Device Code Phishing Campaign Targets Over 340 Microsoft 365 Organizations Across Five Countries

Cybersecurity experts have raised alarms over a sophisticated device code phishing campaign that has compromised Microsoft 365 identities across more than 340 organizations in the United States, Canada, Australia, New Zealand, and Germany. This alarming trend, first identified on February 19, 2026, by Huntress, has accelerated rapidly, employing advanced techniques to harvest credentials effectively.

Campaign Overview and Methodology

The campaign utilizes Cloudflare Workers to redirect captured sessions to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway. This turns Railway into a credential harvesting engine and lets the attackers abuse the OAuth device authorization flow. That flow hands the attacker a token set (an access token and a refresh token) that remains valid even after the victim's password is reset, which significantly increases the risk of account takeover.

Targeted sectors include construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government. The diversity of techniques employed in this campaign is particularly noteworthy. According to Huntress, the attackers have used various lures, including construction bid notifications, DocuSign impersonation, voicemail alerts, and the exploitation of Microsoft Forms pages, all directed at the same victim pool through Railway’s IP infrastructure.

Technical Mechanics of the Attack

Device code phishing exploits the OAuth device authorization flow, allowing attackers to gain unauthorized access to victim accounts. The attack proceeds as follows:

  1. The attacker requests a device code from the identity provider, such as Microsoft Entra ID, via the legitimate device code API.
  2. The service responds with a device code.
  3. The attacker sends a convincing email to the victim, urging them to visit a sign-in page (e.g., “microsoft[.]com/devicelogin”) and enter the device code.
  4. Once the victim inputs the code along with their credentials and two-factor authentication (2FA) code, the service generates an access token and a refresh token.

Once the victim authenticates, their session generates a set of tokens that can be retrieved by anyone who knows the device code used in the original request. This method is particularly insidious because it leverages legitimate Microsoft infrastructure, making it difficult for users to detect malicious activity.
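The four-step flow above, and the point that the resulting tokens outlive a password reset, can be shown with a small model of the OAuth 2.0 device authorization grant (RFC 8628). The code below is an added example written for this page; it is not code from Huntress, Microsoft, or any of the tools mentioned. It models an identity provider in memory: a client obtains a device code and a short user code, the user enters the user code at the legitimate verification page (this is the "device code" the article says the victim types; RFC 8628 calls it the user code, and the longer device code stays with the party that requested it), and the holder of the device code then polls the token endpoint. The `DeviceCodeServer` class, its method names, and the sample account are all assumptions made for the illustration. The example goes one step beyond the article's description by also showing why the recommended remedy is revoking refresh tokens rather than resetting the password.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added illustration, not real identity-provider code. Everything here
(class name, method names, the 'alice' account) is assumed for the demo.
"""
import secrets
import time


class DeviceCodeServer:
    """In-memory identity provider that issues device codes and tokens."""

    def __init__(self):
        # device_code -> {"user_code": str, "user": approved user or None, "expires": epoch}
        self.pending = {}
        # refresh_token -> username; this is the state that survives a password reset
        self.refresh_tokens = {}
        self.passwords = {"alice": "hunter2"}  # constructed sample account

    def device_authorization(self, client_id):
        """Step 1 and 2: the requesting client receives a device code and a user code."""
        device_code = secrets.token_hex(16)
        user_code = secrets.token_hex(4).upper()
        self.pending[device_code] = {"user_code": user_code, "user": None,
                                     "expires": time.time() + 900}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "expires_in": 900, "interval": 5}

    def user_authorizes(self, user_code, username, password, mfa_ok):
        """Step 3 and 4: the user types the user code at the real sign-in page
        and completes password plus MFA. The user never sees the device code."""
        if self.passwords.get(username) != password or not mfa_ok:
            return False
        for entry in self.pending.values():
            if entry["user_code"] == user_code and entry["expires"] > time.time():
                entry["user"] = username
                return True
        return False

    def token(self, device_code):
        """Polled by whoever holds the device code; returns tokens once approved."""
        entry = self.pending.get(device_code)
        if entry is None or entry["expires"] < time.time():
            return {"error": "invalid_grant"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}
        refresh_token = secrets.token_hex(16)
        self.refresh_tokens[refresh_token] = entry["user"]
        del self.pending[device_code]
        return {"access_token": secrets.token_hex(8), "refresh_token": refresh_token}

    def refresh(self, refresh_token):
        """Mint a new access token from a refresh token, no password involved."""
        user = self.refresh_tokens.get(refresh_token)
        if user is None:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_hex(8), "user": user}

    def reset_password(self, username, new_password):
        """Changes the credential only; issued refresh tokens are untouched."""
        self.passwords[username] = new_password

    def revoke_sessions(self, username):
        """The actual remedy: invalidate every refresh token for the user."""
        for rt in [rt for rt, u in self.refresh_tokens.items() if u == username]:
            del self.refresh_tokens[rt]


def demo():
    """Run the flow end to end and report what each remediation step achieves."""
    idp = DeviceCodeServer()
    grant = idp.device_authorization("client-x")
    pending = idp.token(grant["device_code"])["error"]          # nobody approved yet
    idp.user_authorizes(grant["user_code"], "alice", "hunter2", mfa_ok=True)
    tokens = idp.token(grant["device_code"])                    # requester now holds tokens
    idp.reset_password("alice", "new-password")
    after_reset = "access_token" in idp.refresh(tokens["refresh_token"])
    idp.revoke_sessions("alice")
    after_revoke = "access_token" in idp.refresh(tokens["refresh_token"])
    return {"pending": pending, "after_reset": after_reset, "after_revoke": after_revoke}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows `authorization_pending` until the user approves, a refresh that still succeeds after the password reset, and a refresh that fails only once the sessions are revoked. The binding that matters is between the device code and the issued tokens, not between the tokens and the password, which is why the mitigation section's advice to revoke refresh tokens is the step that actually closes the door.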

Historical Context and Attribution

The use of device code phishing techniques was first documented by Microsoft and Volexity in February 2025. Subsequent waves of attacks have been attributed to multiple Russia-aligned groups, including Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare. These groups have demonstrated a pattern of exploiting legitimate services to bypass security measures, making their attacks more effective.

Infrastructure and Phishing Techniques

The campaign’s authentication abuse primarily originates from a small cluster of Railway.com IP addresses, with three specific addresses accounting for approximately 84% of observed events. The identified IPs include:

  • 162.220.234.41
  • 162.220.234.66
  • 162.220.232.57

The phishing emails often contain malicious URLs disguised within legitimate security vendor redirect services from companies like Cisco, Trend Micro, and Mimecast. This tactic allows attackers to bypass spam filters and initiate a multi-hop redirect chain, utilizing compromised sites, Cloudflare Workers, and Vercel as intermediaries before directing victims to the final phishing destination.

Upon reaching the landing page, victims are prompted to enter a device code to access files. The code is rendered directly on the page, a notable evolution in phishing tactics that eliminates the need for attackers to manually provide the code. This automation enhances the efficiency of the attack and increases the likelihood of victim compliance.

Mitigation Strategies and Recommendations

To combat this emerging threat, cybersecurity experts recommend that organizations take proactive measures. Security teams should regularly review sign-in logs for any authentications originating from Railway IP addresses, revoke all refresh tokens for affected accounts (a password reset alone does not invalidate tokens already issued), and block authentication attempts from Railway infrastructure whenever possible.
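The first recommendation, reviewing sign-in logs for the Railway addresses listed above, is straightforward to script. The following is an added example for this page, not a Huntress or Microsoft tool. It triages a small set of constructed Entra ID sign-in records (one JSON object per line) for two signals the report describes: a source IP in the Railway cluster, and a sign-in completed through the device code grant. The field names (`ipAddress`, `userPrincipalName`, `authenticationProtocol`, `status.errorCode`) are modeled on the Microsoft Graph `signIn` resource, and the sample records and e-mail addresses are constructed for the demo; the three IPs are the ones quoted in the article.

```python
"""Triage Entra ID sign-in records for device-code sign-ins from the Railway IPs.

Added example. Record layout is modeled on the Microsoft Graph signIn resource
(assumed); the sample data below is constructed and not from any real tenant.
"""
import ipaddress
import json
from collections import Counter

# The three Railway.com addresses named in the report.
RAILWAY_IPS = frozenset({"162.220.234.41", "162.220.234.66", "162.220.232.57"})

# Constructed sample: three successes from Railway IPs, one ordinary OAuth sign-in,
# one device-code sign-in from an unrelated address, one failed attempt from Railway.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2026-02-19T09:12:41Z", "userPrincipalName": "alice@example.com", "ipAddress": "162.220.234.41", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-19T09:13:05Z", "userPrincipalName": "bob@example.com", "ipAddress": "162.220.234.66", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-19T09:20:17Z", "userPrincipalName": "alice@example.com", "ipAddress": "162.220.234.41", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-19T09:22:50Z", "userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.9", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-19T09:25:02Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.5", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-19T09:31:44Z", "userPrincipalName": "erin@example.com", "ipAddress": "162.220.232.57", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
"""


def parse_signins(ndjson_text):
    """Parse newline-delimited JSON sign-in records, rejecting malformed IPs early."""
    records = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ipaddress.ip_address(rec["ipAddress"])  # raises ValueError on garbage
        records.append(rec)
    return records


def triage(records, suspicious_ips=RAILWAY_IPS):
    """Return one finding per record that matches either signal, with the reasons."""
    findings = []
    for rec in records:
        reasons = []
        if rec.get("ipAddress") in suspicious_ips:
            reasons.append("railway_ip")
        if rec.get("authenticationProtocol") == "deviceCode":
            reasons.append("device_code_grant")
        if reasons:
            findings.append({
                "when": rec["createdDateTime"],
                "user": rec["userPrincipalName"],
                "ip": rec["ipAddress"],
                # errorCode 0 means the sign-in succeeded and tokens were issued
                "succeeded": rec.get("status", {}).get("errorCode", 0) == 0,
                "reasons": reasons,
            })
    return findings


def affected_users(findings):
    """Accounts whose flagged sign-in succeeded: candidates for token revocation."""
    return sorted({f["user"] for f in findings if f["succeeded"]})


def ip_share(findings):
    """How the flagged events are distributed across source IPs."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = triage(parse_signins(SAMPLE_SIGNINS))
    for f in found:
        print(f["when"], f["user"], f["ip"], "OK" if f["succeeded"] else "FAILED", f["reasons"])
    print("revoke refresh tokens for:", affected_users(found))
    print("events per IP:", ip_share(found).most_common())
```

A failed attempt from a Railway address (the last sample record) is still worth a look, since the same user may have a successful sign-in elsewhere in the window. For the accounts that `affected_users` returns, the Microsoft Graph PowerShell SDK's `Revoke-MgUserSignInSession` invalidates issued refresh tokens, and a Conditional Access named location covering the Railway addresses implements the blocking recommendation.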

Huntress has linked the Railway attack to a new phishing-as-a-service (PhaaS) platform known as EvilTokens, which emerged recently on Telegram. This platform not only offers tools for sending phishing emails and bypassing spam filters but also provides customers with open redirect links to obscure phishing links. The rapid expansion of EvilTokens’ functionality, coupled with a dedicated support team, underscores the growing sophistication of phishing operations.

Broader Implications and Future Outlook

The recent warnings from Palo Alto Networks Unit 42 regarding similar device code phishing campaigns highlight the evolving nature of these threats. These attacks employ advanced anti-bot and anti-analysis techniques to evade detection while exfiltrating sensitive browser cookies upon page load. The earliest observations of this related campaign date back to February 18, 2026, indicating a broader trend of increasing sophistication in phishing tactics.

Phishing pages have been observed disabling right-click functionality, text selection, and drag operations, as well as blocking keyboard shortcuts for developer tools. These measures aim to prevent victims from recognizing the malicious nature of the site, further complicating detection efforts.

For more information on this evolving threat landscape, refer to The Hacker News' reporting on the campaign.
