Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
#Security

Security Reporter
3 min read

A sophisticated phishing campaign leveraging device code authentication has compromised over 340 Microsoft 365 organizations across five countries, using legitimate OAuth flows to bypass security controls and maintain persistent access even after password resets.

Cybersecurity researchers are warning about an active device code phishing campaign that has compromised more than 340 Microsoft 365 organizations across the United States, Canada, Australia, New Zealand, and Germany. The campaign, first spotted by Huntress on February 19, 2026, has rapidly expanded and targets organizations across construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government sectors.

What makes this campaign particularly concerning is its sophisticated use of legitimate Microsoft infrastructure to bypass traditional security controls. The attackers exploit the OAuth device authorization flow, a legitimate authentication method typically used for devices without web browsers, to gain persistent access to victim accounts.

How Device Code Phishing Works

The attack exploits a legitimate Microsoft authentication endpoint (microsoft[.]com/devicelogin) through a multi-step process:

  1. The attacker requests a device code from Microsoft Entra ID via the legitimate device code API
  2. A phishing email is sent to victims containing a link to the Microsoft device code page
  3. Victims are prompted to enter a provided device code along with their credentials and 2FA
  4. Microsoft generates access and refresh tokens for the attacker
  5. These tokens remain valid even after the victim changes their password

The persistence of refresh tokens is what makes this technique so dangerous. Even if victims reset their passwords, the attacker retains access through the valid tokens until they expire or are explicitly revoked.

Infrastructure and Delivery Methods

The campaign uses a sophisticated infrastructure that includes:

  • Railway PaaS hosting: Three IP addresses (162.220.234.41, 162.220.234.66, 162.220.232.57) account for 84% of observed events
  • Cloudflare Workers redirects: Used to obscure the attack chain and leverage trusted domains
  • Multi-hop redirect chains: Involving compromised sites, Vercel, and other intermediaries
  • Open redirect abuse: Malicious URLs wrapped in legitimate security vendor redirect services from Cisco, Trend Micro, and Mimecast

Attackers have automated much of the process, including rendering device codes directly on landing pages to eliminate the need for manual code delivery. The landing pages mimic legitimate Microsoft interfaces and include "Continue to Microsoft" buttons that open authentic authentication pop-ups.
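The multi-hop redirect chains described above can be unwrapped statically, without following any link, because each wrapper carries its next hop as a percent-encoded query value. The following Python is an added example, not code from the article, Huntress or any vendor; the wrapper URL format and the PaaS domain suffixes (workers.dev, vercel.app, railway.app) are assumptions made for the illustration, and the sample URL is constructed.

```python
"""Unwrap nested redirect URLs and flag chains that hop through PaaS/edge hosts.

Added example (not from the article). The wrapper URL format below is
constructed; real vendor redirect services each use their own parameter names,
so the extractor simply looks for any query value that is itself an http(s) URL.
"""
from urllib.parse import urlparse, parse_qs

# Platforms named in the article as redirect intermediaries. The domain suffixes
# are an assumption for the example; a hop through them is a signal, not proof.
PAAS_HOST_SUFFIXES = ("workers.dev", "vercel.app", "railway.app")


def extract_embedded_url(url):
    """Return the first query-string value of `url` that is itself an http(s) URL."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:  # parse_qs has already percent-decoded one layer
            if value.startswith(("http://", "https://")):
                return value
    return None


def unwrap_chain(url, max_hops=10):
    """Follow embedded URLs statically (no network) until none remain or a loop appears."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = extract_embedded_url(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def assess_chain(url):
    """Summarise a URL's redirect chain: hop count, hosts, PaaS hops, and a verdict."""
    chain = unwrap_chain(url)
    hosts = [urlparse(hop).hostname or "" for hop in chain]
    paas_hops = [h for h in hosts if h.endswith(PAAS_HOST_SUFFIXES)]
    return {
        "hops": len(chain),
        "hosts": hosts,
        "paas_hops": paas_hops,
        "suspicious": len(chain) > 1 and bool(paas_hops),
    }


# Constructed sample: a vendor-style wrapper -> Cloudflare Worker -> Vercel landing page.
SAMPLE_WRAPPED_URL = (
    "https://redirect.example-vendor.test/v1/url?u="
    "https%3A%2F%2Fworker-abc.workers.dev%2Fr%3Fto%3D"
    "https%253A%252F%252Flogin-page.vercel.app%252Fverify"
)

if __name__ == "__main__":
    print(assess_chain(SAMPLE_WRAPPED_URL))
```

Each layer of wrapping adds one level of percent-encoding, which is why the innermost hop in the sample is double-encoded; `parse_qs` strips exactly one layer per hop, so the chain is recovered hop by hop rather than by blind repeated decoding. The final host is the one to compare against your allow-list, not the trusted vendor domain at the front of the chain.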

Attribution and Context

Huntress has attributed this campaign to a new phishing-as-a-service (PhaaS) platform called EvilTokens, which launched last month on Telegram. EvilTokens provides customers with phishing tools, email sending capabilities, spam filter bypass techniques, and open redirect links to vulnerable domains.

The device code phishing technique itself was first documented by Microsoft and Volexity in February 2025 and has since been adopted by multiple Russia-aligned groups including Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare.

Attacker Anti-Analysis Techniques

Palo Alto Networks Unit 42 has also observed similar campaigns using advanced anti-analysis techniques:

  • Disabling right-click functionality, text selection, and drag operations
  • Blocking developer tool shortcuts (F12, Ctrl+Shift+I/C/J)
  • Detecting active developer tools via window size heuristics
  • Initiating infinite debugger loops when analysis is detected
  • Exfiltrating browser cookies on page load
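A URL sandbox or triage script can score fetched page scripts for the behaviours in this list before an analyst opens them. The Python below is an added example, not code from the article or Unit 42; the indicator regexes, the threshold and both sample scripts are constructed for illustration.

```python
"""Score a page's JavaScript for the anti-analysis behaviours described above.

Added example (not from the article or Unit 42). The indicator patterns and the
sample scripts are constructed for illustration; tune the threshold to your
sandbox's false-positive tolerance, since `document.cookie` alone is common
in benign pages.
"""
import re

# One pattern per behaviour named in the article (constructed regexes).
INDICATORS = {
    "context_menu_disabled": re.compile(r"['\"]contextmenu['\"]|oncontextmenu\s*=", re.I),
    "text_selection_blocked": re.compile(r"['\"]selectstart['\"]|user-select\s*:\s*none", re.I),
    "drag_blocked": re.compile(r"['\"]dragstart['\"]|ondragstart\s*=", re.I),
    "devtools_shortcuts_blocked": re.compile(
        r"keyCode\s*===?\s*123|['\"]F12['\"]|ctrlKey\s*&&\s*\w+\.shiftKey", re.I),
    "devtools_size_heuristic": re.compile(
        r"outerWidth\s*-\s*\w+\.innerWidth|outerHeight\s*-\s*\w+\.innerHeight", re.I),
    "debugger_loop": re.compile(r"\bdebugger\b", re.I),
    "cookie_access": re.compile(r"document\.cookie", re.I),
}


def scan_script(source):
    """Return the sorted list of indicator names that match `source`."""
    return sorted(name for name, pattern in INDICATORS.items() if pattern.search(source))


def score_script(source, threshold=3):
    """Flag a script when at least `threshold` distinct indicators are present."""
    hits = scan_script(source)
    return {"hits": hits, "count": len(hits), "flag": len(hits) >= threshold}


# Constructed sample mirroring the listed behaviours (not a real kit's code).
SUSPICIOUS_JS = r"""
document.addEventListener('contextmenu', e => e.preventDefault());
document.addEventListener('selectstart', e => e.preventDefault());
document.addEventListener('dragstart', e => e.preventDefault());
document.addEventListener('keydown', function (e) {
  if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey)) e.preventDefault();
});
setInterval(function () {
  if (window.outerWidth - window.innerWidth > 160) { debugger; }
}, 500);
window.addEventListener('load', function () { var c = document.cookie; });
"""

# Constructed benign sample: reads a cookie for a preference, nothing else.
BENIGN_JS = "var theme = document.cookie.split('theme=')[1];"

if __name__ == "__main__":
    print(score_script(SUSPICIOUS_JS))
    print(score_script(BENIGN_JS))
```

Counting distinct behaviours rather than raw matches keeps a single `document.cookie` read from flagging an ordinary page, while the combination of a `debugger` statement, a window-size check and blocked keyboard shortcuts is rarely seen outside kits that expect to be inspected.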

Mitigation Strategies

Organizations can defend against device code phishing through several approaches:

  1. Monitor authentication logs for logins from Railway IP addresses
  2. Revoke all refresh tokens for affected users immediately
  3. Block authentication attempts from Railway infrastructure where possible
  4. Implement conditional access policies to restrict device code authentication
  5. Educate users about device code phishing techniques and warning signs
  6. Deploy advanced phishing protection that can detect multi-hop redirect chains
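The first four steps above, together with the token behaviour described under "How Device Code Phishing Works", can be expressed as one triage-and-remediate routine. The Python below is an added example, not code from the article, Huntress or Microsoft. It assumes sign-in records shaped like the Microsoft Graph `signIn` resource (`ipAddress`, `authenticationProtocol` with the value `deviceCode`, `status.errorCode`), uses the three Railway IP addresses quoted in the article, and builds the Graph `revokeSignInSessions` request and a Conditional Access policy body with `authenticationFlows.transferMethods` set to `deviceCodeFlow`. The sample records are constructed, and nothing in the block contacts the network.

```python
"""Triage Entra sign-in records for device code abuse, and build the two
remediation requests the article recommends: revoking refresh tokens and a
Conditional Access policy that restricts the device code flow.

Added example (not from the article, Huntress or Microsoft). Record fields follow
the Microsoft Graph `signIn` resource (`ipAddress`, `authenticationProtocol`,
`status.errorCode`); the records themselves are constructed. Nothing here touches
the network: the functions return request bodies for the caller to send.
"""

# The three Railway-hosted addresses quoted in the article.
RAILWAY_IPS = {"162.220.234.41", "162.220.234.66", "162.220.232.57"}

# Constructed sample sign-in records (subset of Graph signIn fields).
SAMPLE_SIGNINS = [
    {"id": "s1", "createdDateTime": "2026-02-20T09:12:03Z",
     "userPrincipalName": "alice@contoso.test", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"id": "s2", "createdDateTime": "2026-02-20T09:40:51Z",
     "userPrincipalName": "alice@contoso.test", "ipAddress": "162.220.234.41",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"id": "s3", "createdDateTime": "2026-02-20T10:02:17Z",
     "userPrincipalName": "bob@contoso.test", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"id": "s4", "createdDateTime": "2026-02-20T10:15:44Z",
     "userPrincipalName": "carol@contoso.test", "ipAddress": "162.220.232.57",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 50126}},
]


def triage(signins):
    """Return one finding per sign-in that touches the campaign's indicators.

    high:   successful device-code sign-in from a Railway IP (tokens issued to attacker infra)
    medium: successful sign-in with only one of the two indicators
    low:    failed attempt matching an indicator (worth watching, no tokens issued)
    """
    findings = []
    for record in signins:
        reasons = []
        if record.get("ipAddress") in RAILWAY_IPS:
            reasons.append("railway_ip")
        if record.get("authenticationProtocol") == "deviceCode":
            reasons.append("device_code_flow")
        if not reasons:
            continue
        succeeded = record.get("status", {}).get("errorCode", 0) == 0
        if not succeeded:
            severity = "low"
        elif len(reasons) == 2:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"id": record["id"], "user": record["userPrincipalName"],
                         "ip": record.get("ipAddress"), "reasons": reasons,
                         "severity": severity})
    return findings


def users_to_revoke(findings):
    """Users whose refresh tokens should be revoked now: every high-severity finding."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


def revoke_sessions_request(user_principal_name):
    """Graph request that invalidates a user's refresh tokens and session cookies.
    A password reset alone does not do this, which is why the article's step 2 matters."""
    return {
        "method": "POST",
        "url": f"https://graph.microsoft.com/v1.0/users/{user_principal_name}/revokeSignInSessions",
    }


def device_code_block_policy(break_glass_group_ids=()):
    """Conditional Access policy body blocking the device code flow for everyone
    except the supplied break-glass groups. Created in report-only mode so the
    impact on legitimate browserless devices can be reviewed before enforcing."""
    return {
        "displayName": "Block device code authentication flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(break_glass_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    results = triage(SAMPLE_SIGNINS)
    for finding in results:
        print(finding)
    for upn in users_to_revoke(results):
        print(revoke_sessions_request(upn))
```

Only successful sign-ins hand out refresh tokens, so the routine revokes for high-severity findings and merely records failed attempts from the listed infrastructure. The policy is deliberately returned in report-only state: device code authentication is legitimately used by some browserless and CLI scenarios, and the report-only period shows which of them would break before the block is enforced.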

The campaign highlights the evolving sophistication of phishing attacks and the need for organizations to look beyond traditional password-based security measures. As attackers continue to weaponize legitimate authentication flows, defenders must adapt their strategies to detect and prevent these more subtle forms of compromise.

The disclosure of this campaign coincides with increased awareness of OAuth-based attacks and the growing threat of phishing-as-a-service platforms that lower the barrier to entry for sophisticated phishing campaigns.
