{"id":387,"date":"2026-03-25T15:43:47","date_gmt":"2026-03-25T15:43:47","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=387"},"modified":"2026-03-25T15:43:47","modified_gmt":"2026-03-25T15:43:47","slug":"device-code-phishing-hits-340-microsoft-365-orgs-across-five-countries-via-oauth-abuse","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=387","title":{"rendered":"Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Cybersecurity researchers are calling attention to an active device code phishing campaign that&#8217;s targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany.<\/p>\n<p>The activity, per Huntress, was <a href=\"https:\/\/www.huntress.com\/blog\/railway-paas-m365-token-replay-campaign\" rel=\"noopener\" target=\"_blank\">first spotted<\/a> on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. 
Notably, the campaign leverages Cloudflare Workers redirects with captured sessions redirected to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway, effectively turning it into a credential harvesting engine.<\/p>\n<p>Construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government are some of the prominent sectors targeted as part of the campaign.\u00a0<\/p>\n<p>\u00abWhat also makes this campaign unusual is not just the device code phishing techniques involved, but the variety of techniques observed,\u00bb the company said. \u00abConstruction bid lures, landing page code generation, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms pages are all hitting the same victim pool through the same Railway.com IP infrastructure.\u00bb<\/p>\n<p>Device code phishing refers to a technique that exploits the <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/v2-oauth2-device-code\" rel=\"noopener\" target=\"_blank\">OAuth device authorization flow<\/a> to grant the attacker persistent access tokens, which can then be used to seize control of victim accounts. 
What&#8217;s significant about this attack method is that the tokens remain valid even after the account&#8217;s password is reset.<\/p>\n<p>At a high level, the <a href=\"https:\/\/www.huntress.com\/blog\/oh-auth-2-0-device-code-phishing-in-google-cloud-and-azure\" rel=\"noopener\" target=\"_blank\">attack<\/a> works as follows &#8211;<\/p>\n<ul>\n<li>The threat actor requests a device code from the identity provider (e.g., Microsoft Entra ID) via the legitimate device code API.<\/li>\n<li>The service responds with a device code.<\/li>\n<li>The threat actor creates a persuasive email and sends it to the victim, urging them to visit a sign-in page (\u00abmicrosoft[.]com\/devicelogin\u00bb) and enter the device code.<\/li>\n<li>After the victim enters the provided code, along with their credentials and two-factor authentication (2FA) code, the service creates an access token and a refresh token for the user.<\/li>\n<\/ul>\n<p>\u00abOnce the user has fallen victim to the phish, their authentication generates a set of tokens that now live at the OAuth token API endpoint and can be retrieved by providing the correct device code,\u00bb Huntress explained. 
\u00abThe attacker, of course, knows the device code because it was generated by the initial cURL request to the device code login API.\u00bb<\/p>\n<p>\u00abAnd while that code is useless by itself, once the victim has been tricked into authenticating, the resulting tokens now belong to anyone who knows which device code was used in the original request.\u00bb<\/p>\n<p>The use of device code phishing was first observed by Microsoft and Volexity in February 2025, with subsequent waves documented by Amazon Threat Intelligence and Proofpoint. These attacks have been attributed to multiple Russia-aligned groups tracked as Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare.<\/p>\n<p>The technique is insidious, not least because it leverages legitimate Microsoft infrastructure to perform the device code authentication flow, thereby giving users no reason to suspect anything could be amiss.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjuLn4vcy3nzM1vjAMcP7c_6MVrS7QlVg4yp_IRBiqYeTMmPU-dV_5K-l1s7y7CNsLoBn4RFX1VzGNhEvN6tIDGlYho3j2Nk6PxVipVh7j6XyK95P_IEDlbRQvohTRwm4Zka4WRRJB_el9nej0Vtet1HaFVKDLHid_h1noaszAVvKRmQ97x-CbYW83i0_E\/s1700-e365\/phish.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjuLn4vcy3nzM1vjAMcP7c_6MVrS7QlVg4yp_IRBiqYeTMmPU-dV_5K-l1s7y7CNsLoBn4RFX1VzGNhEvN6tIDGlYho3j2Nk6PxVipVh7j6XyK95P_IEDlbRQvohTRwm4Zka4WRRJB_el9nej0Vtet1HaFVKDLHid_h1noaszAVvKRmQ97x-CbYW83i0_E\/s1700-e365\/phish.jpg\" alt=\"\" border=\"0\" data-original-height=\"855\" data-original-width=\"1285\"\/><\/a><\/div>\n<p>In the campaign detected by Huntress, the authentication abuse originates from a small cluster of Railway.com IP addresses, with three of them accounting for roughly 84% of observed events 
