By NHI Mgmt Group Editorial Team
Published 2026-06-26
Domain: Events
Source: Abnormal AI

TL;DR: A phishing-as-a-service platform is using legitimate Microsoft sign-in flows to steal OAuth tokens instead of passwords, then turning that access into persistent business email compromise, according to Abnormal AI. The core problem is that traditional credential-harvesting controls assume a fake login page or stolen password, while token theft preserves legitimate authentication context and defeats those assumptions.


At a glance

What this is: EvilTokens is a phishing-as-a-service operation that steals OAuth tokens through real Microsoft login flows and converts them into persistent BEC access.

Why it matters: IAM and security teams need to treat token theft as an access problem, because password-centric controls and phishing detections do not fully cover OAuth abuse across human and machine identity programmes.

By the numbers:

👉 Watch Abnormal AI's webinar on EvilTokens and OAuth token theft


Context

EvilTokens is a token-theft phishing operation, not a password-grab campaign. The attacker’s advantage is simple: users authenticate on real Microsoft infrastructure, so the login flow looks legitimate while OAuth tokens are captured for reuse.

For identity teams, that matters because OAuth tokens are access artefacts, not just login artefacts. Once captured, they can preserve session access, evade password resets, and create a long-lived foothold across email and connected applications, which is exactly where human IAM and NHI governance start to overlap.

The article’s central lesson is that conventional phishing controls are tuned to detect fake credential pages and stolen passwords. That model misses attacks that weaponise legitimate identity workflows and turn granted access into an operational business email compromise toolkit.


Key questions

Q: How should security teams handle OAuth token theft in phishing campaigns?

A: Security teams should treat OAuth token theft as account compromise, not just phishing. Focus on revocation, token lifetime, delegated scope review, and anomalous token use across mail and SaaS. Password resets alone will not stop a bearer token that remains valid until it is explicitly revoked.

Q: Why do OAuth tokens create more risk than stolen passwords?

A: OAuth tokens can preserve access without exposing the password, which means the attacker may keep working after a reset. They also authorise connected services, so one stolen token can reach more than one application. That makes token governance and revocation timing central to reducing blast radius.

Q: What breaks when phishing controls focus only on fake login pages?

A: Controls tuned only for fake pages miss attacks that use legitimate authentication flows. The user signs in normally, the platform captures the resulting token, and security tools see a valid login instead of obvious credential harvesting. Teams need token-aware detection and session monitoring to close that gap.

Q: Who is accountable when a stolen token is reused for business email compromise?

A: Accountability usually spans identity, email security, and SaaS owners because the compromise sits at the boundary between authentication and delegated access. Organisations should assign explicit ownership for token revocation, consent monitoring, and session invalidation so a valid token cannot become an indefinite trust grant.


Background and context

OAuth token theft through legitimate login flows

OAuth tokens are bearer credentials issued after successful authentication, which means the attacker does not need to steal a password if they can capture the token instead. In this pattern, the victim completes a genuine Microsoft sign-in flow, and the malicious platform intercepts the resulting token for later use. Because the login occurs on trusted infrastructure, many classic phishing controls see normal authentication rather than malicious credential harvesting. The security failure is not just the theft itself, but the fact that token-based access can survive password resets and continue to authorise downstream services until it is explicitly revoked.

Practical implication: treat token issuance and revocation as first-class governance events, not just password hygiene.
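The lifecycle gap described above, as an added illustration for this summary (not code from Abnormal AI, from Microsoft, or from any OAuth library): a minimal identity-provider model in which a bearer token carries its issue time, expiry and scopes, a password reset changes only the stored secret, and only an explicit revocation event (per-token, or a per-user "sessions not valid before" timestamp) stops a token that is already in the wild. The `IdentityProvider` class, the user and token records, and the clock values are all constructed for the example.

```python
"""Bearer-token lifecycle model: why a password reset alone does not stop a
stolen OAuth token, and what explicit revocation changes.

Added illustration, not Abnormal AI's or Microsoft's code. Token format,
user store and timestamps are constructed; real identity providers express
the same idea with signed JWTs and per-user session-revocation timestamps.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class User:
    password_hash: str                      # constructed stand-in, never compared here
    # Tokens issued before this instant are rejected. It moves forward only on
    # an explicit revocation event, never on a password change by itself.
    sessions_not_before: float = 0.0
    revoked_token_ids: set = field(default_factory=set)


@dataclass(frozen=True)
class AccessToken:
    token_id: str
    subject: str
    issued_at: float
    expires_at: float
    scopes: tuple


class IdentityProvider:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def add_user(self, name: str, password_hash: str) -> None:
        self.users[name] = User(password_hash=password_hash)

    def issue_token(self, name: str, scopes, lifetime_s: float, now: float) -> AccessToken:
        """Mint a bearer token after a (simulated) successful sign-in."""
        return AccessToken(token_id=secrets.token_hex(8), subject=name, issued_at=now,
                           expires_at=now + lifetime_s, scopes=tuple(scopes))

    def reset_password(self, name: str, new_hash: str) -> None:
        # Only the stored secret changes; tokens already issued are untouched.
        # This is exactly the gap the summary describes.
        self.users[name].password_hash = new_hash

    def revoke_sessions(self, name: str, now: float) -> None:
        """Explicit revocation: every token issued before `now` stops working."""
        self.users[name].sessions_not_before = now

    def revoke_token(self, name: str, token_id: str) -> None:
        """Targeted revocation of a single token."""
        self.users[name].revoked_token_ids.add(token_id)

    def validate(self, token: AccessToken, now: float, required_scope: str) -> tuple[bool, str]:
        """What a resource server checks on each request; returns (ok, reason)."""
        user = self.users.get(token.subject)
        if user is None:
            return False, "unknown subject"
        if now >= token.expires_at:
            return False, "expired"
        if token.token_id in user.revoked_token_ids:
            return False, "token revoked"
        if token.issued_at < user.sessions_not_before:
            return False, "issued before session revocation"
        if required_scope not in token.scopes:
            return False, "scope not granted"
        return True, "ok"


def walkthrough() -> dict[str, bool]:
    """Replay the scenario: token captured, password reset, then real revocation."""
    idp = IdentityProvider()
    idp.add_user("alice", "hash-v1")
    t0 = 1_000_000.0
    stolen = idp.issue_token("alice", ["Mail.Read", "Mail.Send"], lifetime_s=3600, now=t0)
    results = {}
    results["valid_after_issue"] = idp.validate(stolen, t0 + 60, "Mail.Read")[0]
    idp.reset_password("alice", "hash-v2")                 # incident response step 1
    results["valid_after_password_reset"] = idp.validate(stolen, t0 + 120, "Mail.Read")[0]
    idp.revoke_sessions("alice", now=t0 + 180)             # the step that actually matters
    results["valid_after_session_revocation"] = idp.validate(stolen, t0 + 240, "Mail.Read")[0]
    fresh = idp.issue_token("alice", ["Mail.Read"], lifetime_s=3600, now=t0 + 300)
    results["fresh_token_valid"] = idp.validate(fresh, t0 + 360, "Mail.Read")[0]
    results["fresh_token_lacks_send"] = idp.validate(fresh, t0 + 360, "Mail.Send")[0]
    return results


if __name__ == "__main__":
    for step, ok in walkthrough().items():
        print(f"{step:32s} {'ACCEPTED' if ok else 'REJECTED'}")
```

The point of the ordering in `walkthrough()` is that the stolen token is still accepted after the password reset and is rejected only once `revoke_sessions` moves the user's not-before timestamp past its issue time; a narrower-scope replacement token issued afterwards is accepted again, which is the behaviour a revocation runbook should verify rather than assume.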

Why token reuse creates persistent BEC access

A stolen OAuth token can behave like a reusable access grant, allowing the attacker to continue operating in mail, collaboration, and connected SaaS apps without repeated user interaction. That persistence is why token theft is attractive for business email compromise: the actor can observe, reply, forward, and abuse trust inside real user workflows. The attack surface expands further when tokens are accepted across multiple services or when access review processes do not check for anomalous token provenance. Traditional mailbox security alone is not enough if the identity layer itself remains valid.

Practical implication: monitor token age, scope, and unusual session patterns alongside mail security telemetry.

AI automation in phishing-as-a-service

Abnormal AI describes EvilTokens as using AI to automate BEC at scale, which changes the threat model from one-off phishing to higher-volume, adaptive abuse. The important point is not the label itself, but the operational effect: AI can help vary lures, manage conversations, and accelerate follow-on abuse once access is obtained. That still does not make the identity autonomous in the strict sense. The identity primitive here remains a non-human access token, with AI serving as an attack amplifier rather than an independently acting identity subject.

Practical implication: separate AI-enabled attack automation from autonomous identity governance when defining controls and ownership.


NHI Mgmt Group analysis

Token theft breaks the assumption that phishing is a password problem. This pattern works because many security programmes still equate account compromise with stolen credentials on a fake page. Here, the victim authenticates legitimately and the attacker steals the access artefact instead. The practitioner implication is that authentication assurance must extend beyond the login screen and into token lifecycle governance.

OAuth tokens have become an identity blast radius, not just a session mechanism. Once captured, a token can preserve access across email and integrated SaaS services, which means one successful capture can expose multiple operational channels. That is why token scope, token age, and revocation latency matter as much as login success rate. Teams should treat broad token reach as a governance problem, not a point-control problem.

AI-assisted phishing increases the volume and adaptability of token abuse, but the access model remains the core issue. Automation can accelerate lure generation, conversation handling, and post-compromise actions, yet the real weakness is still permissive identity trust. That makes this a human IAM and NHI overlap case, because the human signs in while the token behaves like a non-human credential. Practitioners need controls that recognise both sides of that trust chain.

Vendor email ecosystems are now identity systems whether security teams model them that way or not. Business email compromise is no longer only a messaging threat. It is an access-control failure that exploits identity assertions, delegated permissions, and trust in connected applications. The implication is that email security, IAM, and SaaS governance need a shared view of token state and session legitimacy.

OAuth token abuse is a lifecycle failure when access outlives the user action that created it. Tokens were designed for delegated access within a bounded trust relationship. That assumption fails when the token becomes a persistent attack asset after the original authentication event. The implication is that access review models built around passwords and user accounts miss the real revocation point.

From our research:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
  • For teams building a lifecycle response: 52 NHI Breaches Analysis shows how exposed credentials, weak offboarding, and persistence failures keep reappearing in real incidents.

What this signals

Token governance is becoming a shared control plane for IAM and email security. When a stolen OAuth token can survive password resets, the operational question shifts from account recovery to trust invalidation. Teams that still separate mailbox controls from identity controls will miss the part of the attack where the bearer credential becomes the real persistence mechanism.

Ephemeral access does not help if revocation is not observable. The programme signal is straightforward: identity teams need proof that token issuance, consent, and revocation events are being monitored as actively as logins. Without that visibility, access reviews remain a paper exercise while active tokens continue to authorise abuse.

Identity blast radius is now a practical programme metric. With 91% of former employee tokens remaining active after offboarding, the issue is not theoretical sprawl but ongoing trust debt. Readers should expect token lifecycle control to move from niche NHI practice into mainstream IAM governance.


For practitioners

  • Inventory OAuth-issued access paths: Map which SaaS applications, mail platforms, and collaboration tools accept tokens as persistent access. Include delegated scopes, refresh behaviour, and revocation ownership so security teams know where token abuse can survive a password reset.
  • Shorten the lifetime of high-risk tokens: Apply tighter lifetimes and explicit re-authentication for sensitive workflows, especially where email, messaging, or admin actions are involved. Align expiry with business risk rather than default platform settings.
  • Monitor for token provenance anomalies: Look for access that originates from unusual device context, impossible travel, repeated consent prompts, or token use that does not match the user’s normal mail and app behaviour. Token reuse often appears legitimate at first glance, so the signal must be behavioural.
  • Revoke stale delegated access on a fixed review cadence: Tie offboarding and access certification to OAuth grants, not only to user accounts. The 91% active former-employee token problem shows why revocation needs to be explicit, verified, and repeated.
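The monitoring the practitioner list and the earlier "monitor token age, scope, and unusual session patterns" note call for, as an added example that is not Abnormal AI's detection logic and not Microsoft's sign-in log schema: a small rule set run over constructed token-use events that flags token age beyond a scope-dependent policy, use from a device not in the user's baseline, impossible travel between consecutive uses, and any use after the user's offboarding date. Users, devices, locations, timestamps, thresholds and field names are all constructed for the example; in production the same rules would run over the identity provider's sign-in and token audit logs.

```python
"""Token-provenance anomaly checks over constructed token-use events.

Added example: not Abnormal AI's detection logic, not a real log schema.
Every user, device, location, timestamp and threshold below is constructed.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed directory: known devices per user and offboarding dates.
USERS = {
    "alice@example.test": {"devices": {"win-laptop-0417"}, "offboarded": None},
    "bob@example.test": {"devices": {"mac-7781"}, "offboarded": "2026-06-01T00:00:00+00:00"},
}

# Constructed policy: tokens carrying high-risk delegated scopes may only be
# used for a short window after issuance before re-authentication is expected.
HIGH_RISK_SCOPES = {"Mail.Send", "MailboxSettings.ReadWrite", "Directory.ReadWrite.All"}
MAX_TOKEN_AGE = {"high_risk": timedelta(hours=1), "default": timedelta(hours=24)}
MAX_PLAUSIBLE_SPEED_KMH = 900.0

# Constructed events, oldest first. Event 2 reuses event 1's token from a
# new device and a distant location; event 3 is a former employee's token.
EVENTS = [
    {"user": "alice@example.test", "token_id": "tok-a1", "issued_at": "2026-06-20T08:00:00+00:00",
     "used_at": "2026-06-20T08:05:00+00:00", "device": "win-laptop-0417",
     "lat": 51.5074, "lon": -0.1278, "scopes": ["Mail.Read", "Mail.Send"]},
    {"user": "alice@example.test", "token_id": "tok-a1", "issued_at": "2026-06-20T08:00:00+00:00",
     "used_at": "2026-06-20T09:10:00+00:00", "device": "unknown-linux-9f3",
     "lat": 6.5244, "lon": 3.3792, "scopes": ["Mail.Read", "Mail.Send"]},
    {"user": "bob@example.test", "token_id": "tok-b7", "issued_at": "2026-05-30T09:00:00+00:00",
     "used_at": "2026-06-20T10:00:00+00:00", "device": "mac-7781",
     "lat": 40.7128, "lon": -74.0060, "scopes": ["Files.Read"]},
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def allowed_age(scopes) -> timedelta:
    """Scope-aware token age limit: any high-risk scope triggers the short window."""
    return MAX_TOKEN_AGE["high_risk"] if HIGH_RISK_SCOPES & set(scopes) else MAX_TOKEN_AGE["default"]


def analyse(events, users) -> list:
    """Return one record per event with a sorted list of findings (empty = clean)."""
    last_seen = {}   # user -> (time, lat, lon) of the previous token use
    report = []
    for ev in events:
        profile = users.get(ev["user"])
        used = datetime.fromisoformat(ev["used_at"])
        issued = datetime.fromisoformat(ev["issued_at"])
        hits = []
        if profile is None:
            hits.append("unknown_user")
        else:
            if profile["offboarded"] and used >= datetime.fromisoformat(profile["offboarded"]):
                hits.append("token_active_after_offboarding")
            if ev["device"] not in profile["devices"]:
                hits.append("new_device_for_user")
        if used - issued > allowed_age(ev["scopes"]):
            hits.append("token_age_exceeds_policy")
        prev = last_seen.get(ev["user"])
        if prev:
            prev_time, plat, plon = prev
            hours = (used - prev_time).total_seconds() / 3600
            km = haversine_km(plat, plon, ev["lat"], ev["lon"])
            # Zero or negative elapsed time with a location change is also implausible.
            if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
                hits.append("impossible_travel")
        last_seen[ev["user"]] = (used, ev["lat"], ev["lon"])
        report.append({"user": ev["user"], "token_id": ev["token_id"],
                       "used_at": ev["used_at"], "findings": sorted(hits)})
    return report


def revocation_candidates(report) -> set:
    """Token ids with at least one finding: the input to an explicit revocation step."""
    return {r["token_id"] for r in report if r["findings"]}


if __name__ == "__main__":
    rep = analyse(EVENTS, USERS)
    for r in rep:
        print(r["used_at"], r["user"], r["token_id"], r["findings"] or "clean")
    print("revoke:", sorted(revocation_candidates(rep)))
```

Each rule is deliberately independent so that a single replayed token accumulates several findings at once; the practical value is in the combination, since no one signal (a new device, a long-lived token, a distant location) is conclusive on its own. `revocation_candidates` feeds the last list item: the output is a set of grant identifiers to revoke and re-verify, not a set of user accounts to reset.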

Key takeaways

  • EvilTokens shows that modern phishing can bypass password-centric thinking by stealing OAuth tokens through legitimate login flows.
  • The scale problem is lifecycle-related, because a captured token can preserve access long after the original authentication event has ended.
  • The practical control shift is toward token-aware monitoring, tighter delegated access, and explicit revocation ownership across IAM and SaaS teams.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Token theft and persistence map directly to NHI credential lifecycle weakness.
NIST CSF 2.0 | PR.AC-1 | Token reuse depends on weak access control and poor identity verification handling.
NIST Zero Trust (SP 800-207) | AC-4 | Legitimate sign-in plus stolen token defeats perimeter assumptions in zero trust flows.

Treat token provenance and session legitimacy as policy inputs for every sensitive access decision.


Key terms

  • OAuth Token: An OAuth token is a bearer credential issued after authentication that can be used to access services without resubmitting a password. In practice, it acts like delegated proof of access, so theft of the token can be as damaging as theft of the account itself if revocation is delayed or incomplete.
  • Business Email Compromise: Business email compromise is the abuse of trusted email access to impersonate users, redirect payments, exfiltrate messages, or manipulate internal workflows. It often begins with identity compromise rather than mailbox exploitation, which is why identity and mail controls must be analysed together.
  • Delegated Access: Delegated access is permission granted to one identity or application to act within the scope of another identity’s authority. It is essential for modern SaaS integrations, but it also expands the attack surface when tokens, consent grants, or refresh logic are over-permissive or poorly monitored.
  • Token Revocation: Token revocation is the act of invalidating an issued credential so it can no longer be used to authenticate or authorise access. It is a lifecycle control, not just an incident-response step, and it must be visible, fast, and tied to ownership if it is to reduce persistent compromise.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: Inside EvilTokens, the PhaaS Platform Stealing Tokens, Not Passwords. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org