AI-Driven Microsoft 365 Device Code Phishing Abused Railway to Steal OAuth Tokens
Huntress reported a large phishing operation that used Railway cloud infrastructure to compromise Microsoft 365 accounts at hundreds of organizations by abusing Microsoft's legitimate device authorization (device code) flow. The victim completes the device-code prompt, including any MFA challenge, in their own browser, while the attacker's client redeems the code and receives the OAuth access and refresh tokens. Because those refresh tokens remain valid for up to 90 days and were issued after the victim satisfied MFA, the attackers could keep access without the victims' passwords and, in many cases, without triggering a further MFA prompt. Researchers identified at least 344 victim organizations (roughly 350 compromises) across the U.S., Canada, Australia, New Zealand, and Germany, with activity accelerating sharply in early March 2026 and continuing at more than 50 compromises per day even after initial disruption efforts.
The operation used highly varied, likely AI-generated lures delivered through email, QR codes, file-share themes, compromised websites, multi-hop redirects, and workers.dev pages to evade filtering and scale quickly. Huntress linked the activity to the EvilTokens phishing-as-a-service platform, which advertised Office 365 capture links, SMTP delivery, B2B sender services, AI-assisted phishing workflows, and open redirects. In response, Huntress pushed Conditional Access protections to about 60,000 Microsoft cloud tenants, blocked additional attack attempts, and urged defenders to prioritize identity-layer monitoring, token revocation, blocking Railway-owned infrastructure, restricting device code authentication, and enabling Continuous Access Evaluation.
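The identity-layer monitoring the summary calls for comes down to two questions in the Entra ID sign-in log: which users completed a device-code sign-in at all, and whether their tokens were then used from an IP the victim never touched. The script below is an added example written for this page, not tooling from Huntress, Microsoft or the EvilTokens operators. It reads a constructed JSON-lines export whose field names follow the Entra sign-in schema (authenticationProtocol, ipAddress, userPrincipalName, createdDateTime) but whose users, timestamps and IPs are invented; the 24-hour pairing window and the "different IP equals replay" heuristic are assumptions to tune per tenant.

```python
"""Hunt Entra ID sign-in logs for device-code sign-ins followed by token use
from an unfamiliar IP. Added example for this page; not Huntress or Microsoft
tooling. Field names follow the Entra sign-in log schema; the records are
constructed and the IPs are documentation ranges."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (JSON lines): a routine sign-in, the victim
# completing a device-code prompt from the corporate egress IP, and two
# minutes later a non-interactive token use from an unrelated IP abroad.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2026-03-03T08:02:11Z", "userPrincipalName": "a.lee@example.com", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "isInteractive": true}
{"createdDateTime": "2026-03-03T09:15:40Z", "userPrincipalName": "a.lee@example.com", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "isInteractive": true}
{"createdDateTime": "2026-03-03T09:17:02Z", "userPrincipalName": "a.lee@example.com", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "DE"}, "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Office", "isInteractive": false}
{"createdDateTime": "2026-03-03T11:40:00Z", "userPrincipalName": "b.kim@example.com", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook", "isInteractive": true}
"""


def parse_signins(jsonl):
    """Parse JSON-lines sign-in records, attach a datetime, sort by time."""
    records = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def device_code_signins(records):
    """Every sign-in completed through the device authorization flow.
    In a tenant that does not use device code (headless CLI logins are the
    usual legitimate source), each hit deserves a look on its own."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def replay_candidates(records, window=timedelta(hours=24)):
    """Pair each device-code sign-in with later sign-ins by the same user
    from a different IP inside the window. The victim completes the prompt
    from their own IP; the attacker's polling client then redeems the code
    and uses the tokens from infrastructure the victim never touched."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(r)
    findings = []
    for upn, recs in by_user.items():
        for dc in recs:
            if dc.get("authenticationProtocol") != "deviceCode":
                continue
            for later in recs:
                delta = later["_ts"] - dc["_ts"]
                if delta <= timedelta(0) or delta > window:
                    continue
                if later["ipAddress"] != dc["ipAddress"]:
                    findings.append({
                        "user": upn,
                        "device_code_at": dc["createdDateTime"],
                        "device_code_ip": dc["ipAddress"],
                        "replay_at": later["createdDateTime"],
                        "replay_ip": later["ipAddress"],
                        "replay_country": later.get("location", {}).get("countryOrRegion"),
                        "app": later.get("appDisplayName"),
                    })
    return findings


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    print(f"{len(device_code_signins(recs))} device-code sign-in(s)")
    for f in replay_candidates(recs):
        print("possible token replay:", json.dumps(f))
```

On the constructed data the script reports one device-code sign-in and one replay candidate for a.lee@example.com, with the tokens used from a German IP two minutes after the prompt was completed from the US egress address. A hit like that is the trigger for the revocation step the summary recommends: revoke the user's refresh tokens and sign-in sessions, then review what the tokens reached before revocation. Restricting the device code flow through Conditional Access removes the entry point for users who have no legitimate need for it.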

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes technical analysis of AI-enabled device code phishing
Microsoft Defender Security Research published a detailed report on the widespread device code phishing campaign, linking it to the EvilTokens phishing-as-a-service ecosystem and describing AI-generated lures, dynamic device code generation, and Railway-backed automation. The report also revealed post-compromise activity including Microsoft Graph reconnaissance, malicious inbox rules, email exfiltration, and in some cases registration of new devices to obtain Primary Refresh Tokens for persistence.
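The inbox rules mentioned above leave a trail in the Microsoft 365 unified audit log as New-InboxRule and Set-InboxRule operations, and the rules attackers create share a small set of tells: forwarding to an external address, deleting or hiding matching mail, and marking filtered mail as read. The checker below is an added example for this page, not Microsoft's or Huntress's detection content. Its three audit records are constructed to resemble Exchange Online audit events (Operation, UserId, ClientIP, Parameters as Name/Value pairs) with invented users and addresses; the hiding-folder list and the set of internal domains are assumptions to adjust for your tenant.

```python
"""Flag suspicious inbox rules in Microsoft 365 unified audit log records.
Added example for this page; not Microsoft or Huntress tooling. The records
are constructed to resemble Exchange Online audit events for New-InboxRule
and Set-InboxRule; values are invented. Address parsing also accepts the
"[SMTP:user@domain]" form the audit log uses for recipients."""
import json
import re

# Folders attackers use to park mail the victim is unlikely to notice (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                  "junk email", "archive", "conversation history"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

# Constructed sample: an exfiltration rule, a benign project rule, and a
# rule that hides helpdesk/security mail in RSS Subscriptions.
SAMPLE_AUDIT = """\
{"CreationTime": "2026-03-03T09:31:12", "Operation": "New-InboxRule", "UserId": "a.lee@example.com", "ClientIP": "198.51.100.77", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"}, {"Name": "ForwardTo", "Value": "[SMTP:collector@mail.example.net]"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2026-03-03T10:02:55", "Operation": "New-InboxRule", "UserId": "b.kim@example.com", "ClientIP": "203.0.113.22", "Parameters": [{"Name": "Name", "Value": "Project Atlas"}, {"Name": "From", "Value": "atlas-team@example.com"}, {"Name": "MoveToFolder", "Value": "Projects/Atlas"}]}
{"CreationTime": "2026-03-03T10:45:03", "Operation": "Set-InboxRule", "UserId": "c.ng@example.com", "ClientIP": "198.51.100.80", "Parameters": [{"Name": "Identity", "Value": "Cleanup"}, {"Name": "FromAddressContainsWords", "Value": "helpdesk;security"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "MarkAsRead", "Value": "True"}]}
"""


def parse_audit(jsonl):
    """Parse JSON-lines audit records."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def rule_parameters(rec):
    """Flatten the audit log's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def rule_findings(rec, internal_domains):
    """Return the list of reasons a single inbox-rule event looks malicious."""
    p = rule_parameters(rec)
    reasons = []
    for key in FORWARD_KEYS:
        if key in p:
            external = [a for a in ADDR_RE.findall(p[key])
                        if a.rsplit("@", 1)[1].lower() not in internal_domains]
            if external:
                reasons.append(f"{key} to external {','.join(external)}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder {p['MoveToFolder']}")
    filtered = any(k in p for k in ("SubjectContainsWords", "FromAddressContainsWords", "From"))
    if p.get("MarkAsRead", "").lower() == "true" and filtered:
        reasons.append("MarkAsRead on filtered mail")
    return reasons


def suspicious_inbox_rules(records, internal_domains):
    """Evaluate every New-InboxRule / Set-InboxRule event and keep the hits."""
    out = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        reasons = rule_findings(rec, internal_domains)
        if reasons:
            out.append({"user": rec["UserId"], "ip": rec.get("ClientIP"),
                        "operation": rec["Operation"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for hit in suspicious_inbox_rules(parse_audit(SAMPLE_AUDIT), {"example.com"}):
        print(json.dumps(hit))
```

On the constructed records the benign Project Atlas rule passes and the other two are flagged: a.lee's rule forwards invoice and wire mail to an external address and deletes the original, and c.ng's rule hides helpdesk and security mail in RSS Subscriptions and marks it read. Joining the ClientIP of a hit against the replay IPs from the sign-in log hunt ties rule creation back to the stolen token, which is the evidence that the compromise progressed beyond token theft to active mailbox control.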
Huntress says campaign continues despite Railway takedowns
By March 23, 2026, Huntress said it had identified 344 victims and was still seeing more than 50 compromises per day tied to Railway phishing domains. It also reported blocking 113 additional attempted compromises on top of roughly 350 compromises observed over the prior two weeks, indicating the campaign remained active after Railway's response.
Huntress publishes report on hundreds of compromised organizations
On March 20, 2026, Huntress publicly disclosed that the campaign had compromised more than 340 organizations across the U.S., Canada, Australia, New Zealand, and Germany. The report detailed how attackers used device code phishing to obtain long-lived access and refresh tokens that can persist beyond password resets and are not stopped by MFA alone.
Huntress links campaign to EvilTokens phishing-as-a-service
Huntress later attributed the Railway-based attack activity to the EvilTokens phishing-as-a-service platform. The service was described as offering Office 365 capture links, SMTP sending, open redirects, B2B sender features, and AI-assisted phishing workflows.
Huntress deploys tenant protections against Railway phishing domains
As the campaign expanded, Huntress pushed Conditional Access policy protections to eligible Microsoft 365 tenants, including updates sent to about 60,000 cloud tenants to block sign-ins and token use originating from Railway-owned infrastructure. The mitigations were intended to disrupt token theft and replay from the observed Railway IPs and domains.
Huntress notifies Railway about malicious infrastructure
Railway said Huntress first contacted the company on March 6, 2026 about attacker abuse of its platform. After the notification, Railway banned associated accounts and blocked domains tied to the phishing activity.
Phishing activity surges across organizations
Huntress reported a sharp increase in campaign activity beginning around March 2-3, 2026, as the attackers scaled highly varied phishing lures including email, QR code, and file-share themed content. The surge marked the start of widespread compromises affecting organizations in multiple countries.
Railway-based Microsoft 365 phishing campaign begins with isolated cases
Huntress observed the first isolated cases of a Microsoft 365 device code phishing campaign on February 19 and 24, 2026. The operation used Railway-hosted infrastructure to harvest and replay OAuth tokens obtained through Microsoft's legitimate device authorization flow.
Sources
7 references tracked.
Hundreds compromised daily in Microsoft device code phishes (The Register)
go.theregister.com
Inside an AI-enabled device code phishing campaign (Microsoft Security Blog)
microsoft.com
Arctic Wolf Tracking Threat Actors Abusing Railway PaaS for Microsoft 365 Token Compromise (Arctic Wolf)
arcticwolf.com
Microsoft 365 Under Siege: Phishing Campaign Bypasses MFA Across 5 Countries (TechRepublic)
techrepublic.com
Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse (The Hacker News)
thehackernews.com
An AI-powered phishing campaign has compromised hundreds of organizations (CyberScoop)
cyberscoop.com
Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure (Huntress)
huntress.com