The campaign centres on what security specialists call device code phishing, a technique that turns a genuine Microsoft login feature into a trap. The feature was designed for devices such as smart televisions, printers and terminals that cannot easily complete a normal browser sign-in. Attackers generate a valid device code, lure a target to a convincing phishing page, and persuade that user to enter the code on Microsoft’s legitimate device login page. Once the target approves the request, the attackers receive valid access and refresh tokens, giving them account access without having to steal a password in the traditional way.
That distinction matters because it means the attackers are not exploiting a software flaw in Microsoft 365 itself. Microsoft said in earlier guidance on device code phishing that these attacks do not reflect a vulnerability in its code base, but rather the misuse of an industry-standard authentication flow. Even so, the effect for victims can be severe. Access tokens allow immediate entry into cloud resources, while refresh tokens can extend access for weeks, enabling email theft, internal reconnaissance and, in some cases, wider business email compromise activity.
Researchers at Huntress, which disclosed the latest campaign, said the activity spread sharply from a small number of incidents in late February to a much broader wave by March 2, cutting across sectors from law firms and construction businesses to healthcare, finance, manufacturing, nonprofits and public-sector bodies. CyberScoop reported Huntress believed the victims identified so far could represent only a fraction of the true total, suggesting the global footprint may be larger than the confirmed list.
Part of what has unsettled defenders is the way the infrastructure blends in with normal cloud traffic. Huntress said the campaign made heavy use of Railway, a platform-as-a-service provider better known for helping developers deploy applications quickly. Because Railway’s internet addresses belong to a legitimate cloud service, sign-ins originating from those systems may not immediately appear suspicious in automated risk scoring. Huntress described the platform as a “clean” token-harvesting engine from a defender’s perspective, giving attackers a way to stand up and rotate phishing infrastructure with unusual speed.
Railway told CyberScoop it was first contacted on March 6 about phishing traffic linked to a specific IP address and three domains, and said the associated accounts were banned and the domains blocked. A company engineer added that the firm’s anti-abuse systems are designed to detect repeated patterns such as shared payment details, code sources and overlapping infrastructure, but that a campaign avoiding those signals can travel further before it is stopped. That response points to a wider problem across cloud services: low-friction development platforms can become equally low-friction tools for cybercrime when identity checks and abuse controls lag behind attacker adaptation.
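Because a device code sign-in from a legitimate cloud provider's address can look routine to automated risk scoring, a practical detection keys on the authentication protocol rather than IP reputation. The following is an added example written for this article, not tooling from Huntress, Microsoft or Railway. It runs a small detector over constructed sign-in records shaped like Microsoft Graph signIn objects (the property names authenticationProtocol, ipAddress, riskLevelDuringSignIn and userPrincipalName are real Graph fields; the values and the corporate egress range are made up). Every device code sign-in is reported, with the severity raised when the source is outside the organisation's known egress, and the risk score is deliberately ignored.

```python
"""Flag device code flow sign-ins regardless of the provider's risk score."""
import ipaddress
from dataclasses import dataclass

# Constructed sample records (not real log data). The field names follow the
# Microsoft Graph 'signIn' resource; the users, IPs and timestamps are invented.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "riskLevelDuringSignIn": "none", "createdDateTime": "2026-03-02T09:14:00Z"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "riskLevelDuringSignIn": "none", "createdDateTime": "2026-03-02T09:20:00Z"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.22",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Teams",
     "riskLevelDuringSignIn": "none", "createdDateTime": "2026-03-02T10:02:00Z"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Office",
     "riskLevelDuringSignIn": "none", "createdDateTime": "2026-03-02T09:31:00Z"},
]

# Assumption: the organisation's own egress addresses. Replace with real ranges.
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Finding:
    user: str
    ip: str
    severity: str
    reason: str


def is_corporate(ip: str, ranges) -> bool:
    """True when the address falls inside a known corporate egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def detect_device_code_signins(signins, ranges=CORPORATE_RANGES):
    """Return one Finding per device code sign-in.

    The provider's risk score is intentionally not consulted: a clean score from
    a reputable cloud address is exactly the blind spot described above.
    """
    findings = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        ip = rec.get("ipAddress", "")
        inside = ip and is_corporate(ip, ranges)
        severity = "medium" if inside else "high"
        reason = ("device code flow from corporate egress" if inside
                  else "device code flow from non-corporate address "
                       f"(risk score was '{rec.get('riskLevelDuringSignIn')}')")
        findings.append(Finding(rec.get("userPrincipalName", "?"), ip, severity, reason))
    return findings


def users_with_follow_on_activity(signins, findings):
    """Users whose device code sign-in was followed by further sign-ins from the same IP.

    Continued use of an address after the initial device code approval is
    consistent with a harvested refresh token being exercised, and is worth a
    closer look during triage.
    """
    flagged = {(f.user, f.ip) for f in findings if f.severity == "high"}
    follow_on = set()
    for rec in signins:
        key = (rec.get("userPrincipalName"), rec.get("ipAddress"))
        if key in flagged and rec.get("authenticationProtocol") != "deviceCode":
            follow_on.add(key[0])
    return sorted(follow_on)


if __name__ == "__main__":
    results = detect_device_code_signins(SAMPLE_SIGNINS)
    for f in results:
        print(f"[{f.severity}] {f.user} from {f.ip}: {f.reason}")
    print("follow-on activity:", users_with_follow_on_activity(SAMPLE_SIGNINS, results))
```

Running the detector over the constructed records reports two device code sign-ins: alice at high severity from an address outside the corporate range, and carol at medium severity from inside it. The follow-on check then surfaces alice again, because the same address continued to sign in after the device code approval.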
Huntress later tied the Railway-linked activity to a phishing-as-a-service operation known as EvilTokens, which it said was advertised publicly in mid-February on Telegram channels. According to Huntress, the service offered customers tools branded as a “B2B Sender”, an “Office 365 Capture Link” and an “SMTP Sender”, alongside features aimed at tailoring lures and evading email filtering. That commercialisation is significant. It suggests the barrier to mounting advanced Microsoft 365 phishing operations is falling, with criminal operators packaging infrastructure, templates and support into rentable services.
The campaign also shows how identity attacks are evolving beyond the older narrative that MFA alone is enough. Microsoft has repeatedly warned over the past year that device code phishing and adversary-in-the-middle techniques can undermine authentication flows that are not phishing-resistant. In its guidance this month on large-scale phishing operations and earlier research into the Storm-2372 campaign, Microsoft urged organisations to move towards phishing-resistant authentication methods such as FIDO2 security keys, passkeys and Windows Hello for Business, while blocking device code flow where it is not required.
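The mitigation Microsoft points to, blocking device code flow where it is not needed, is expressed in Microsoft Entra as a Conditional Access policy whose authenticationFlows condition names deviceCodeFlow. The example below is added for this article and is not Microsoft's or Huntress's code. It builds such a policy body in the shape accepted by the Microsoft Graph conditionalAccessPolicy resource (the property names are real; the display name and the break-glass group id are placeholders), and includes an audit helper that reports whether an existing set of policies already blocks the flow for all users and applications in enforced mode.

```python
"""Build and audit a Conditional Access policy that blocks device code flow."""
import json

# Placeholder for a real break-glass / emergency access group object id.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def block_device_code_policy(excluded_group_ids, enforce=False):
    """Return a Graph conditionalAccessPolicy body that blocks device code flow.

    enforce=False yields report-only mode so the impact on legitimate devices
    (shared terminals, printers, TVs) can be measured before the block bites.
    """
    return {
        "displayName": "Block device code flow",  # placeholder name
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_findings(policy):
    """Return review findings for a device code block policy (empty means clean)."""
    findings = []
    cond = policy.get("conditions", {})
    if not cond.get("users", {}).get("excludeGroups"):
        findings.append("no break-glass group excluded; a misfire could lock out admins")
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (report-only or disabled)")
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in methods:
        findings.append("policy does not target deviceCodeFlow")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant control is not 'block'")
    return findings


def device_code_flow_blocked(policies):
    """True if any enforced policy blocks deviceCodeFlow for all users and apps."""
    for p in policies:
        cond = p.get("conditions", {})
        covers_everyone = (cond.get("users", {}).get("includeUsers") == ["All"]
                           and cond.get("applications", {}).get("includeApplications") == ["All"])
        targets_flow = "deviceCodeFlow" in cond.get("authenticationFlows", {}).get("transferMethods", "")
        blocks = "block" in p.get("grantControls", {}).get("builtInControls", [])
        if p.get("state") == "enabled" and covers_everyone and targets_flow and blocks:
            return True
    return False


if __name__ == "__main__":
    draft = block_device_code_policy([BREAK_GLASS_GROUP_ID])
    print(json.dumps(draft, indent=2))
    print("findings:", policy_findings(draft))
    print("already blocked:", device_code_flow_blocked([draft]))
```

The body returned by block_device_code_policy is what would be sent to the Graph endpoint that creates Conditional Access policies; starting in report-only mode, then promoting to enforced once the sign-in logs show no legitimate device code use, is the usual rollout order. The audit helper is the check to run against a tenant's existing policies before assuming the flow is already closed off.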
Also published on Medium.