Ethical Hacking News
A recent device code phishing campaign has targeted Microsoft 365 identities across five countries, with over 340 organizations affected. The attackers are leveraging Cloudflare Workers redirects and Railway to exploit legitimate infrastructure for credential harvesting. Users are advised to scan sign-in logs, revoke refresh tokens, and block authentication attempts from Railway infrastructure to combat this threat.
Key points:
* The active device code phishing campaign has targeted over 340 organizations across five countries.
* The attackers are using Cloudflare Workers redirects to capture sessions and redirect them to Railway's PaaS offering, turning it into a credential harvesting engine.
* The attack exploits the OAuth device authorization flow to grant persistent access tokens that remain valid even after a password reset.
* The phishing campaign was first spotted in February 2026 and has escalated in pace since then.
* Multiple Russia-aligned groups have been attributed to these attacks, including Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare.
* The campaign uses anti-bot and anti-analysis techniques to evade detection while exfiltrating browser cookies on page load.
Device code phishing has become a significant threat to Microsoft 365 identities, with a recent campaign targeting over 340 organizations across five countries. According to cybersecurity researchers at Huntress, the active device code phishing campaign was first spotted on February 19, 2026, and since then, it has escalated in pace.
The attackers are leveraging Cloudflare Workers redirects, capturing sessions, and redirecting them to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway. This effectively turns Railway into a credential harvesting engine. The campaign is targeting various sectors, including construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government.
The device code phishing technique exploits the OAuth device authorization flow to grant the attacker persistent access tokens. These tokens remain valid even after the account's password is reset, allowing the attackers to seize control of victim accounts. The attack method works as follows:
* Threat actor requests a device code from the identity provider (e.g., Microsoft Entra ID) via the legitimate device code API.
* The service responds with a device code.
* Threat actor creates a persuasive email and sends it to the victim, urging them to visit a sign-in page ("microsoft[.]com/devicelogin") and enter the device code.
* After the victim enters the provided code along with their credentials and two-factor authentication (2FA) code, the service generates an access token and a refresh token for the user.
* Once the victim has completed the sign-in, the resulting tokens are held at the OAuth token API endpoint and can be retrieved by whoever presents the correct device code, which is the threat actor who requested it in the first step.
The use of device code phishing was first observed by Microsoft and Volexity in February 2025, with subsequent waves documented by Amazon Threat Intelligence and Proofpoint. Multiple Russia-aligned groups have been attributed to these attacks, including Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare.
The campaign detected by Huntress originated from a small cluster of Railway.com IP addresses, with three of them accounting for roughly 84% of observed events. The starting point of the attack is a phishing email that wraps malicious URLs within legitimate security vendor redirect services from Cisco, Trend Micro, and Mimecast to bypass spam filters and trigger a multi-hop redirect chain.
The landing sites prompt the victim to proceed to the legitimate Microsoft device code authentication endpoint and input a provided code in order to read some files. The code is rendered directly on the page when the victim arrives. This iteration of the tactic is interesting as, normally, the adversary must produce and then provide the code to the victim.
The landing page also comes with a "Continue to Microsoft" button that, when clicked, opens a pop-up window rendering the legitimate Microsoft authentication endpoint ("microsoft[.]com/devicelogin").
Huntress has since attributed the Railway attack to a new phishing-as-a-service (PhaaS) platform known as EvilTokens, which made its debut last month on Telegram. Besides advertising tools to send phishing emails and bypass spam filters, the EvilTokens dashboard provides customers with open redirect links to vulnerable domains to obscure the phishing links.
To combat this threat, users are advised to scan sign-in logs to hunt for Railway IP logins, revoke all refresh tokens for affected users, and block authentication attempts from Railway infrastructure if possible. The disclosure comes as Palo Alto Networks Unit 42 also warned of a similar device code phishing campaign, highlighting the attack's use of anti-bot and anti-analysis techniques to fly under the radar while exfiltrating browser cookies to the threat actor on page load.
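The triage the article recommends (hunt sign-in logs for device-code sign-ins from the hosting provider's address space, then revoke refresh tokens for the affected users) can be scripted against an export of Entra sign-in logs. The following is an added example written for this page, not code from Huntress, Microsoft or any of the sources above. It assumes records in the shape of the Microsoft Graph `signIn` resource, where `authenticationProtocol` is `"deviceCode"` for device-code sign-ins; the address ranges in `SUSPECT_NETWORKS` and the sample log records are constructed placeholders, since the article names Railway but does not publish the IP addresses involved, and the severity scheme is the author's own assumption.

```python
"""Hunt a JSON-lines export of Entra sign-in logs for device-code sign-ins
from suspect hosting ranges and list the users whose tokens should be revoked.
Added example for this article; field names follow the Microsoft Graph signIn
resource, IP ranges and sample records are constructed placeholders."""
import ipaddress
import json
from collections import defaultdict

# Constructed placeholder ranges (RFC 5737 documentation space). The article does not
# publish the Railway addresses; substitute the ranges seen in your own sign-in data.
SUSPECT_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample records in Graph signIn shape, one JSON object per line.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.17",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-03-01T09:12:00Z",
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.44",
     "authenticationProtocol": "oAuth2", "createdDateTime": "2026-03-01T09:15:00Z",
     "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.9",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-03-01T10:02:00Z",
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.9",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-03-01T10:05:00Z",
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.200",
     "authenticationProtocol": "oAuth2", "createdDateTime": "2026-03-01T11:40:00Z",
     "appDisplayName": "Microsoft Teams"},
])


def from_suspect_network(ip: str) -> bool:
    """True if the address falls inside one of the configured suspect ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed ipAddress field
        return False
    return any(addr in net for net in SUSPECT_NETWORKS)


def triage(jsonl: str) -> dict:
    """Map each userPrincipalName to its list of findings.

    Severity (assumed scheme, not from the article):
      high   - device-code sign-in from a suspect range: matches the campaign pattern
      medium - device-code sign-in elsewhere: legitimate for headless devices, review it
      low    - non-device-code sign-in from a suspect range: context only
    """
    findings = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        is_device_code = rec.get("authenticationProtocol") == "deviceCode"
        suspect = from_suspect_network(rec.get("ipAddress", ""))
        if is_device_code and suspect:
            severity = "high"
        elif is_device_code:
            severity = "medium"
        elif suspect:
            severity = "low"
        else:
            continue
        findings[rec["userPrincipalName"]].append({
            "severity": severity,
            "ip": rec.get("ipAddress"),
            "time": rec.get("createdDateTime"),
            "app": rec.get("appDisplayName"),
        })
    return dict(findings)


def users_to_revoke(findings: dict) -> list:
    """Users with at least one high-severity finding. Because device-code tokens
    survive a password reset, the response is token revocation (e.g. the Graph
    revokeSignInSessions action), not a password change alone."""
    return sorted(u for u, items in findings.items()
                  if any(f["severity"] == "high" for f in items))


if __name__ == "__main__":
    result = triage(SAMPLE_SIGNINS)
    for user, items in sorted(result.items()):
        for f in items:
            print(f"{f['severity']:<6} {user:<20} {f['ip']:<16} {f['time']} {f['app']}")
    print("revoke refresh tokens for:", ", ".join(users_to_revoke(result)))
```

Run against a real export, a device-code sign-in from outside the suspect ranges is not proof of compromise (the flow is legitimate for printers, TVs and CLI tools), which is why the script separates it as medium severity for review rather than automatic revocation; if the tenant has no business need for the flow at all, blocking it with a Conditional Access policy removes the ambiguity.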
The earliest observation of the campaign dates back to February 18, 2026. The phishing page disables right-click functionality, text selection, and drag operations and blocks keyboard shortcuts for developer tools (F12, Ctrl+Shift+I/C/J) and source viewing (Ctrl+U).
Related Information:
https://www.ethicalhackingnews.com/articles/Device-Code-Phishing-Campaign-A-Threat-to-Microsoft-365-Identities-Across-Five-Countries-ehn.shtml
https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html
https://malwaretips.com/threads/device-code-phishing-hits-340-microsoft-365-orgs-across-five-countries-via-oauth-abuse.140490/
https://en.wikipedia.org/wiki/Cozy_Bear
https://attack.mitre.org/groups/G0016/
https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/
https://cybersecuritynews.com/multiple-russian-actors-attacking-orgs-to-hack-microsoft-365-accounts/
https://www.uctoday.com/collaboration/russian-hackers-use-microsoft-teams-to-phish-365-accounts/
https://www.volexity.com/blog/tag/uta0307/
https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
https://cybersecuritynews.com/new-device-code-phishing-attack-exploit-device-code-authentication/
Published: Wed Mar 25 08:13:21 2026 by llama3.2 3B Q4_K_M