A device code phishing campaign is targeting Microsoft 365 accounts in the U.S., Canada, Australia, New Zealand, and Germany. The most heavily targeted industries are construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government. The campaign uses Cloudflare Workers redirects to send captured sessions to infrastructure hosted on Railway, a platform-as-a-service (PaaS) offering.

These attacks have been linked to several Russia-aligned groups, including Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare. The technique is hard for users to spot because the device code authentication flow itself runs on legitimate Microsoft infrastructure: the victim types a code into a genuine Microsoft sign-in page, so nothing about the login looks wrong.

The attack works like this: the threat actor requests a device code from the identity provider (for example Microsoft Entra ID) through the legitimate device code API, which returns a user code together with a device code. The phishing site, hosted on a Cloudflare workers[.]dev instance, lures the victim into entering that user code on Microsoft's real device login page. Once the victim completes the sign-in there, the attacker's polling of the token endpoint succeeds and it receives the victim's access and refresh tokens, without ever touching the password or MFA prompt itself.

Huntress has since attributed the Railway-backed activity to EvilToken, a new phishing-as-a-service (PhaaS) platform. To defend against the threat, administrators should review sign-in logs for logins from Railway IP addresses, revoke all refresh tokens for affected users, and, where possible, block sign-in attempts originating from Railway infrastructure.
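The following is an added example, not code from the article or from Huntress, that shows what the log review and token revocation above look like in practice. It triages a constructed batch of Entra ID sign-in records (the Microsoft Graph signIn shape, trimmed to the fields that matter), flags sign-ins that used the device code flow or came from a listed hosting range, and builds the Graph `revokeSignInSessions` calls for users who completed a sign-in from a suspect range. The `SUSPECT_CIDRS` list is a placeholder using documentation ranges; the real Railway ranges must come from the vendor advisory or your own baselining, and the sample log records are made up.

```python
import ipaddress
import json

# Constructed sample of Entra ID sign-in records (Graph signIn resource, trimmed).
# These are made-up records for illustration, not real telemetry.
SAMPLE_SIGNIN_LOGS = json.loads("""
[
  {"createdDateTime": "2026-02-19T08:12:41Z", "userPrincipalName": "alice@example.com",
   "ipAddress": "203.0.113.25", "authenticationProtocol": "deviceCode",
   "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
  {"createdDateTime": "2026-02-19T08:13:05Z", "userPrincipalName": "bob@example.com",
   "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
   "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
  {"createdDateTime": "2026-02-19T09:40:12Z", "userPrincipalName": "carol@example.com",
   "ipAddress": "203.0.113.77", "authenticationProtocol": "deviceCode",
   "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
  {"createdDateTime": "2026-02-19T10:02:33Z", "userPrincipalName": "dave@example.com",
   "ipAddress": "192.0.2.14", "authenticationProtocol": "deviceCode",
   "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 0}}
]
""")

# Placeholder (assumption): CIDRs used by the PaaS hosting the phishing backend.
# 203.0.113.0/24 is a documentation range; replace with the ranges from the advisory.
SUSPECT_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def in_suspect_range(ip, cidrs=SUSPECT_CIDRS):
    """True if the source address falls inside any listed hosting range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)


def triage(records, cidrs=SUSPECT_CIDRS):
    """Return one finding per sign-in worth a look, in log order.

    reasons:  'deviceCode' - the device authorization grant was used at all
              'suspect_ip' - source address is in a listed hosting range
    succeeded: errorCode 0 means the IdP issued tokens for this sign-in.
    Failed attempts are kept (they show the lure was delivered) but not escalated.
    """
    findings = []
    for r in records:
        reasons = []
        if r.get("authenticationProtocol") == "deviceCode":
            reasons.append("deviceCode")
        if in_suspect_range(r["ipAddress"], cidrs):
            reasons.append("suspect_ip")
        if reasons:
            findings.append({
                "user": r["userPrincipalName"],
                "ip": r["ipAddress"],
                "time": r["createdDateTime"],
                "app": r.get("appDisplayName", ""),
                "reasons": reasons,
                "succeeded": r.get("status", {}).get("errorCode", 0) == 0,
            })
    return findings


def users_to_revoke(records, cidrs=SUSPECT_CIDRS):
    """Users who completed a sign-in from a suspect range: their refresh tokens
    are assumed compromised and must be revoked. Device-code sign-ins from
    unlisted addresses are left for manual review rather than auto-revoked."""
    users = {f["user"] for f in triage(records, cidrs)
             if f["succeeded"] and "suspect_ip" in f["reasons"]}
    return sorted(users)


def revocation_requests(users):
    """Build the Graph calls that invalidate every refresh token for each user.
    POST /users/{id|upn}/revokeSignInSessions takes no body; it needs an admin
    token with User.ReadWrite.All (or the equivalent directory role)."""
    return [("POST", f"{GRAPH_BASE}/users/{u}/revokeSignInSessions") for u in users]


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNIN_LOGS):
        print(f)
    for method, url in revocation_requests(users_to_revoke(SAMPLE_SIGNIN_LOGS)):
        print(method, url)
```

On the sample data only alice is queued for revocation: carol's attempt from the suspect range failed (error 50126, bad credentials), and dave used the device code flow from an unlisted address, which is worth a look but not an automatic revocation. In Microsoft Sentinel the first filter is the one-liner `SigninLogs | where AuthenticationProtocol == "deviceCode"`; after revocation, the same users should also be forced to re-register or re-verify MFA if the attacker had time to add a method.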

Palo Alto Networks Unit 42 disclosed a similar device code PhaaS campaign at the same time. That campaign used anti-bot and anti-analysis techniques to evade detection and stole browser cookies as soon as the page loaded. According to Unit 42, the campaign was first observed on February 18, 2026.