TL;DR: A phishing-as-a-service platform is using legitimate Microsoft sign-in flows to steal OAuth tokens instead of passwords, then turning that access into persistent business email compromise, according to Abnormal AI. The core problem is that traditional credential-harvesting controls assume a fake login page or stolen password, while token theft preserves legitimate authentication context and defeats those assumptions.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- 91% of former employee tokens remain active after offboarding (The 2025 State of NHIs and Secrets in Cybersecurity), so delegated access can outlive the account it was granted to.
Questions worth separating out
Q: How should security teams handle OAuth token theft in phishing campaigns?
A: Security teams should treat OAuth token theft as account compromise, not just phishing: revoke the user's sessions and refresh tokens, review the applications the user has consented to, and only then count the incident as contained. A password reset on its own does not prove the attacker is out.
Q: Why do OAuth tokens create more risk than stolen passwords?
A: OAuth tokens preserve access without exposing the password. A stolen refresh token lets the attacker mint fresh access tokens on their own, and an access token already issued stays valid until it expires (in Entra ID, roughly an hour by default), so the attacker may keep working after a password reset unless the tokens and sessions are revoked as well. Whether a reset also revokes refresh tokens depends on the identity provider, which is why revocation should be explicit rather than assumed.
Practitioner guidance
- Inventory OAuth-issued access paths: map which SaaS applications, mail platforms, and collaboration tools accept tokens as persistent access.
- Shorten the lifetime of high-risk tokens: apply tighter lifetimes and explicit re-authentication for sensitive workflows, especially where email, messaging, or admin actions are involved.
- Monitor for token provenance anomalies: look for access that originates from unusual device context, impossible travel, repeated consent prompts, or token use that does not match the user's normal mail and app behaviour.
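As an added illustration of the third point (written for this post; it is not code from Abnormal AI, NHIMG or the webinar), the following Python runs three of those provenance checks over a handful of constructed sign-in events: impossible travel between consecutive events, token-only access from a device and address that never completed an interactive sign-in, and repeated consent prompts for one application. The event shape is a simplified stand-in for identity-provider sign-in logs, and the field names, speed threshold and every sample record are assumptions made for the example.

```python
"""Token-provenance anomaly checks run over constructed sign-in events.

Added example written for this post; it is not Abnormal AI's or NHIMG's code.
The event fields loosely mirror identity-provider sign-in log columns but are
a simplified assumption, as are the thresholds and every sample record below.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    time: str        # ISO 8601 timestamp, UTC
    ip: str
    lat: float
    lon: float
    device_id: str   # registered device identifier, or "unmanaged"
    kind: str        # "interactive", "token" (access via an existing token only) or "consent"
    app: str


MAX_SPEED_KMH = 900.0   # assumed threshold: faster than a commercial flight


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _sorted_by_user(events):
    """Group events per user, each group in chronological order."""
    by_user = {}
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e.time)):
        by_user.setdefault(e.user, []).append(e)
    return by_user


def impossible_travel(events):
    """Consecutive events for one user whose implied speed exceeds MAX_SPEED_KMH."""
    hits = []
    for user, evs in _sorted_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            delta = datetime.fromisoformat(cur.time) - datetime.fromisoformat(prev.time)
            hours = delta.total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                hits.append((user, prev.ip, cur.ip))
    return hits


def orphaned_token_use(events):
    """Token-only access from an (ip, device) pair that has not completed an
    interactive sign-in for that user so far. The token shows up without the
    authentication context that produced it, which is what a stolen token looks like."""
    hits = []
    for user, evs in _sorted_by_user(events).items():
        seen = set()
        for e in evs:
            if e.kind == "interactive":
                seen.add((e.ip, e.device_id))
            elif e.kind == "token" and (e.ip, e.device_id) not in seen:
                hits.append((user, e.ip, e.device_id, e.app))
    return hits


def repeated_consent(events, threshold: int = 2):
    """(user, app) pairs that triggered the consent prompt at least `threshold` times."""
    counts = {}
    for e in events:
        if e.kind == "consent":
            counts[(e.user, e.app)] = counts.get((e.user, e.app), 0) + 1
    return [pair for pair, n in counts.items() if n >= threshold]


# Constructed sample: TEST-NET addresses, fictional users, devices and apps.
SAMPLE = [
    SignIn("bob", "2025-03-03T08:00:00", "192.0.2.10", 52.5200, 13.4050, "dev-bob-laptop", "interactive", "Outlook"),
    SignIn("bob", "2025-03-03T10:00:00", "192.0.2.10", 52.5200, 13.4050, "dev-bob-laptop", "token", "Exchange Online"),
    SignIn("alice", "2025-03-03T08:50:00", "203.0.113.5", 51.5074, -0.1278, "dev-alice-laptop", "consent", "Mail Sync Helper"),
    SignIn("alice", "2025-03-03T08:55:00", "203.0.113.5", 51.5074, -0.1278, "dev-alice-laptop", "consent", "Mail Sync Helper"),
    SignIn("alice", "2025-03-03T09:00:00", "203.0.113.5", 51.5074, -0.1278, "dev-alice-laptop", "interactive", "Outlook"),
    # The same user's token, 40 minutes later, from New York on an unmanaged device.
    SignIn("alice", "2025-03-03T09:40:00", "198.51.100.7", 40.7128, -74.0060, "unmanaged", "token", "Exchange Online"),
]


def findings(events=SAMPLE):
    """Run every check and return the hits keyed by rule name."""
    return {
        "impossible_travel": impossible_travel(events),
        "orphaned_token_use": orphaned_token_use(events),
        "repeated_consent": repeated_consent(events),
    }


if __name__ == "__main__":
    for rule, hits in findings().items():
        print(rule, hits)
```

Run it and the only user flagged is the constructed one whose token was used from a device that never completed an interactive sign-in; that is the signal a fake-login-page detector never sees, because the page the victim signed in on was real. The same mechanism also makes the checks resistant to the usual blind spot of impossible-travel alone: a stolen token used from the victim's own city still trips the orphaned-token rule. In Entra ID the follow-up is revoking the user's sessions (the Microsoft Graph `revokeSignInSessions` action) rather than only resetting the password.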
What to expect at the briefing
Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:
- Live demonstration of how EvilTokens captures OAuth tokens during a legitimate Microsoft sign-in flow
- Behavioural detection patterns for token-theft phishing that do not rely on fake login page indicators
- Practical discussion of what security teams can monitor when token reuse persists across email and connected SaaS
- The webinar framing around AI-enabled BEC automation and how that changes analyst and response workflows
👉 Watch Abnormal AI's webinar on EvilTokens and OAuth token theft →
OAuth token theft and BEC: are your controls keeping up?
Explore further
Token theft breaks the assumption that phishing is a password problem. This pattern works because many security programmes still equate account compromise with stolen credentials on a fake page. Here, the victim authenticates legitimately and the attacker steals the access artefact instead. The practitioner implication is that authentication assurance must extend beyond the login screen and into token lifecycle governance.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
A question worth separating out:
Q: Who is accountable when a stolen token is reused for business email compromise?
A: Accountability usually spans identity, email security, and SaaS owners because the compromise sits at the boundary between authentication and delegated access. Organisations should assign explicit ownership for token revocation, consent monitoring, and session invalidation so a valid token cannot become an indefinite trust grant.
👉 Read our full editorial: EvilTokens shows OAuth token theft is bypassing password-based defenses