AI-Powered Phishing Campaign Compromised Microsoft Cloud Accounts at 344 Organizations
An AI-powered phishing campaign compromised Microsoft cloud accounts at 344 organizations worldwide, affecting entities across government, healthcare, finance, and construction. The operation reportedly had broad international reach and targeted Microsoft cloud environments at scale, indicating a coordinated effort to gain access to enterprise cloud accounts across multiple sectors.
Threat actors were reported to have weaponized Railway, an AI cloud-hosting service, to support the campaign. The activity had been underway since earlier in the month, and reporting indicated the attackers used the platform to help enable phishing operations against Microsoft cloud tenants on a global scale.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Railway disrupts infrastructure used in phishing campaign
Railway took action against the operation by cracking down on the accounts and domains used to support the AI-powered phishing campaign targeting Microsoft cloud accounts. The response followed reporting that attackers had used Railway’s platform to host credential-harvesting infrastructure.
344 organizations reported compromised in global Microsoft cloud campaign
By March 24, 2026, reporting indicated that the campaign had compromised the Microsoft cloud accounts of 344 organizations worldwide. Affected organizations spanned government, healthcare, finance, construction, and other sectors, showing broad international reach.
AI phishing campaign begins targeting Microsoft cloud accounts
A large-scale AI-powered phishing campaign began earlier in March 2026, targeting Microsoft cloud environments. The operation used Railway, an AI cloud-hosting service, to help support the attackers' activity.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Inside an AI‑enabled device code phishing campaign - Infosec.Pub
infosec.pub
Open sourceReport: Mounting financial fraud threat driven by cloud phones | brief | SC Media
scworld.com
Open sourceWidespread cloud environment compromise facilitated by Trivy supply chain hack | brief | SC Media
scworld.com
Open sourceTakedown fails to deter Tycoon2FA phishing kit revival | brief | SC Media
scworld.com
Open sourceOver 300 orgs impacted by global AI-powered phishing campaign | brief | SC Media
scworld.com
Open sourceIllicit VS Code projects tapped to deploy StoatWaffle malware | brief | SC Media
scworld.com
Open sourceCrypto heist against Resolv earns hacker about $24.5 million | brief | SC Media
scworld.com
Open sourceRansomware hits Trio-Tech's Singaporean subsidiary | brief | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI-Driven Microsoft 365 Device Code Phishing Abused Railway to Steal OAuth Tokens
Huntress reported a large phishing operation that used **Railway** cloud infrastructure to compromise Microsoft 365 accounts at hundreds of organizations by abusing Microsoft's legitimate device authorization flow. The campaign harvested and replayed OAuth access and refresh tokens, allowing attackers to maintain access for up to 90 days without needing victims' passwords and in many cases without being stopped by MFA. Researchers identified at least **344-350 victim organizations** across the U.S., Canada, Australia, New Zealand, and Germany, with activity accelerating sharply in early March and continuing at a rate of more than 50 compromises per day even after initial disruption efforts. The operation used highly varied, likely **AI-generated** lures delivered through email, QR codes, file-share themes, compromised websites, multi-hop redirects, and `workers.dev` pages to evade filtering and scale quickly. Huntress linked the activity to the **EvilTokens** phishing-as-a-service platform, which advertised Office 365 capture links, SMTP delivery, B2B sender services, AI-assisted phishing workflows, and open redirects. In response, Huntress pushed Conditional Access protections to about **60,000 Microsoft cloud tenants**, blocked additional attack attempts, and urged defenders to prioritize identity-layer monitoring, token revocation, blocking Railway-owned infrastructure, restricting device code authentication, and enabling **Continuous Access Evaluation**.
Apr 6, 2026
AI-Assisted Phishing Kits Targeting Microsoft and Google Users
A sophisticated phishing campaign has emerged, leveraging AI-assisted development to target Microsoft Outlook users, particularly Spanish speakers. The operation, active since March 2025, employs a modular phishing kit that mimics the Outlook login interface and uses real-time reconnaissance to enrich stolen credentials with IP and geolocation data. Stolen information is exfiltrated via Telegram bots and Discord webhooks, and the kit's evolution shows clear signs of AI-generated code, including clean structure and Spanish-language comments. Researchers identified the campaign through a unique mushroom emoji signature embedded in the phishing kit, which has been observed in over 75 deployments. In a parallel development, another phishing wave has exploited Google Cloud Application Integration to send convincing emails from legitimate Google addresses, bypassing traditional security filters. This campaign, uncovered by Check Point researchers, uses a multi-stage process: victims receive official-looking emails, are redirected through Google infrastructure, and ultimately land on a fake Microsoft login page designed to harvest credentials. The attack has targeted over 3,000 organizations globally, with significant activity in the United States, Asia-Pacific, and Europe. Both campaigns demonstrate the increasing sophistication and global reach of phishing operations using advanced technical methods and trusted platforms to deceive users.
Mar 21, 2026
Multi-Stage Phishing Campaigns Targeting Microsoft 365 and Cloud Services
A sophisticated, multi-stage phishing campaign has been observed targeting organizations globally to steal Microsoft 365 credentials. The operation, monitored since early November 2025, employs advanced evasion techniques such as nested PDFs, use of legitimate content delivery networks, and mouse tracking to bypass secure email gateways and multi-factor authentication. The final credential harvesting site is engineered to block security tools and analysts, and leverages legitimate Microsoft infrastructure to circumvent MFA, granting attackers immediate access to compromised accounts. These attacks highlight the increasing complexity of phishing operations and their ability to evade traditional security controls. In parallel, threat actors are exploiting free cloud hosting platforms like Cloudflare Pages to host convincing phishing portals impersonating banking and healthcare providers. These sites not only harvest credentials but also collect additional security information, such as answers to secret questions, and exfiltrate data via Telegram bots to evade detection. Attackers use compromised legitimate domains as redirectors, increasing the likelihood of bypassing spam filters and making takedown efforts more challenging. The convergence of advanced phishing techniques and abuse of trusted cloud services underscores the need for enhanced detection and response strategies for organizations relying on Microsoft 365 and similar platforms.
Mar 21, 2026