FA-protected Microsoft 365 accounts by tricking users into authorizing devices. Share on: