
Cybersecurity researchers are calling attention to an active device code phishing campaign targeting Microsoft 365 IDs across more than 340 organizations in the United States, Canada, Australia, New Zealand, and Germany.
According to Huntress, this activity was first discovered on February 19, 2026, and subsequent cases have been occurring at an accelerated pace since then. Specifically, the campaign leverages Cloudflare Workers redirection to redirect captured sessions to infrastructure hosted on a platform-as-a-service (PaaS) product called Railway, effectively turning it into a credential harvesting engine.
Construction, nonprofit, real estate, manufacturing, financial services, healthcare, legal, and government are some of the prominent sectors targeted as part of the campaign.
“What also makes this campaign unusual is not only the device code phishing techniques involved, but also the diversity of techniques observed,” the company said. “Construction bid solicitation, landing page code generation, DocuSign spoofing, voicemail notifications, and Microsoft Forms page abuse all hit the same set of victims through the same Railway.com IP infrastructure.”
Device code phishing refers to a technique that can be used to exploit the OAuth device authentication flow to grant an attacker a persistent access token and take control of a victim account. The key to this attack method is that the token remains valid even after the account password is reset.
Broadly speaking, the attack works as follows.
Threat actors request a device code from an identity provider (such as Microsoft Entra ID) through the legitimate device code API, and the service responds with one. They then craft and send persuasive emails inviting victims to visit the genuine sign-in page (microsoft[.]com/devicelogin) and enter that code. Once the victim enters the code, along with their credentials and two-factor authentication (2FA) code, the service issues an access token and a refresh token for the user.
“When a user falls victim to a phishing attack, their authentication generates a series of tokens that reside in the OAuth token API endpoint and can be retrieved by providing the correct device code,” Huntress explained. “Of course, the attacker knows the device code because it was generated by the initial cURL request to the device code login API.”
“And while the code itself is useless, once the victim is tricked into authenticating, the resulting token belongs to the person who knows which device code was used in the original request.”
The use of device code phishing was first observed by Microsoft and Volexity in February 2025, with subsequent waves documented by Amazon Threat Intelligence and Proofpoint. Multiple Russian-linked groups tracked as Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare are believed to be responsible for these attacks.
This technique is insidious, particularly because it uses legitimate Microsoft infrastructure to carry out the device code authentication flow, leaving the user with no indication that anything is wrong.

In the campaigns detected by Huntress, the authentication abuse originated from a small cluster of Railway.com IP addresses, three of which accounted for approximately 84% of the observed events.
162.220.234[.]41, 162.220.234[.]66, 162.220.232[.]57, 162.220.232[.]99, 162.220.232[.]235
The starting point for the attack is a phishing email that wraps a malicious URL inside a legitimate URL-rewriting redirect service from a security vendor (Cisco, Trend Micro, or Mimecast). This helps the message slip past spam filters and kicks off a multi-hop redirect chain that passes through a compromised site, Cloudflare Workers, and Vercel as intermediaries before reaching the final landing page.
“The observed landing site prompts the victim to proceed to a legitimate Microsoft device code authentication endpoint and enter the provided code to read some files,” Huntress said. “When the victim arrives, the code will be displayed directly on the page.”
“This is an interesting iteration of this tactic. Typically, an adversary would have to create code and provide it to the victim. Displaying the code directly on the page, perhaps through automated code generation, instantly provides the victim with the code and excuse for the attack.”
The landing page also includes a “Continue to Microsoft” button which, when clicked, opens a pop-up window showing the genuine Microsoft authentication endpoint (microsoft[.]com/devicelogin).
Almost all of the device code phishing sites are hosted on Cloudflare workers[.]dev instances, showing how threat actors can weaponize the trust that enterprise environments place in such services to evade web content filters. To counter this threat, organizations are advised to scan sign-in logs for logins from Railway IP addresses, revoke all refresh tokens for affected users, and block authentication attempts from Railway infrastructure where possible.
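A defender-side triage of the sign-in log guidance above, written as an added example that is not part of the Huntress report or this article: it reads constructed records shaped like Microsoft Graph signIn objects (the authenticationProtocol and status.errorCode field names are assumed from that schema), matches source IPs against the Railway addresses named in the report plus a hypothetical /24 watch list, and returns which users need refresh-token revocation versus follow-up.

```python
import ipaddress
import json

# Railway.com addresses named in the Huntress report (defanged on the page, re-fanged here).
RAILWAY_IPS = {"162.220.234.41", "162.220.234.66", "162.220.232.57",
               "162.220.232.99", "162.220.232.235"}
# Hypothetical wider watch list (an assumption, not from the report): the /24s around those hosts.
WATCH_NETS = [ipaddress.ip_network(n) for n in ("162.220.234.0/24", "162.220.232.0/24")]

# Constructed sample records shaped like Microsoft Graph signIn objects; not real log data.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2026-02-20T14:02:11Z", "userPrincipalName": "alice@example.com",
  "ipAddress": "162.220.234.41", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-02-21T03:41:57Z", "userPrincipalName": "bob@example.com",
  "ipAddress": "162.220.232.99", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
 {"createdDateTime": "2026-02-21T16:20:00Z", "userPrincipalName": "carol@example.com",
  "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-02-22T11:05:30Z", "userPrincipalName": "dave@example.com",
  "ipAddress": "162.220.232.200", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
]""")

def ip_verdict(ip: str) -> str:
    """'known' for a listed Railway IP, 'watch' for an address in its /24, else 'other'."""
    if ip in RAILWAY_IPS:
        return "known"
    addr = ipaddress.ip_address(ip)
    return "watch" if any(addr in net for net in WATCH_NETS) else "other"

def triage(signins) -> dict:
    """Map each UPN to the strongest action warranted: revoke > review > monitor."""
    rank = {"revoke": 3, "review": 2, "monitor": 1}
    actions = {}
    for s in signins:
        success = s.get("status", {}).get("errorCode", 1) == 0
        verdict = ip_verdict(s["ipAddress"])
        device_code = s.get("authenticationProtocol") == "deviceCode"
        if success and verdict != "other":
            action = "revoke"   # a token was issued to the harvesting infrastructure
        elif success and device_code:
            action = "review"   # device-code sign-in from an unlisted IP; confirm with the user
        elif verdict != "other":
            action = "monitor"  # attempt from Railway address space that did not succeed
        else:
            continue
        upn = s["userPrincipalName"]
        if rank[action] > rank.get(actions.get(upn), 0):
            actions[upn] = action
    return actions
```

Feed it the JSON exported from the Entra sign-in log (Graph `/auditLogs/signIns`) in place of the constructed sample; users marked "revoke" are the ones whose refresh tokens should be invalidated first.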
Huntress has since attributed the Railway-based attacks to a new phishing-as-a-service (PhaaS) platform known as EvilTokens, which debuted on Telegram last month. In addition to advertising tools for sending phishing emails and bypassing spam filters, the EvilTokens dashboard provides customers with open redirect links on vulnerable domains to make phishing links less conspicuous.
“In addition to rapid growth in tool functionality, the EvilTokens team has launched a full 24/7 support team and support feedback channels,” the company said. “We also have customer feedback.”
The disclosure comes as Palo Alto Networks’ Unit 42 warns of a similar device code phishing campaign, noting that it flies under the radar by using anti-bot and anti-analysis techniques while exfiltrating browser cookies to the threat actors on page load. The earliest observation of this campaign dates back to February 18, 2026.
The company said the phishing page “disables right-click functionality, text selection, and drag operations,” “blocks developer tools keyboard shortcuts (F12, Ctrl+Shift+I/C/J) and view source (Ctrl+U),” and “utilizes window size heuristics to detect active developer tools and then initiates an infinite debugger loop.”
