Device Code Phishing: OAuth Abuse Hits 340+ Microsoft 365 Orgs

A new phishing campaign is sweeping across five countries — targeting over 340 Microsoft 365 organizations with a stealthy OAuth abuse technique known as device code phishing. This attack bypasses traditional password protections and leverages legitimate Microsoft infrastructure to harvest persistent access tokens.

What Is Device Code Phishing?

This technique exploits the OAuth device authorization flow, allowing attackers to:

  1. Request a device code from Microsoft Entra ID.
  2. Send a phishing email urging victims to visit microsoft.com/devicelogin and enter the code.
  3. Retrieve valid access and refresh tokens once the victim authenticates (including 2FA) — tokens that remain usable even if the password is later changed.

Campaign Highlights

  • First spotted: February 19, 2026 (Huntress)
  • Countries hit: U.S., Canada, Australia, New Zealand, Germany
  • Sectors targeted: Construction, finance, healthcare, legal, government, and more
  • Infrastructure abused:
    • Redirect chains via Cisco, Trend Micro, Mimecast
    • Cloudflare Workers and Vercel
    • Final credential harvesting via Railway.com IPs
  • Phishing lures: DocuSign impersonation, voicemail alerts, fake Microsoft Forms, construction bid requests

Technical Breakdown

  • Tokens persist: Even after password resets
  • Landing pages: Render device code directly on arrival
  • Authentication endpoint: Legitimate Microsoft login page
  • Anti-analysis: Blocks dev tools, disables right-click, uses infinite debugger loops

EvilTokens: Phishing-as-a-Service

The campaign is powered by EvilTokens, a Telegram-based PhaaS platform offering:

  • Open redirect links
  • Spam filter bypass tools
  • 24/7 customer support
  • Feedback channels for attackers

Defense Recommendations

  • Scan sign-in logs: Look for Railway.com IPs
  • Revoke refresh tokens: Immediately for affected users
  • Block Railway infrastructure: At the firewall level
  • Educate users: On OAuth-based phishing and device code abuse
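The two log-centred recommendations above (scan sign-in logs, then revoke refresh tokens for affected users) can be turned into a small triage step. The following is an added example, not code from the original post or from Huntress; it reads sign-in records shaped like the Microsoft Graph `signIn` resource (fields `authenticationProtocol`, `ipAddress`, `userPrincipalName`, `createdDateTime`, `appDisplayName`), flags device code sign-ins and sign-ins from a defender-maintained watch list of hosting ranges, and lists the users whose refresh tokens should be revoked. The sample records and the IP ranges are constructed; the post mentions Railway.com IPs but does not publish them, so the ranges are placeholders to be replaced with your own list.

```python
"""Triage Entra ID sign-in records for device code phishing indicators.

Added example for the post's defense recommendations. Record layout follows
the Microsoft Graph `signIn` resource; the records and IP ranges are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# Placeholder watch list (constructed, documentation ranges). Replace with the
# hosting ranges you decide to monitor; the post names Railway.com IPs but
# does not list them.
WATCHED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed sample sign-in records in Graph `signIn` shape.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-02-19T10:12:03Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.45", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-02-19T10:15:41Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook Web"},
    {"createdDateTime": "2026-02-19T11:02:17Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams"},
]


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    ip: str
    timestamp: str


def in_watched_range(ip: str) -> bool:
    """True if the address falls inside any watched hosting range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        # Malformed or empty ipAddress fields are not treated as a match.
        return False
    return any(addr in net for net in WATCHED_RANGES)


def triage(records: Iterable[dict]) -> List[Finding]:
    """Return one Finding per indicator seen in each sign-in record."""
    findings: List[Finding] = []
    for r in records:
        ip = r.get("ipAddress", "")
        user = r.get("userPrincipalName", "")
        ts = r.get("createdDateTime", "")
        # The device authorization flow shows up as its own protocol value.
        if r.get("authenticationProtocol") == "deviceCode":
            findings.append(Finding(user, "device code sign-in", ip, ts))
        if in_watched_range(ip):
            findings.append(Finding(user, "sign-in from watched hosting range", ip, ts))
    return findings


def users_to_revoke(findings: Iterable[Finding]) -> List[str]:
    """Users with a device code sign-in: a password reset alone does not
    invalidate the refresh token, so their sessions need explicit revocation."""
    return sorted({f.user for f in findings if f.reason == "device code sign-in"})


if __name__ == "__main__":
    results = triage(SAMPLE_SIGNINS)
    for f in results:
        print(f"{f.timestamp} {f.user} {f.ip}: {f.reason}")
    print("revoke sessions for:", users_to_revoke(results))
```

Feed it the JSON objects returned by the Graph sign-in log endpoint or an export from the portal. Revocation itself is done out of band, for example with the Graph `revokeSignInSession` action or the `Revoke-MgUserSignInSession` PowerShell cmdlet, which is why this script only produces the list rather than calling the API.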

Final Thought

Device code phishing is a wolf in OAuth clothing — leveraging trusted infrastructure to trick users into handing over persistent access. As phishing-as-a-service platforms like EvilTokens evolve, defenders must rethink token hygiene, redirect filtering, and user education.
