An extensive Microsoft 365 phishing campaign abusing the OAuth device code flow has impacted more than 340 organizations across the United States, Canada, Australia, New Zealand, and Germany. According to Huntress, malicious activity was first detected on 19 February 2026 and has since scaled steadily, leveraging cloud infrastructure to automate large-scale credential and token theft.
Scope of the Microsoft 365 Device Code Phishing Attacks
The campaign targets organizations in a wide range of sectors, including construction, non-profit, property development and real estate, manufacturing, financial services, healthcare, legal firms, and government entities. This diversity indicates an opportunistic focus on access to corporate email and cloud data, rather than a narrow industry-specific objective.
Attackers are actively abusing Cloudflare Workers to route traffic and relying on the PaaS provider Railway as a back-end platform for credential harvesting. Huntress reports that a small cluster of Railway IP addresses is responsible for most activity, with approximately 84% of observed events linked to only three IPs, simplifying detection for defenders who know what to look for.
What Is OAuth Device Code Phishing and Why Is It So Dangerous?
Device code phishing exploits the legitimate OAuth device authorization flow, originally designed for devices that cannot easily display a full login page, such as smart TVs or IoT appliances. The user is shown a short device code and instructed to enter it at a trusted Microsoft URL such as microsoft[.]com/devicelogin.
The critical risk is that the attacker, not the victim, controls the underlying OAuth request. Once the user enters the code and approves access, the adversary receives long-lived OAuth access and refresh tokens tied to the victim’s Microsoft 365 account. These tokens often remain valid even after a password reset, enabling persistent, passwordless access to email, OneDrive, SharePoint, and other cloud resources.
Similar device code phishing techniques were documented by Microsoft and Volexity in early 2025, with subsequent activity reported by Amazon Threat Intelligence and Proofpoint. Several campaigns have been associated with Russia-linked threat groups such as Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare, underlining the growing interest of advanced attackers in token-based compromises.
Attack Chain: From Email to Stolen Microsoft 365 OAuth Tokens
Abusing Cloudflare Workers, Railway, and Trusted Redirects
The attack begins with a phishing email that conceals the malicious URL behind redirect services operated by well-known security vendors such as Cisco, Trend Micro, and Mimecast. Because these redirectors are widely trusted and frequently whitelisted, they help the message bypass spam filters and build credibility with end users.
Clicking the link triggers a redirection sequence through compromised websites, Cloudflare Workers, and platforms such as Vercel, culminating in a final device code phishing landing page. These pages are tailored to realistic business scenarios: construction tenders, DocuSign-style document signing, voicemail notifications, or Microsoft Forms alerts.
In every case, the user is prompted to “view files” or “access documents” and is presented with a pre-generated device code directly on the page. This detail indicates server-side automation and lowers friction for victims, who do not need to initiate any login flow themselves.
A “Continue to Microsoft” button then opens a pop-up window pointing to the legitimate microsoft[.]com/devicelogin endpoint. Authentication occurs entirely on Microsoft infrastructure, so the browser address bar and TLS certificate appear genuine. When the victim enters the device code, it binds their account’s tokens to an OAuth request that the attacker already initiated via API, silently granting the adversary long-term access.
Nearly all observed device code phishing pages are hosted on workers[.]dev domains, showing how threat actors exploit the inherent trust in Cloudflare’s ecosystem to evade corporate web filtering and traffic inspection.
EvilTokens: Phishing-as-a-Service Driving Industrialized Cloud Account Theft
Huntress links the Railway-based infrastructure to a new phishing-as-a-service (PhaaS) platform known as EvilTokens. Launched via Telegram in the past month, EvilTokens offers customers ready-made tooling to run campaigns: phishing email distribution, spam filter evasion, and centralized management via a web dashboard.
The service also supplies open-redirect links on vulnerable domains, adding another obfuscation layer to disguise malicious URLs. Notably, EvilTokens advertises 24/7 support and feedback channels, illustrating the continued professionalization of cybercrime, where advanced phishing capabilities are commoditized and sold to less skilled actors.
Advanced Evasion: Anti-Bot, Anti-Analysis, and Researcher Countermeasures
In parallel, researchers from Unit 42 (Palo Alto Networks) reported a related device code phishing operation first observed on 18 February 2026. These pages incorporate a comprehensive set of anti-bot and anti-analysis techniques, and silently exfiltrate browser cookies to attackers when the page loads, increasing the potential impact.
The phishing sites block right-click, text selection, drag-and-drop, and keyboard shortcuts commonly used to open developer tools or view HTML source (including F12, Ctrl+Shift+I/C/J, and Ctrl+U). They also detect active DevTools by monitoring browser window dimensions; when analysis is suspected, the scripts trigger an infinite debugger loop, disrupting both human investigators and automated scanners.
For organizations relying on Microsoft 365, defenders are advised to review sign-in logs for authentications from Railway IP ranges, revoke all refresh tokens for impacted users, and, where feasible, block authentication attempts from Railway infrastructure. Equally important is security awareness: employees should be trained to treat unexpected requests to enter a device code with caution and to confirm the context, even when the login page is hosted on a legitimate Microsoft domain.
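A defender-side triage script for the sign-in log review just described (an added example, not code from Huntress or Unit 42): it walks constructed Entra sign-in records, keeps those whose authenticationProtocol is deviceCode, flags the ones from placeholder suspect IP ranges, lists users whose refresh tokens should be revoked, and measures source IP concentration. The field names follow the Microsoft Graph signIn schema; the log lines and the suspect range are constructed placeholders, to be replaced with the Railway ranges named in the report.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample sign-in records (not real data). Field names follow the
# Microsoft Graph signIn resource; authenticationProtocol == "deviceCode"
# marks a device code flow sign-in, status.errorCode == 0 a success.
SAMPLE_SIGNINS = [
    '{"userPrincipalName": "a.jones@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "createdDateTime": "2026-02-19T09:14:02Z", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "b.khan@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "createdDateTime": "2026-02-19T09:31:47Z", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "c.lee@example.com", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "createdDateTime": "2026-02-19T10:02:11Z", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "d.ortiz@example.com", "ipAddress": "192.0.2.44", "authenticationProtocol": "oAuth2", "createdDateTime": "2026-02-19T10:05:30Z", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "e.wang@example.com", "ipAddress": "203.0.113.12", "authenticationProtocol": "deviceCode", "createdDateTime": "2026-02-19T10:40:00Z", "status": {"errorCode": 50126}}',
]

# Hypothetical placeholder: a documentation prefix standing in for the Railway
# ranges named in the report; replace with the real ranges before use.
SUSPECT_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def is_suspect_ip(ip, ranges=SUSPECT_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def find_device_code_signins(lines, ranges=SUSPECT_RANGES):
    """All device code flow sign-ins, tagged with success and suspect-range flags."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # other protocols are out of scope for this hunt
        hits.append({
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "time": rec["createdDateTime"],
            "success": rec.get("status", {}).get("errorCode", 0) == 0,
            "suspect_range": is_suspect_ip(rec["ipAddress"], ranges),
        })
    return hits

def users_to_revoke(hits):
    """Accounts with a successful device code sign-in from a suspect range."""
    return sorted({h["user"] for h in hits if h["success"] and h["suspect_range"]})

def top_source_ips(hits, n=3):
    """Source concentration: the campaign clustered on a handful of IPs."""
    return Counter(h["ip"] for h in hits).most_common(n)

if __name__ == "__main__":
    hits = find_device_code_signins(SAMPLE_SIGNINS)
    print("revoke refresh tokens for:", users_to_revoke(hits))
    print("top device code source IPs:", top_source_ips(hits))
```

Failed device code attempts are kept in the hit list so an analyst sees the targeting, but only successful sign-ins from a suspect range drive the revocation list.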
Given the rapid growth of PhaaS platforms and the sophistication of token-focused phishing, organizations should strengthen governance around OAuth applications, implement conditional access policies (for example, enforcing strong MFA and device compliance checks), and continuously monitor for anomalous sign-in patterns, unusual OAuth consent, and atypical token usage. Combined with regular user training, these measures significantly reduce the likelihood of successful token compromise and long-term cloud account takeover.