A widespread device code phishing campaign is actively targeting Microsoft 365 identities in more than 340 organizations across the U.S., Canada, Australia, New Zealand, and Germany.
According to Huntress researchers, the campaign was first observed on February 19, 2026, and has accelerated since. The threat actors exploit Cloudflare Workers redirects combined with Railway.com PaaS infrastructure to turn legitimate authentication flows into credential-harvesting mechanisms.
Targeted Sectors
Industries impacted include:
- Construction
- Non-profits
- Real estate
- Manufacturing
- Financial services
- Healthcare
- Legal and government
This campaign combines multiple attack vectors, including construction bid lures, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms, all hosted through the same Railway.com IP infrastructure.
How Device Code Phishing Works
Device code phishing abuses the OAuth device authorization flow, allowing attackers to obtain persistent access tokens even if the user later resets their password.
Attack flow:
- Attacker requests a device code from Microsoft Entra ID via the legitimate API.
- Microsoft responds with a device code.
- Attacker sends a phishing email urging the victim to visit microsoft[.]com/devicelogin and enter the device code.
- The victim provides their credentials and 2FA code, generating access and refresh tokens.
- The attacker, knowing the original device code, retrieves the tokens from the OAuth API endpoint.

Huntress noted: “While the device code itself is useless, once the victim authenticates, the resulting tokens are fully controlled by the attacker.”
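The flow above leaves a trace defenders can use: Entra ID sign-in logs record which protocol completed a sign-in, so a device code sign-in by a user who has never used that flow before stands out. The Python below is an added example, not Huntress's tooling; the log records are constructed, and the field names follow the Microsoft Graph signIn shape (userPrincipalName, authenticationProtocol, ipAddress, appDisplayName, createdDateTime).

```python
"""Spot OAuth device code flow sign-ins in Microsoft Entra ID sign-in logs.

The records below are constructed for this example and mimic the shape of
Microsoft Graph signIn objects; every value is made up.
"""

# Constructed baseline: sign-ins from before the campaign window.
BASELINE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams",
     "createdDateTime": "2026-01-28T09:00:00Z"},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Azure CLI",
     "createdDateTime": "2026-02-03T14:10:00Z"},
]

# Constructed recent sign-ins to triage.
NEW_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office",
     "createdDateTime": "2026-02-20T11:32:00Z"},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Azure CLI",
     "createdDateTime": "2026-02-20T12:00:00Z"},
    {"userPrincipalName": "carol@example.test", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.30", "appDisplayName": "Outlook",
     "createdDateTime": "2026-02-20T12:05:00Z"},
]


def device_code_signins(events):
    """Return every sign-in completed through the device code flow."""
    return [e for e in events if e.get("authenticationProtocol") == "deviceCode"]


def first_time_device_code(events, baseline):
    """Device code sign-ins by users with no device code use in the baseline.

    A user suddenly authenticating via device code, with no history of doing
    so (e.g. for a CLI tool), is the pattern that merits an analyst's look.
    """
    known = {e["userPrincipalName"] for e in device_code_signins(baseline)}
    return [e for e in device_code_signins(events) if e["userPrincipalName"] not in known]


def triage_report(events, baseline):
    """Summarise findings as (user, app, ip, reason) tuples for a ticket."""
    known = {e["userPrincipalName"] for e in device_code_signins(baseline)}
    return [(e["userPrincipalName"], e["appDisplayName"], e["ipAddress"],
             "first device code use" if e["userPrincipalName"] not in known
             else "device code flow (seen before)")
            for e in device_code_signins(events)]


if __name__ == "__main__":
    for row in triage_report(NEW_SIGNINS, BASELINE_SIGNINS):
        print(*row, sep=" | ")
```

Where the device code flow is not needed at all, Entra Conditional Access can block it outright with the Authentication flows condition; this detection is for tenants that must still allow it for some users.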
Attribution and Observations
Device code phishing was first seen by Microsoft and Volexity in February 2025, with later waves tracked by Amazon Threat Intelligence and Proofpoint. Groups aligned with Russia—Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare—have been linked to these campaigns.
Huntress also published the Railway.com IP addresses observed in the campaign.
The phishing emails leverage multi-hop redirects through compromised sites and trusted security vendor links (Cisco, Trend Micro, Mimecast) to bypass spam filters.
Landing Page Techniques
Victims are directed to pages that:
- Generate device codes automatically on arrival
- Display a “Continue to Microsoft” button linking to microsoft[.]com/devicelogin
- Disable right-click, text selection, drag operations, and developer tools shortcuts (F12, Ctrl+Shift+I/C/J, Ctrl+U)
- Detect active dev tools using window-size heuristics and trigger infinite debugger loops
Platform and PhaaS Attribution
Huntress has linked the attack to a phishing-as-a-service (PhaaS) platform called EvilTokens, which debuted on Telegram last month. EvilTokens provides:
- Tools to craft phishing emails that bypass spam filters
- Open redirect links hosted on vulnerable domains
- 24/7 customer support and feedback channels
Palo Alto Networks Unit 42 corroborated similar device code phishing activity, emphasizing the campaign’s anti-bot and anti-analysis mechanisms, along with browser cookie exfiltration on page load.