
Cloudflare and Railway Infrastructure Abused in Microsoft 365 Credential Theft Campaign


Cybersecurity researchers are calling attention to an active device code phishing campaign that now targets Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany.

According to Huntress, the team first spotted the activity on February 19, 2026; since then, cases have increased at an accelerated pace. Notably, the campaign leverages Cloudflare Workers redirects, while it routes captured sessions to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway—effectively turning it into a credential harvesting engine.

Furthermore, the attackers actively target a wide range of sectors, including construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government.

“What also makes this campaign unusual is not just the device code phishing techniques involved, but the variety of techniques observed,” the company said. “Construction bid lures, landing page code generation, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms pages are all hitting the same victim pool through the same Railway.com IP infrastructure.”

How Device Code Phishing Works

In essence, device code phishing exploits the OAuth device authorization flow to grant attackers persistent access tokens, which then allow them to seize control of victim accounts. More importantly, these tokens remain valid even after users reset their passwords.

At a high level, the attack works as follows:

  • First, the threat actor requests a device code from the identity provider (e.g., Microsoft Entra ID) via the legitimate device code API.
  • Next, the service responds with a device code.
  • Then, the threat actor crafts a persuasive email and sends it to the victim, urging them to visit a sign-in page (“microsoft[.]com/devicelogin”) and enter the device code.
  • After that, the victim enters the provided code along with their credentials and two-factor authentication (2FA) code, prompting the service to generate an access token and a refresh token.

“Once the user has fallen victim to the phish, their authentication generates a set of tokens that now live at the OAuth token API endpoint and can be retrieved by providing the correct device code,” Huntress explained. “The attacker, of course, knows the device code because it was generated by the initial cURL request to the device code login API.”

“And while that code is useless by itself, once the victim has been tricked into authenticating, the resulting tokens now belong to anyone who knows which device code was used in the original request.”

Previously, researchers observed the use of device code phishing in February 2025, when multiple security teams began documenting similar activity. Since then, analysts have linked several Russia-aligned groups—Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare—to these attacks.

Notably, attackers rely on legitimate Microsoft infrastructure to execute the device code authentication flow, which significantly reduces user suspicion and increases success rates.

Railway Infrastructure and Attack Entry Point

In the campaign detected by Huntress, attackers launch authentication abuse from a small cluster of Railway.com IP addresses, with three of them accounting for roughly 84% of observed events:

  • 162.220.234[.]41
  • 162.220.234[.]66
  • 162.220.232[.]57
  • 162.220.232[.]99
  • 162.220.232[.]235

At the same time, the attack begins with a phishing email that wraps malicious URLs within legitimate security vendor redirect services from Cisco, Trend Micro, and Mimecast. As a result, attackers bypass spam filters and trigger a multi-hop redirect chain involving compromised sites, Cloudflare Workers, and Vercel before ultimately delivering the victim to the final destination.

Subsequently, the observed landing pages prompt victims to proceed to the legitimate Microsoft device code authentication endpoint and input a provided code.

“The observed landing sites prompt the victim to proceed to the legitimate Microsoft device code authentication endpoint and input a provided code in order to read some files,” Huntress said. “The code is rendered directly on the page when the victim arrives.”

“This is an interesting iteration of the tactic, as, normally, the adversary must produce and then provide the code to the victim. By rendering the code directly on the page, likely by some code generation automation, the victim is immediately provided with the code and pretext for the attack.”

Additionally, the landing page includes a “Continue to Microsoft” button that opens a pop-up window displaying the legitimate authentication endpoint (“microsoft[.]com/devicelogin”).

Abuse of Trusted Services and Mitigation Measures

Almost every device code phishing site operates on a Cloudflare workers[.]dev instance, highlighting how attackers weaponize trusted services in enterprise environments to bypass web content filters.

To mitigate the threat, organizations should:

  • Scan sign-in logs for Railway IP logins
  • Revoke all refresh tokens for affected users
  • Block authentication attempts from Railway infrastructure whenever possible
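As an added illustration of the first two mitigation steps (not code from Huntress or the original article), the following Python triages exported Entra ID sign-in records: it flags successful device code sign-ins from the Railway addresses listed above as high severity, other activity from those addresses as medium, and device code sign-ins from anywhere else for user confirmation, then lists the accounts whose refresh tokens should be revoked. The records are constructed for this example; the field names assume the Entra sign-in log export schema (`authenticationProtocol`, `ipAddress`, `userPrincipalName`, `status.errorCode`).

```python
import json

# Railway.com addresses named in the Huntress report (defanging brackets removed).
RAILWAY_IPS = {
    "162.220.234.41", "162.220.234.66", "162.220.232.57",
    "162.220.232.99", "162.220.232.235",
}

# Constructed sample records shaped like an Entra ID sign-in log export.
# The values are made up; only the field names follow the real schema.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "162.220.234.41",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "162.220.232.99",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.20",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "erin@example.com", "ipAddress": "162.220.234.66",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]

def load_signins(path):
    """Load a JSON array of sign-in records exported from the Entra portal."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def triage(records):
    """Return one finding per suspicious record, in input order."""
    findings = []
    for rec in records:
        ip = rec.get("ipAddress", "")
        proto = rec.get("authenticationProtocol", "")
        succeeded = rec.get("status", {}).get("errorCode") == 0
        from_railway = ip in RAILWAY_IPS
        if from_railway and proto == "deviceCode" and succeeded:
            sev, why = "high", "successful device code sign-in from Railway IP"
        elif from_railway:
            sev, why = "medium", "activity from Railway IP (failed or non-device-code)"
        elif proto == "deviceCode" and succeeded:
            sev, why = "low", "device code sign-in from other IP; confirm with user"
        else:
            continue
        findings.append({"severity": sev, "user": rec["userPrincipalName"],
                         "ip": ip, "reason": why})
    return findings

def users_to_revoke(findings):
    """Accounts whose refresh tokens should be revoked (high-severity hits)."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})

if __name__ == "__main__":
    hits = triage(SAMPLE_SIGNINS)
    for h in hits:
        print(f"[{h['severity']}] {h['user']} from {h['ip']}: {h['reason']}")
    print("revoke refresh tokens for:", users_to_revoke(hits))
```

Replace `SAMPLE_SIGNINS` with `load_signins("signins.json")` to run it over a real export; a high-severity hit means the password reset alone is insufficient until the user's refresh tokens are revoked.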

Rise of Phishing-as-a-Service: EvilTokens

Meanwhile, Huntress has attributed the campaign to a phishing-as-a-service (PhaaS) platform known as EvilTokens, which debuted last month on Telegram. In addition to offering tools for sending phishing emails and bypassing spam filters, the platform provides open redirect links to obscure malicious URLs.

“In addition to rapid growth in tool functionality, the EvilTokens team has spun up a full 24/7 support team and a support feedback channel,” the company said. “They also have customer feedback.”

Finally, researchers have identified a similar campaign that incorporates anti-bot and anti-analysis techniques to evade detection while exfiltrating browser cookies upon page load. The earliest observation of this activity dates back to February 18, 2026.

The phishing page “disables right-click functionality, text selection, and drag operations,” the company said, adding it “blocks keyboard shortcuts for developer tools (F12, Ctrl+Shift+I/C/J) and source viewing (Ctrl+U)” and “detects active developer tools by utilizing a window size heuristic, which subsequently initiates an infinite debugger loop.”

Source: TheHackerNews
