Here’s how the attack works: you get a message asking you to authenticate a device. You click through to a real Microsoft login page. You enter your credentials. You complete your MFA challenge. Everything looks normal. But somewhere in the redirect chain, an attacker fed you a poisoned OAuth device code, and when you authenticated, you handed them a valid access token. No malware. No exploit. Just a standard OAuth flow, weaponized.

Huntress flagged this campaign in February 2026. Within weeks it had hit more than 340 organizations across five countries. Cloudflare Workers handle the redirect obfuscation. Railway PaaS hosts the credential harvesting backend. Both are legitimate platforms. The traffic looks clean. A Phishing-as-a-Service operation called EvilTokens is the suspected engine running this at scale.

The reason your MFA didn’t save you: you actually completed a real authentication step. The MFA challenge was genuine. You just didn’t know the device code you were authorizing wasn’t yours. Standard MFA defenses assume the attacker wants your password. This attack doesn’t need it. It needs your session token, and the OAuth flow hands it over willingly. Worse, those tokens persist. Resetting your password won’t revoke them. Re-enrolling in MFA won’t revoke them. Most incident response playbooks don’t account for this. A lot of organizations are going to miss it.

And that’s assuming organizations have meaningful MFA in the first place. The HYPR “2026 State of Passwordless Identity Assurance” report found that 76% of organizations are still using legacy passwords as their primary authentication method. Only 43% have deployed any passwordless authentication. 71% say they’re planning to. The gap between “we intend to” and “we actually did” is 28 percentage points wide.

Microsoft forced the issue for Azure and M365 admins, mandating MFA with no exceptions as of early 2026. That’s a real forcing function for that perimeter. But it’s one perimeter. It doesn’t cover on-premises systems, legacy VPNs, vendor portals, or the dozens of SaaS apps running on credentials that haven’t been touched since 2019. That’s where most of the organization actually lives.

The authentication problem in 2026 has three layers: attacks got smarter, defenses haven’t deployed, and enforcement only reached part of the picture. Token revocation after an MFA bypass incident isn’t optional. It’s the whole remediation. Make sure your team knows that.
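To make the persistence point above and the "token revocation is the whole remediation" point concrete, here is an added triage script (not from the article or from Huntress) that flags successful device-code sign-ins in Entra ID sign-in log records and maps each affected user to the Graph action that invalidates their refresh tokens. Field names follow the Microsoft Graph `signIn` resource; the records and the trusted egress range are constructed sample data and an assumption about your environment.

```python
import ipaddress

# Constructed sample records shaped like Microsoft Graph `signIn` objects (not real telemetry).
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "createdDateTime": "2026-02-10T09:12:00Z",
     "ipAddress": "203.0.113.45", "authenticationProtocol": "deviceCode",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "alice@example.com", "createdDateTime": "2026-02-09T08:00:00Z",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "bob@example.com", "createdDateTime": "2026-02-10T10:30:00Z",
     "ipAddress": "203.0.113.46", "authenticationProtocol": "deviceCode",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 50126}},
    {"id": "s4", "userPrincipalName": "carol@example.com", "createdDateTime": "2026-02-10T11:05:00Z",
     "ipAddress": "198.51.100.9", "authenticationProtocol": "deviceCode",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
]

# Assumption: the organisation's known egress ranges (constructed; adjust to your environment).
TRUSTED_NETWORKS = ["198.51.100.0/24"]


def triage_device_code_signins(signins, trusted_networks=TRUSTED_NETWORKS):
    """Return one finding per successful device-code sign-in.

    A success means a token was issued to whichever client started the flow,
    regardless of whether the MFA step was genuine. Failed attempts (non-zero
    errorCode) issued nothing and are skipped.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue
        ip = ipaddress.ip_address(s["ipAddress"])
        off_network = not any(ip in n for n in nets)
        findings.append({
            "signInId": s["id"],
            "user": s["userPrincipalName"],
            "when": s["createdDateTime"],
            "mfaSatisfied": s.get("authenticationRequirement") == "multiFactorAuthentication",
            # Off-network approval is a heuristic for "phished", not proof; every hit still gets revoked.
            "severity": "high" if off_network else "medium",
        })
    return findings


def revocation_plan(findings):
    """Map each affected user to the Graph action that invalidates their refresh tokens.

    Password reset and MFA re-enrolment leave issued tokens valid; revokeSignInSessions
    resets signInSessionsValidFromDateTime, killing refresh tokens and browser sessions.
    Already-issued access tokens still live until they expire, so also check app consent.
    """
    return {f["user"]: f"POST /users/{f['user']}/revokeSignInSessions" for f in findings}
```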
