Device Code Phishing Campaign Targets Over 340 Microsoft 365 Organizations Across Five Countries
A sophisticated phishing campaign has been identified targeting Microsoft 365 users at more than 340 organizations in the United States, Canada, Australia, New Zealand, and Germany. The campaign relies on device code phishing, which abuses the OAuth 2.0 device authorization flow (a legitimate, documented feature rather than a software vulnerability) to obtain access and refresh tokens that give attackers persistent access to victim accounts.
Discovery and Tactics
Cybersecurity firm Huntress first detected this malicious activity on February 19, 2026. Since then, the frequency of these attacks has increased significantly. The perpetrators utilize Cloudflare Workers to redirect captured sessions to infrastructure hosted on Railway, a platform-as-a-service (PaaS) provider. This setup effectively transforms Railway into a credential harvesting engine.
The targeted sectors are diverse, including construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government entities. The attackers employ a range of lures, such as construction bid requests, landing page code generation, DocuSign impersonation, voicemail notifications, and the misuse of Microsoft Forms pages. Whatever the pretext, the goal is the same: get the victim to enter the attacker's code and complete sign-in on Microsoft's genuine login page. No fake login form is involved; the victim types their password into Microsoft's own page, and what the attacker collects is the resulting tokens.
Understanding Device Code Phishing
Device code phishing abuses the OAuth 2.0 device authorization flow (RFC 8628), a legitimate feature that lets a user sign in on behalf of a device with limited input capability, such as a smart TV, a printer, or a command-line tool on a headless server, by entering a short code in a browser on another device. In this attack, the process unfolds as follows:
1. Device Code Request: The attacker calls the identity provider's device authorization endpoint (for Microsoft Entra ID, the /devicecode endpoint) in the same way a legitimate client application would. This call needs no credentials, only a public client ID.
2. Device Code Issuance: The service responds with two codes, not one: a long device_code that only the calling client (here, the attacker) holds and later uses to poll for tokens, and a short user_code meant to be shown to the user, together with the verification URI and an expiry. For Entra ID the codes are valid for 15 minutes.
3. Phishing Email Dispatch: The attacker crafts a convincing email urging the recipient to visit the genuine sign-in page (e.g., microsoft[.]com/devicelogin) and enter the user code. The 15-minute window is why these lures press for immediate action and why campaigns mint fresh codes continuously.
4. User Authentication: The victim, believing the request to be genuine, enters the code on Microsoft's real page, then signs in with their credentials and completes any multi-factor authentication (MFA) challenge as usual. The page names the application whose client ID the attacker supplied in step 1, so nothing on it looks wrong.
5. Token Generation: Meanwhile the attacker's client polls the token endpoint with the device_code, receiving authorization_pending until the victim finishes. Once the victim has signed in, the service returns an access token and a refresh token, issued in the victim's name, to the attacker's client.
The attacker never sees the victim's password and does not need to: the tokens are what matter. The access token is short-lived, but the refresh token can be redeemed for new access tokens for as long as it remains valid. A password change alone is not a reliable remedy: access tokens already issued stay valid until they expire, and whether a refresh token survives depends on how the session was established and on the tenant's configuration. Treat a suspected device code compromise as a token-revocation problem (revoke the user's sign-in sessions), not just a password-reset problem.
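The five steps above, carried end to end as an added example (this is not Huntress's or Microsoft's code): a small in-memory identity provider stands in for Entra ID's device authorization and token endpoints and issues the device_code/user_code pair, the victim's sign-in approves the user code, and the attacker's polling loop redeems the device_code for tokens. Endpoint names, error strings, the 900-second code lifetime and the 5-second poll interval follow RFC 8628 and Entra ID's documented behaviour; the users, codes, tokens and the placeholder client ID are constructed. Running it with a victim delay past 900 seconds shows why the lures demand urgency: the code has expired and polling returns expired_token.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) as abused in device
code phishing. Added example, not Huntress or Microsoft code: a toy in-memory identity
provider stands in for Entra ID's /devicecode and /token endpoints, poll_for_tokens() is
the attacker's side. Users, codes, tokens and the client ID below are constructed."""
import secrets
from dataclasses import dataclass
from typing import Optional

DEVICE_CODE_TTL = 900   # Entra ID returns expires_in=900: the victim must act within 15 minutes
POLL_INTERVAL = 5       # Entra ID returns interval=5 (seconds between token-endpoint polls)
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class FakeClock:
    """Deterministic clock so the exchange runs instantly and offline."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


@dataclass
class PendingAuth:
    device_code: str     # long secret, returned only to the calling client (the attacker), used to poll
    user_code: str       # short code the victim is told to type at https://microsoft.com/devicelogin
    client_id: str       # the application the attacker claims to be; its name is shown on the sign-in page
    scope: str
    expires_at: float
    approved_by: Optional[str] = None


class IdentityProvider:
    """Minimal stand-in for the IdP. Nothing authenticates the caller of device_authorization()."""
    def __init__(self, clock):
        self.clock = clock
        self.pending = {}        # device_code -> PendingAuth
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """POST /oauth2/v2.0/devicecode (steps 1-2): anyone who knows a public client_id can call this."""
        p = PendingAuth(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ23456789") for _ in range(9)),
            client_id=client_id, scope=scope,
            expires_at=self.clock.now + DEVICE_CODE_TTL)
        self.pending[p.device_code] = p
        self.by_user_code[p.user_code] = p.device_code
        return {"device_code": p.device_code, "user_code": p.user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": DEVICE_CODE_TTL, "interval": POLL_INTERVAL}

    def user_signin(self, user_code, username, mfa_passed):
        """Step 4: the victim types the user code on the genuine page and signs in, MFA included.
        The victim authenticates to the real IdP, so MFA is satisfied rather than bypassed."""
        p = self.pending.get(self.by_user_code.get(user_code))
        if p is None or self.clock.now > p.expires_at or not mfa_passed:
            return False          # unknown code, code already expired, or MFA failed
        p.approved_by = username  # tokens will now be minted for this user, to whoever holds device_code
        return True

    def token(self, grant_type, client_id, device_code):
        """POST /oauth2/v2.0/token (step 5): RFC 8628 error codes until the victim has signed in."""
        p = self.pending.get(device_code)
        if grant_type != DEVICE_GRANT or p is None or p.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.clock.now > p.expires_at:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if p.approved_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]   # a device code is single use
        return {"token_type": "Bearer", "scope": p.scope, "expires_in": 3600,
                "access_token": f"at.{p.approved_by}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{p.approved_by}.{secrets.token_hex(8)}"}


def poll_for_tokens(idp, clock, client_id, device_code, interval):
    """The attacker's loop: keep polling until tokens arrive, the code expires, or a hard error."""
    while True:
        resp = idp.token(DEVICE_GRANT, client_id, device_code)
        if resp.get("error") not in ("authorization_pending", "slow_down"):
            return resp           # tokens, expired_token, invalid_grant or access_denied
        if resp["error"] == "slow_down":
            interval += 5         # RFC 8628 section 3.5: back off when told to
        clock.advance(interval)   # stands in for time.sleep(interval)


def run_phish(victim_delay_seconds, victim="alice@example.com"):
    """Whole exchange: the attacker mints a code, the lure goes out, the victim acts after
    victim_delay_seconds. Returns the attacker's final token-endpoint response."""
    clock = FakeClock()
    idp = IdentityProvider(clock)
    # Attackers name a well-known public client so the sign-in page shows a familiar app name;
    # this value is a placeholder, not a claim about which client this campaign used.
    client_id = "00000000-0000-0000-0000-0000deadbeef"
    code = idp.device_authorization(client_id, "openid profile offline_access")
    clock.advance(victim_delay_seconds)
    idp.user_signin(code["user_code"], victim, mfa_passed=True)
    return poll_for_tokens(idp, clock, client_id, code["device_code"], code["interval"])
```

run_phish(60) returns a token response whose access and refresh tokens are bound to the victim's identity even though the victim never interacted with the attacker's infrastructure; run_phish(901) returns {"error": "expired_token"}. Pointed at the real endpoints, poll_for_tokens() is exactly what a legitimate device-code client such as a CLI tool does, which is why the identity provider cannot distinguish the two from the protocol alone and why the decision has to be made by policy (blocking or scoping the flow) and by monitoring.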
Historical Context and Attribution
Device code phishing is not a new phenomenon. In February 2025, Microsoft and Volexity reported similar attacks. Subsequent campaigns were documented by Amazon Threat Intelligence and Proofpoint. Notably, several Russia-aligned groups, including Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare, have been linked to these attacks.
The insidious nature of this technique lies in its use of legitimate Microsoft infrastructure for the entire authentication step: the victim only ever interacts with the real sign-in page, on the real domain, with no typo-squatted lookalike and no proxy in the path. There is nothing for the user to spot, and URL-reputation filtering and credential-harvesting-page detections see nothing either.
Technical Details and Indicators of Compromise
In the campaign observed by Huntress, the token requests (the polling side of the flow, which is what appears as the source IP of the resulting sign-in event in the tenant's logs) originate from a small cluster of Railway.com IP addresses. Three of these addresses account for approximately 84% of the observed events:
– 162.220.234[.]41
– 162.220.234[.]66
– 162.220.232[.]57
The attack typically begins with a phishing email that wraps malicious URLs within legitimate-looking content, making it challenging for users to discern the threat.
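A triage pass over Entra ID sign-in log records, as an added example (not Huntress tooling), for what a defender does with IOCs like those above. The records are constructed to resemble Microsoft Graph signIn objects (authenticationProtocol, ipAddress, status.errorCode) and are not real log data; the three IOC addresses are the ones listed on this page, undefanged for matching. The logic flags every successful device code sign-in, ranks it high if the source IP is an IOC, medium if the IP has never appeared on that user's other successful sign-ins, and low otherwise, since a device code sign-in from a user's usual workstation (a CLI login) is normal where the flow is allowed.

```python
"""Triage of Entra ID sign-in log records for device code flow abuse. Added example, not
Huntress tooling. SAMPLE_SIGNINS is constructed to resemble Microsoft Graph `signIn` objects
and is not real log data; the IOC addresses are the ones published on this page."""
import ipaddress
from collections import defaultdict

IOC_IPS = {"162.220.234.41", "162.220.234.66", "162.220.232.57"}
DEVICE_CODE = "deviceCode"   # authenticationProtocol value Entra uses for this flow

SAMPLE_SIGNINS = [  # constructed: users, times and the non-IOC addresses are fictitious
    {"createdDateTime": "2026-02-18T09:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "OfficeHome", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T10:14:32Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "162.220.234.41", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T11:03:05Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T11:20:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.55", "authenticationProtocol": "oAuth2",
     "appDisplayName": "OfficeHome", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T11:25:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.55", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T11:40:00Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "162.220.234.66", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},  # failed sign-in
]


def familiar_ips(signins):
    """Per user, the source IPs of successful sign-ins that were NOT device code flow.
    In a device code event the logged IP is the polling client's, so a fresh IP there
    is the box that holds the device_code, not a user on a new network."""
    seen = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["authenticationProtocol"] != DEVICE_CODE:
            seen[s["userPrincipalName"]].add(s["ipAddress"])
    return seen


def find_device_code_abuse(signins, ioc_ips=IOC_IPS):
    """Return one finding per successful device code sign-in, most suspicious first."""
    baseline = familiar_ips(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != DEVICE_CODE or s["status"]["errorCode"] != 0:
            continue   # failed attempts deserve a look too, but only successes yield tokens
        user, ip = s["userPrincipalName"], s["ipAddress"]
        ipaddress.ip_address(ip)   # refuse malformed data rather than silently mis-matching
        reasons = []
        if ip in ioc_ips:
            reasons.append("source IP is a published Railway IOC")
        if ip not in baseline.get(user, set()):
            reasons.append("source IP never seen on this user's other successful sign-ins")
        severity = "high" if ip in ioc_ips else "medium" if reasons else "low"
        findings.append({"time": s["createdDateTime"], "user": user, "ip": ip,
                         "app": s["appDisplayName"], "severity": severity, "reasons": reasons})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["time"]))


if __name__ == "__main__":
    for f in find_device_code_abuse(SAMPLE_SIGNINS):
        print(f"{f['severity']:6} {f['time']} {f['user']:18} {f['ip']:15} {f['app']}: "
              f"{'; '.join(f['reasons']) or 'familiar IP, review only if the flow is not expected'}")
```

On the constructed sample this yields a high finding for alice (IOC address, never seen before), a medium one for bob (unknown address, no IOC match), and a low one for carol (device code login from her usual address), while dave's failed attempt from an IOC address is skipped; in practice that failure is also worth correlating, since it means a lure reached him. Feed the same logic exported Graph signIn records or a SigninLogs query filtered on AuthenticationProtocol == "deviceCode" to get the same ranking over real data.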
Mitigation Strategies
To protect against device code phishing attacks, organizations and individuals should consider the following measures:
1. User Education: Train users that a legitimate service will almost never email them a code to type into microsoft.com/devicelogin. A device code prompt they did not start themselves, on a device in front of them, should be reported rather than completed.
2. Multi-Factor Authentication (MFA): Keep MFA enforced everywhere, but understand its limit here: the victim completes the MFA challenge themselves on Microsoft's genuine page, so MFA alone does not stop this attack. It has to be paired with the Conditional Access controls below.
3. Monitor for Unusual Activity: Review sign-in logs for device code flow authentications (authentication protocol "Device Code" in Entra sign-in logs), especially from IP addresses the user has never used or from hosting providers, and for the IOC addresses above. On a confirmed compromise, revoke the user's sign-in sessions and refresh tokens (the revokeSignInSessions action in Microsoft Graph) as well as resetting the password, and review mailbox rules and OAuth application consents added since the sign-in.
4. Restrict Device Code Flow: If not required, block it. In Microsoft Entra ID this is a Conditional Access policy with the Authentication flows condition set to Device code flow and a Block grant. Deploy it in report-only mode first to find the few legitimate uses (typically CLI tools on headless hosts or shared devices) and exclude only those.
5. Implement Conditional Access Policies: Beyond blocking the flow, require compliant or Entra-joined devices for access to sensitive resources and use sign-in risk policies. The attacker's polling client carries no trusted device identity, so device-based requirements deny the token even when the victim authenticates correctly.
Conclusion
The recent surge in device code phishing against Microsoft 365 users underscores how threat actors turn legitimate authentication flows against their owners. Because the victim signs in on Microsoft's real page and the attacker walks away with tokens, passwords and conventional MFA are not the control that stops this; blocking or tightly scoping the device code flow, device-based Conditional Access, monitoring for the flow in sign-in logs, and prompt token revocation are. Organizations across every sector named above should treat these as baseline measures to safeguard sensitive information.