Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
Device code phishing campaign targets 340+ Microsoft 365 orgs across five countries via OAuth abuse.
Summary
Cybersecurity researchers have identified an active device code phishing campaign exploiting OAuth's device authorization flow to target over 340 Microsoft 365 organizations in the U.S., Canada, Australia, New Zealand, and Germany. The attackers use Cloudflare Workers redirects and Railway.com infrastructure to harvest credentials and generate persistent access tokens that remain valid even after password resets. The campaign, attributed to a new phishing-as-a-service platform called EvilTokens, employs diverse social engineering tactics including construction bid lures, DocuSign impersonation, and Microsoft Forms abuse across multiple business sectors.
Full text
The Hacker News, Mar 25, 2026. Identity Security / Threat Intelligence

Cybersecurity researchers are calling attention to an active device code phishing campaign that's targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany.

The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. Notably, the campaign leverages Cloudflare Workers redirects, with captured sessions redirected to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway, effectively turning it into a credential harvesting engine.

Construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government are some of the prominent sectors targeted as part of the campaign.

"What also makes this campaign unusual is not just the device code phishing techniques involved, but the variety of techniques observed," the company said. "Construction bid lures, landing page code generation, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms pages are all hitting the same victim pool through the same Railway.com IP infrastructure."

Device code phishing refers to a technique that exploits the OAuth device authorization flow to grant the attacker persistent access tokens, which can then be used to seize control of victim accounts. What's significant about this attack method is that the tokens remain valid even after the account's password is reset.

At a high level, the attack works as follows:

- The threat actor requests a device code from the identity provider (e.g., Microsoft Entra ID) via the legitimate device code API. The service responds with a device code.
- The threat actor creates a persuasive email and sends it to the victim, urging them to visit a sign-in page ("microsoft[.]com/devicelogin") and enter the device code.
- After the victim enters the provided code, along with their credentials and two-factor authentication (2FA) code, the service creates an access token and a refresh token for the user.

"Once the user has fallen victim to the phish, their authentication generates a set of tokens that now live at the OAuth token API endpoint and can be retrieved by providing the correct device code," Huntress explained. "The attacker, of course, knows the device code because it was generated by the initial cURL request to the device code login API."

"And while that code is useless by itself, once the victim has been tricked into authenticating, the resulting tokens now belong to anyone who knows which device code was used in the original request."

The use of device code phishing was first observed by Microsoft and Volexity in February 2025, with subsequent waves documented by Amazon Threat Intelligence and Proofpoint. These attacks have been attributed to multiple Russia-aligned groups tracked as Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare.

The technique is insidious, not least because it leverages legitimate Microsoft infrastructure to perform the device code authentication flow, thereby giving users no reason to suspect anything could be amiss.
In the campaign detected by Huntress, the authentication abuse originates from a small cluster of Railway.com IP addresses, with three of them accounting for roughly 84% of observed events:

- 162.220.234[.]41
- 162.220.234[.]66
- 162.220.232[.]57
- 162.220.232[.]99
- 162.220.232[.]235

The starting point of the attack is a phishing email that wraps malicious URLs within legitimate security vendor redirect services from Cisco, Trend Micro, and Mimecast so as to bypass spam filters and trigger a multi-hop redirect chain featuring a combination of compromised sites, Cloudflare Workers, and Vercel as intermediaries before taking the victim to the final destination.

"The observed landing sites prompt the victim to proceed to the legitimate Microsoft device code authentication endpoint and input a provided code in order to read some files," Huntress said. "The code is rendered directly on the page when the victim arrives."

"This is an interesting iteration of the tactic, as, normally, the adversary must produce and then provide the code to the victim. By rendering the code directly on the page, likely by some code generation automation, the victim is immediately provided with the code and pretext for the attack."

The landing page also comes with a "Continue to Microsoft" button that, when clicked, opens a pop-up window rendering the legitimate Microsoft authentication endpoint ("microsoft[.]com/devicelogin"). Almost every device code phishing site has been hosted on a Cloudflare workers[.]dev instance, illustrating how the threat actors are weaponizing the trust associated with the service in enterprise environments to sidestep web content filters.

To combat the threat, users are advised to scan sign-in logs to hunt for Railway IP logins, revoke all refresh tokens for affected users, and block authentication attempts from Railway infrastructure if possible.
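The hunting and clean-up advice above (scan sign-in logs for Railway IP logins, revoke refresh tokens for affected users), as an added example that is not Huntress's or The Hacker News's code: a small Python triage over constructed records shaped like Entra ID sign-in log entries. The five addresses come from the report; the field names `ipAddress`, `authenticationProtocol` (value `deviceCode`) and `status.errorCode` follow the Microsoft Graph sign-in log schema; `extra_nets` is an assumed hook for operator-supplied ranges, which the page does not list.

```python
import ipaddress

# Railway.com addresses named in the Huntress report quoted above.
RAILWAY_IPS = frozenset({
    "162.220.234.41", "162.220.234.66", "162.220.232.57",
    "162.220.232.99", "162.220.232.235",
})

# Constructed sample records shaped like Entra ID sign-in log entries
# (only the fields this triage reads; real records carry many more).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-02-19T14:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "162.220.234.41", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T14:05:40Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.7", "authenticationProtocol": "none", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-20T09:17:03Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "162.220.232.57", "authenticationProtocol": "none", "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-02-20T09:21:55Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "198.51.100.23", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
]

def is_railway(ip, railway_ips=RAILWAY_IPS, extra_nets=()):
    """True if ip is one of the known addresses or inside an operator-supplied CIDR
    (extra_nets is an assumption: the page lists single IPs, not ranges)."""
    if ip in railway_ips:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in extra_nets)

def triage_signins(signins, extra_nets=()):
    """Return the sign-ins worth a look and the users whose refresh tokens should be revoked."""
    railway, device_code, revoke = [], [], set()
    for rec in signins:
        succeeded = rec.get("status", {}).get("errorCode") == 0
        if is_railway(rec.get("ipAddress", "0.0.0.0"), extra_nets=extra_nets):
            railway.append(rec)
            if succeeded:  # a token set was issued: a password reset alone will not help
                revoke.add(rec["userPrincipalName"])
        # Device code flow is rare for most users, so every such sign-in gets reviewed
        if rec.get("authenticationProtocol") == "deviceCode":
            device_code.append(rec)
    return {"railway_signins": railway, "device_code_signins": device_code,
            "users_to_revoke": sorted(revoke)}

if __name__ == "__main__":
    result = triage_signins(SAMPLE_SIGNINS)
    for rec in result["railway_signins"]:
        print("Railway IP sign-in:", rec["createdDateTime"], rec["userPrincipalName"], rec["ipAddress"])
    for rec in result["device_code_signins"]:
        print("Device code sign-in:", rec["createdDateTime"], rec["userPrincipalName"], rec["ipAddress"])
    print("Revoke refresh tokens for:", result["users_to_revoke"])
```

A failed sign-in from a Railway address (carol, error 50126) is still reported but does not trigger revocation, since no tokens were issued.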
Huntress has since attributed the Railway attack to a new phishing-as-a-service (PhaaS) platform known as EvilTokens, which made its debut last month on Telegram. Besides advertising tools to send phishing emails and bypass spam filters, the EvilTokens dashboard provides customers with open redirect links to vulnerable domains to obscure the phishing links.

"In addition to rapid growth in tool functionality, the EvilToken team has spun up a full 24/7 support team and a support feedback channel," the company said. "They also have customer feedback."

The disclosure comes as Palo Alto Networks Unit 42 also warned of a similar device code phishing campaign, highlighting the attack's use of anti-bot and anti-analysis techniques to fly under the radar, while exfiltrating browser cookies to the threat actor on page load. The earliest observation of the campaign dates back to February 18, 2026.

The phishing page "disables right-click functionality, text selection, and drag operations," the company said, adding it "blocks keyboard shortcuts for developer tools (F12, Ctrl+Shift+I/C/J) and source viewing (Ctrl+U)" and "detects active developer tools by utilizing a window size heuristic, which subsequently initiates an infinite debugger loop."

This article is a contributed piece from one of our valued partners.
Indicators of Compromise
- ip — 162.220.234.41
- ip — 162.220.234.66
- ip — 162.220.232.57
- ip — 162.220.232.99
- ip — 162.220.232.235
- malware — EvilTokens
- mitre_attack — T1110.004
- mitre_attack — T1598.003