EvilTokens is a phishing-as-a-service kit that compromises Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow. The attack does not rely on fake login pages or password theft; instead, it tricks victims into completing legitimate authentication, including two-factor authentication, on a real Microsoft login page.
Summary by ByteBrief
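Because the victim authenticates on a genuine Microsoft page, the place to look for this technique is the sign-in log, where completed device authorization grant sign-ins can be reviewed. The following is an added example, not part of the original summary: the field names are assumptions modelled on Entra ID sign-in logs, and the allow-list and sample records are constructed.

```python
import json

# Hypothetical allow-list: accounts expected to use the device code flow
# (for example, shared displays with no keyboard).
APPROVED_DEVICE_FLOW_USERS = {"room-display@example.com"}

# Constructed sample records, one JSON object per line. Field names are
# assumptions modelled on Entra ID sign-in logs; errorCode 0 means success
# and the nonzero value is a constructed stand-in for any failure.
SAMPLE_LOG = """\
{"createdDateTime":"2025-01-10T08:01:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"none","ipAddress":"198.51.100.10","errorCode":0}
{"createdDateTime":"2025-01-10T09:15:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","errorCode":0}
{"createdDateTime":"2025-01-10T09:20:00Z","userPrincipalName":"room-display@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.20","errorCode":0}
{"createdDateTime":"2025-01-10T10:00:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","errorCode":99999}
{"createdDateTime":"2025-01-10T10:05:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","errorCode":0}
{"createdDateTime":"2025-01-11T10:05:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","errorCode":0}
"""


def find_device_code_signins(log_text, approved_users):
    """Return successful device code sign-ins by users not on the allow-list."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["createdDateTime"])  # ISO 8601 UTC sorts as text
    prior_device_users = set()
    alerts = []
    for event in events:
        if event["authenticationProtocol"] != "deviceCode":
            continue
        if event["errorCode"] != 0:
            continue  # only a completed grant issues tokens
        user = event["userPrincipalName"]
        if user in approved_users:
            continue
        alerts.append({
            "time": event["createdDateTime"],
            "user": user,
            "ip": event["ipAddress"],
            # First device code sign-in for this user within the reviewed data.
            "first_seen": user not in prior_device_users,
        })
        prior_device_users.add(user)
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_signins(SAMPLE_LOG, APPROVED_DEVICE_FLOW_USERS):
        print(alert)
```

Where no account needs the device code flow, the allow-list can be empty, and every hit becomes a candidate for review or for blocking the flow through policy.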