In March 2026, cybersecurity researchers uncovered two major threat campaigns that demonstrate how attackers are evolving their techniques to bypass traditional defenses. Notably, one campaign exploited Microsoft’s OAuth authentication flow to silently compromise enterprise accounts, while another targeted macOS users—especially developers working with AI tools—using the AMOS infostealer.
To begin with, the EvilTokens campaign marks a significant shift in phishing strategies. Instead of stealing passwords through fake login pages, attackers now manipulate Microsoft’s OAuth 2.0 Device Code flow. Originally designed for devices with limited input capabilities, such as smart TVs, this legitimate authentication method has become a powerful attack vector.
The attack itself is simple but effective. Victims receive phishing emails instructing them to enter a device verification code on a genuine Microsoft login page. Once users authenticate and complete multi-factor authentication (MFA), Microsoft's identity platform issues OAuth access and refresh tokens to the device that started the flow, which is the attacker's. As a result, MFA protections become ineffective, and traditional phishing detection fails because users never interact with a fake website.
Security analysts from ANY.RUN identified more than 180 phishing URLs linked to EvilTokens activity within a single week. Furthermore, the campaign heavily targeted sectors such as Technology, Education, Manufacturing, and Government, with a strong focus on organizations in the United States and India. Adding to the concern, EvilTokens operates as a Phishing-as-a-Service (PhaaS) platform, offering automation, reconnaissance tools, email harvesting, and AI-powered capabilities via Telegram.
In more advanced scenarios, attackers use stolen refresh tokens to register rogue devices in Microsoft Entra ID. Subsequently, they request a Primary Refresh Token (PRT), which grants persistent access to Microsoft 365 environments while bypassing MFA entirely.
Meanwhile, a parallel campaign has emerged targeting macOS systems, particularly developers using AI coding platforms. Attackers leveraged Google Ads to redirect users searching for tools like Claude Code, Grok, and others to fake documentation pages. These pages then trick users into executing malicious terminal commands—a tactic known as ClickFix.
Once executed, the attack unfolds in multiple stages. Initially, the system downloads an encoded script in the background. Then, the AMOS infostealer collects browser credentials, saved passwords, macOS Keychain data, and sensitive files. Additionally, attackers deploy a backdoor through the ~/.mainhelper module, enabling persistent remote access via a fully interactive reverse shell.
This updated backdoor represents a serious escalation. Previously limited in capability, it now allows attackers to maintain real-time control over infected systems. Consequently, enterprise environments face severe risks, especially since developers often have privileged access to internal systems, repositories, and cloud infrastructure.
Moreover, the multi-stage design of the attack deliberately fragments detection signals. By spreading malicious activity across several stages, attackers reduce the likelihood of immediate detection, delaying incident response efforts.
To mitigate these threats, organizations should actively monitor Microsoft Entra ID logs for suspicious device authentication attempts. They should also enforce Conditional Access policies and regularly rotate OAuth tokens. Similarly, for macOS environments, security teams must block unsigned scripts, monitor WebSocket connections, and deploy advanced endpoint detection solutions.
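As an added example (not from the article or from ANY.RUN), the following Python triages Entra ID sign-in records for the pattern EvilTokens produces: a device-code sign-in whose IP never appears on the same user's interactive sign-ins, and which Conditional Access did not enforce. The records are constructed, and the field names (userPrincipalName, authenticationProtocol, ipAddress, conditionalAccessStatus) follow the Microsoft Graph signIn resource as assumed here.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real data). Field names are assumed
# to match the Microsoft Graph signIn resource.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "conditionalAccessStatus": "success"},
]


def known_ips(records):
    """Per user, the set of IPs seen on non-device-code sign-ins (the baseline)."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen


def flag_device_code(records):
    """Return (upn, ip, reasons) for every device-code sign-in.

    In the EvilTokens pattern the tokens are delivered to the host that started
    the device-code flow, so the sign-in IP is the attacker's rather than the
    victim's usual address; that mismatch and a skipped Conditional Access
    evaluation are the signals worth escalating.
    """
    baseline = known_ips(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        reasons = ["device_code_flow"]
        if r["ipAddress"] not in baseline.get(r["userPrincipalName"], set()):
            reasons.append("ip_not_seen_on_interactive_sign_ins")
        if r["conditionalAccessStatus"] != "success":
            reasons.append("conditional_access_not_enforced")
        findings.append((r["userPrincipalName"], r["ipAddress"], reasons))
    return findings


if __name__ == "__main__":
    for upn, ip, reasons in flag_device_code(SIGN_INS):
        print(f"{upn} {ip} {', '.join(reasons)}")
```

Bob's device-code sign-in is reported with a single reason because it comes from an IP already seen on his interactive sign-ins; Alice's carries all three and is the one to escalate.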
Ultimately, both campaigns reveal a broader cybersecurity trend in March 2026. Attackers increasingly exploit trusted platforms—such as legitimate Microsoft pages, Google Ads, and authentic-looking documentation—to evade detection and accelerate compromise before security teams can respond effectively.