&#8211;<\/p>\n<ul>\n<li>162.220.234[.]41<\/li>\n<li>162.220.234[.]66\u00a0<\/li>\n<li>162.220.232[.]57<\/li>\n<li>162.220.232[.]99<\/li>\n<li>162.220.232[.]235<\/li>\n<\/ul>\n<p>The starting point of the attack is a phishing email that wraps malicious URLs within legitimate <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/weaponizing-safe-links-abuse-of-multi-layered-url-rewriting-in-phishing-attacks\" rel=\"noopener\" target=\"_blank\">security vendor redirect services<\/a> from Cisco, Trend Micro, and Mimecast so as to bypass spam filters and trigger a multi-hop redirect chain featuring a combination of compromised sites, Cloudflare Workers, and Vercel as intermediaries before taking the victim to the final destination.<\/p>\n<p>\u00abThe observed landing sites prompt the victim to proceed to the legitimate Microsoft device code authentication endpoint and input a provided code in order to read some files,\u00bb Huntress said. \u00abThe code is rendered directly on the page when the victim arrives.\u00bb<\/p>\n<p>\u00abThis is an interesting iteration of the tactic, as, normally, the adversary must produce and then provide the code to the victim. 
By rendering the code directly on the page, likely by some code generation automation, the victim is immediately provided with the code and pretext for the attack.\u00bb<\/p>\n<p>The landing page also comes with a \u00abContinue to Microsoft\u00bb button that, when clicked, opens a pop-up window rendering the legitimate Microsoft authentication endpoint (\u00abmicrosoft[.]com\/devicelogin\u00bb).<\/p>\n<p>Almost every device code phishing site has been hosted on a Cloudflare workers[.]dev instance, illustrating how the threat actors are weaponizing the trust associated with the service in enterprise environments to sidestep web content filters. To combat the threat, administrators are advised to scan sign-in logs to hunt for Railway IP logins, revoke all refresh tokens for affected users, and block authentication attempts from Railway infrastructure if possible.<\/p>\n<p>Huntress has since attributed the Railway attack to a new phishing-as-a-service (PhaaS) platform known as EvilTokens, which made its debut last month on Telegram. 
Besides advertising tools to send phishing emails and bypass spam filters, the EvilTokens dashboard provides customers with open redirect links to vulnerable domains to obscure the phishing links.<\/p>\n<p>\u00abIn addition to rapid growth in tool functionality, the EvilTokens team has spun up a full 24\/7 support team and a support feedback channel,\u00bb the company said. \u00abThey also have customer feedback.\u00bb<\/p>\n<p>The disclosure comes as Palo Alto Networks Unit 42 also <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2026-03-23-%20Device-Code-based-OAuth-Phishing.txt\" rel=\"noopener\" target=\"_blank\">warned<\/a> of a similar device code phishing campaign, highlighting the attack&#8217;s use of anti-bot and anti-analysis techniques to fly under the radar, while exfiltrating browser cookies to the threat actor on page load. The earliest observation of the campaign dates back to February 18, 2026.<\/p>\n<p>The phishing page \u00abdisables right-click functionality, text selection, and drag operations,\u00bb the company said, adding it \u00abblocks keyboard shortcuts for developer tools (F12, Ctrl+Shift+I\/C\/J) and source viewing (Ctrl+U)\u00bb and \u00abdetects active developer tools by utilizing a window size heuristic, which subsequently initiates an infinite debugger loop.\u00bb<\/p>\n<div class=\"cf note-b\"><span class=\"\">This article is a contributed piece from one of our valued partners.<\/span><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers are calling attention to an active device code phishing campaign that&#8217;s targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and&hellip;<\/p>\n","protected":false},"author":1,"featured_media":388,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[383,10,8,539,825,147,381,882,390],"class_list":["post-387","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-abuse","tag-code","tag-countries","tag-device","tag-hits","tag-microsoft","tag-oauth","tag-orgs","tag-phishing"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/387","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=387"}],"version-histor
y":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/387\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/388"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}