The New Phishing Click: How OAuth Consent Bypasses MFA
ID: f02bbb63-1730-5071-89b7-d07e4064392e
STIX ID: report--f02bbb63-1730-5071-89b7-d07e4064392e
Feed Name: The Hacker News
This article describes the emergence and impact of consent phishing (OAuth grant abuse), highlighting a PhaaS named EvilTokens that compromised 340+ Microsoft 365 tenants by tricking users into granting OAuth scopes and obtaining refresh tokens that bypass MFA and survive password resets. It explains how consent screens and AI/third-party integrations normalize excessive privileges and create cross-application 'toxic combinations', and it recommends continuous OAuth-grant visibility, token-level revocation, re-consent policies, and specialized AI-security platforms to mitigate the risk.
