PROBABLYPWNED
Threat Intelligence · March 26, 2026 · 4 min read

Device Code Phishing Hits 340+ Microsoft 365 Orgs in 5 Countries

EvilTokens phishing platform targets Microsoft 365 identities across US, Canada, Australia, New Zealand, and Germany. OAuth abuse bypasses MFA to steal access tokens.

Alex Kowalski

An active device code phishing campaign has compromised Microsoft 365 identities across more than 340 organizations in five countries by abusing the OAuth 2.0 device authorization flow to obtain tokens that already satisfy the victim's multi-factor authentication requirement. Security researchers at Huntress first identified the campaign on February 19, 2026, and activity has accelerated since.

The operation targets organizations in the United States, Canada, Australia, New Zealand, and Germany, hitting construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government sectors.

How Device Code Phishing Works

Device code authentication (the OAuth 2.0 device authorization grant, RFC 8628) exists for legitimate scenarios: smart TVs, IoT devices, and other systems without full keyboards need a way to sign a user in. The client requesting access displays a short code; the user opens microsoft.com/devicelogin on a separate device with a browser (typically a phone or laptop), signs in, enters the code, and thereby authorizes whichever client requested it.

Attackers abuse this by:

  1. Requesting a device code (and the matching short user code) from Microsoft Entra ID's legitimate device authorization endpoint, using an ordinary public client ID
  2. Sending phishing emails that direct victims to the real Microsoft device login page
  3. Convincing victims to enter the attacker-provided user code and complete sign-in, including their MFA prompt
  4. Polling the token endpoint with the device code until Entra ID returns the victim's access and refresh tokens

Because victims authenticate on Microsoft's actual infrastructure and complete their real MFA prompts, the attack bypasses traditional phishing protections that flag lookalike domains. The code is only valid for a short window, so the lure has to get the victim to act quickly. Once issued, the refresh token lets the attacker keep obtaining new access tokens, and that access can survive a password reset unless the tokens are explicitly revoked.

EvilTokens: A New PhaaS Platform

Huntress attributed the Railway-based attack infrastructure to EvilTokens, a phishing-as-a-service (PhaaS) platform that debuted on Telegram in March 2026. The platform provides aspiring attackers with ready-made tooling for device code phishing without requiring technical expertise.

The Tycoon 2FA takedown we covered last week disrupted one major PhaaS operation, but EvilTokens demonstrates how quickly the ecosystem regenerates. New platforms emerge to fill enforcement gaps almost immediately.

Attack Infrastructure

The campaign uses a sophisticated redirect chain to evade detection:

  • Landing sites: Cloudflare Workers
  • Intermediaries: Vercel and compromised legitimate websites
  • Final payload: Railway.com infrastructure for credential harvesting
  • Trust enhancement: routing links through security vendors' URL services (Cisco, Trend Micro, Mimecast) so the first hop the victim sees is a trusted domain

Huntress identified several Railway IP addresses associated with the campaign:

  • 162.220.234[.]41
  • 162.220.234[.]66
  • 162.220.232[.]57
  • 162.220.232[.]99
  • 162.220.232[.]235

Organizations should consider blocking these specific addresses and alerting on sign-ins sourced from Railway's address space. A blanket block of Railway is likely to catch legitimate workloads hosted there, so treat the provider as a signal to investigate rather than an automatic deny.

Lure Variations

The threat actors employ multiple social engineering themes:

  • Construction bid requests
  • DocuSign impersonation
  • Voicemail notification alerts
  • Microsoft Forms abuse
  • Landing pages that display the device code and prompt the victim to enter it

This variety suggests either multiple operator groups using the same platform or deliberate A/B testing to optimize conversion rates across industries.

Russian Attribution

Multiple security vendors have linked device code phishing campaigns to Russia-aligned threat actors including Storm-2372, APT29 (Cozy Bear), UTA0304, UTA0307, and UNK_AcademicFlare. The targeting pattern and infrastructure choices align with previous Russian operations focused on government and critical infrastructure access.

Palo Alto Networks Unit 42 noted the campaign employs anti-analysis techniques including disabled right-click functionality, developer tool blocking, and debugger detection loops, which the researchers read as a sign of nation-state resources rather than commodity crime. Those browser-side tricks also appear in commodity phishing kits, so the attribution rests mainly on the targeting pattern and infrastructure overlap.

Detection and Response

If your organization may have been targeted:

  1. Scan Entra sign-in logs for successful sign-ins from the Railway IP addresses listed above, and separately for any sign-in whose authentication protocol is device code, regardless of source IP
  2. Revoke all refresh tokens for affected accounts immediately (Graph `revokeSignInSessions`, or `Revoke-MgUserSignInSession` in PowerShell); a password reset alone is not sufficient
  3. Block the device code flow itself with a Conditional Access policy, rather than relying only on blocking Railway source addresses
  4. Monitor for token abuse patterns indicating persistent access, such as refresh-token use from new locations or access to resources the user does not normally touch
  5. Review browser cookie exposure, since the lure pages exfiltrate cookies on page load

The persistent token problem requires specific attention. Unlike password-based compromises where changing credentials ends the attacker's access, OAuth refresh tokens remain valid until explicitly revoked, and access tokens already issued keep working until they expire (roughly an hour by default) unless the resource honors continuous access evaluation. Organizations must audit token grants, revoke sessions for affected users, and enable continuous access evaluation where possible.

Why This Matters

Device code phishing represents a fundamental challenge because it exploits legitimate authentication infrastructure. Users aren't visiting fake websites—they're authenticating on real Microsoft pages. The attack works precisely because MFA functions as designed.

Microsoft supports blocking the flow outright through a Conditional Access policy whose authentication flows condition targets the device code flow, but many organizations haven't enabled it. The OAuth abuse patterns we've tracked suggest that token-based attacks will intensify as password-only compromises become less valuable.
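For reference, this is what that Conditional Access policy looks like as a Graph request body, together with a small check for the ways such a policy is commonly left toothless. This is an added example, not Microsoft-published code: the body follows the Graph `conditionalAccessPolicy` schema (the `authenticationFlows.transferMethods` condition exists for exactly this purpose), but verify property names against the Graph API version your tenant exposes before posting it to `/identity/conditionalAccess/policies`. The display name and the break-glass account name are assumptions.

```python
"""Conditional Access policy that blocks the device code flow tenant-wide,
plus a lint for the usual reasons such a policy does not actually block.

Added example, not Microsoft-published code. Property names follow the Graph
conditionalAccessPolicy schema; verify against your tenant's API version."""
import json

BREAK_GLASS = ["breakglass@example.com"]   # assumption: your emergency-access account(s)


def device_code_block_policy(exclude_users=BREAK_GLASS, report_only=True) -> dict:
    """Policy body for POST /identity/conditionalAccess/policies.

    Start in report-only mode, review the sign-ins it would have blocked, then
    flip report_only=False. Legitimate device code users (conference-room
    devices, CLI tooling) show up in that review and can be scoped explicitly."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_gaps(policy: dict) -> list[str]:
    """Reasons this policy would NOT stop device code phishing; empty means it does."""
    gaps = []
    cond = policy.get("conditions", {})
    if policy.get("state") != "enabled":
        gaps.append("policy is not enforced (report-only or disabled)")
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in [m.strip() for m in methods.split(",")]:
        gaps.append("authenticationFlows condition does not include deviceCodeFlow")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        gaps.append("grant control is not 'block'")
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        gaps.append("policy does not target all users")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        gaps.append("policy does not target all applications")
    excluded = cond.get("users", {}).get("excludeUsers", [])
    if len(excluded) > len(BREAK_GLASS):
        gaps.append(f"{len(excluded)} excluded users remain phishable via device code")
    return gaps


if __name__ == "__main__":
    enforced = device_code_block_policy(report_only=False)
    print(json.dumps(enforced, indent=2))
    print("gaps:", policy_gaps(enforced))
```

The lint is worth running against every policy already in the tenant, not just the new one: a device code block that sits in report-only mode, or that includes only a pilot group, is the state many organizations are in when this campaign reaches them.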

For organizations facing elevated phishing risk, reviewing our practical phishing defense examples can help train users to recognize suspicious authentication requests before they complete the OAuth flow.
