Cybersecurity researchers are calling attention to an active device code phishing campaign that is targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany.
The activity, per Huntress, was first observed on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. Notably, the campaign leverages Cloudflare Workers redirects, with captured sessions redirected to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway, effectively turning it into a credential harvesting engine.
Construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government are some of the prominent sectors targeted as part of the campaign.
“What also makes this campaign unusual is not just the device code phishing techniques involved, but the variety of techniques observed,” the company said. “Construction bid lures, landing page code generation, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms pages are all hitting the same victim pool through the same Railway.com IP infrastructure.”
Device code phishing refers to a technique that exploits the OAuth device authorization flow to grant the attacker persistent access tokens, which can then be used to seize control of victim accounts. What is significant about this attack method is that the tokens remain valid even after the account's password is reset.
At a high level, the attack works as follows –
- Threat actor requests a device code from the identity provider (e.g., Microsoft Entra ID) via the legitimate device code API.
- The service responds with a device code.
- Threat actor crafts a persuasive email and sends it to the victim, urging them to visit a sign-in page (“microsoft[.]com/devicelogin”) and enter the device code.
- After the victim enters the provided code, along with their credentials and two-factor authentication (2FA) code, the service creates an access token and a refresh token for the user.
“Once the user has fallen victim to the phish, their authentication generates a set of tokens that now live at the OAuth token API endpoint and can be retrieved by providing the correct device code,” Huntress explained. “The attacker, of course, knows the device code because it was generated by the initial cURL request to the device code login API.”
“And while that code is useless by itself, once the victim has been tricked into authenticating, the resulting tokens now belong to anyone who knows which device code was used in the original request.”
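As an added illustration (not code from the article or from Huntress), a toy identity provider that follows the RFC 8628 device authorization grant in simplified form: whoever started the flow and holds the device_code collects the tokens once the victim approves the user code, and a password reset leaves the refresh token working until sessions are revoked. DeviceAuthServer and its method names are assumptions, not Microsoft's implementation.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class DeviceAuthServer:
    """Toy identity provider modelling the RFC 8628 device authorization grant.
    Assumption: a simplified model, not Microsoft Entra ID. It shows why tokens
    end up with whoever holds the device_code, and why a password reset alone
    does not invalidate an already-issued refresh token."""
    pending: dict = field(default_factory=dict)         # device_code -> {"user_code", "user"}
    by_user_code: dict = field(default_factory=dict)    # user_code -> device_code
    refresh_tokens: dict = field(default_factory=dict)  # refresh_token -> user
    passwords: dict = field(default_factory=dict)       # user -> password

    def device_authorization(self):
        # Steps 1-2: any client asks for a code pair; no credentials are needed here.
        device_code, user_code = secrets.token_hex(16), secrets.token_hex(4).upper()
        self.pending[device_code] = {"user_code": user_code, "user": None}
        self.by_user_code[user_code] = device_code
        return device_code, user_code

    def user_login(self, user_code, user, password, mfa_passed):
        # Steps 3-4: at the legitimate device login page the victim types the code and
        # authenticates with password + 2FA; the server binds their identity to the request.
        dc = self.by_user_code.get(user_code)
        if dc not in self.pending or self.passwords.get(user) != password or not mfa_passed:
            return False
        self.pending[dc]["user"] = user
        return True

    def token(self, device_code):
        # The poller presents only the device_code; whoever holds it receives the tokens.
        entry = self.pending.get(device_code)
        if entry is None or entry["user"] is None:
            return {"error": "authorization_pending"}
        rt = secrets.token_hex(16)
        self.refresh_tokens[rt] = entry["user"]
        del self.pending[device_code]
        return {"access_token": secrets.token_hex(8), "refresh_token": rt, "user": entry["user"]}

    def refresh(self, refresh_token):
        user = self.refresh_tokens.get(refresh_token)
        return None if user is None else {"access_token": secrets.token_hex(8), "user": user}

    def reset_password(self, user, new_password):
        self.passwords[user] = new_password  # refresh tokens are deliberately left untouched

    def revoke_sessions(self, user):
        # The remediation the article recommends: invalidate every refresh token for the user.
        self.refresh_tokens = {rt: u for rt, u in self.refresh_tokens.items() if u != user}
```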
The use of device code phishing was first observed by Microsoft and Volexity in February 2025, with subsequent waves documented by Amazon Threat Intelligence and Proofpoint. Several Russia-aligned groups tracked as Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare have been attributed to these attacks.
The technique is insidious, not least because it leverages legitimate Microsoft infrastructure to carry out the device code authentication flow, thereby giving users no reason to suspect anything could be amiss.
In the campaign detected by Huntress, the authentication abuse originates from a small cluster of Railway.com IP addresses, with three of them accounting for roughly 84% of observed events –
- 162.220.234[.]41
- 162.220.234[.]66
- 162.220.232[.]57
- 162.220.232[.]99
- 162.220.232[.]235
The starting point of the attack is a phishing email that wraps malicious URLs within legitimate security vendor redirect services from Cisco, Trend Micro, and Mimecast so as to bypass spam filters and trigger a multi-hop redirect chain featuring a combination of compromised sites, Cloudflare Workers, and Vercel as intermediaries before taking the victim to the final destination.
“The observed landing sites prompt the victim to proceed to the legitimate Microsoft device code authentication endpoint and input a provided code in order to read some files,” Huntress said. “The code is rendered directly on the page when the victim arrives.”
“This is an interesting iteration of the tactic, as, normally, the adversary must produce and then provide the code to the victim. By rendering the code directly on the page, likely by some code generation automation, the victim is immediately provided with the code and pretext for the attack.”
The landing page also comes with a “Continue to Microsoft” button that, when clicked, spawns a pop-up window rendering the legitimate Microsoft authentication endpoint (“microsoft[.]com/devicelogin”).
Almost every device code phishing site has been hosted on a Cloudflare workers[.]dev instance, illustrating how the threat actors are weaponizing the trust associated with the service in enterprise environments to sidestep web content filters. To combat the threat, users are advised to scan sign-in logs to hunt for Railway IP logins, revoke all refresh tokens for affected users, and block authentication attempts from Railway infrastructure if possible.
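One way to act on that advice, as an added example that is not part of the article: a hunt over Entra ID sign-in records for the Railway addresses listed above and for successful device code grants. Field names follow the Microsoft Graph signIn resource (assumption: your export keeps them), the sample records are constructed, and hunt and revoke_candidates are assumed names.

```python
from collections import defaultdict

# Railway IPs reported by Huntress, kept defanged as in the article and refanged at load time.
RAILWAY_IPS_DEFANGED = [
    "162.220.234[.]41", "162.220.234[.]66", "162.220.232[.]57",
    "162.220.232[.]99", "162.220.232[.]235",
]

def refang(ip):
    return ip.replace("[.]", ".")

RAILWAY_IPS = frozenset(refang(ip) for ip in RAILWAY_IPS_DEFANGED)

# Constructed sample sign-in records. Field names follow the Microsoft Graph signIn
# resource (assumption: your export keeps them; adjust if you use a SIEM schema).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-02-19T14:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "162.220.234.41", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-19T14:03:40Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-20T09:15:02Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "162.220.232.99", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-02-20T10:00:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
]

def hunt(records, suspect_ips=RAILWAY_IPS):
    """Map each user to the sign-ins worth reviewing.
    reason "railway_ip": source address is in the reported cluster (high confidence).
    reason "device_code_success": a successful device code grant from elsewhere
    (lower confidence; compare with expected device code use such as CLI tooling)."""
    findings = defaultdict(list)
    for r in records:
        ip, proto = r.get("ipAddress", ""), r.get("authenticationProtocol", "")
        success = r.get("status", {}).get("errorCode", 0) == 0
        hit = {"when": r.get("createdDateTime"), "ip": ip, "protocol": proto, "success": success}
        if ip in suspect_ips:
            findings[r["userPrincipalName"]].append({**hit, "reason": "railway_ip"})
        elif proto == "deviceCode" and success:
            findings[r["userPrincipalName"]].append({**hit, "reason": "device_code_success"})
    return dict(findings)

def revoke_candidates(findings):
    """Users with a successful sign-in from the cluster: revoke their refresh tokens
    (in Entra ID, POST /users/{id}/revokeSignInSessions) rather than only resetting passwords."""
    return sorted(u for u, hits in findings.items()
                  if any(h["reason"] == "railway_ip" and h["success"] for h in hits))
```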
Huntress has since attributed the Railway attack to a new phishing-as-a-service (PhaaS) platform known as EvilTokens, which made its debut last month on Telegram. Besides advertising tools to send phishing emails and bypass spam filters, the EvilTokens dashboard provides customers with open redirect links to vulnerable domains to obscure the phishing links.
“In addition to rapid growth in tool functionality, the EvilTokens team has spun up a full 24/7 support team and a support feedback channel,” the company said. “They also have customer feedback.”
The disclosure comes as Palo Alto Networks Unit 42 also warned of a similar device code phishing campaign, highlighting the attack’s use of anti-bot and anti-analysis techniques to fly under the radar, while exfiltrating browser cookies to the threat actor on page load. The earliest observation of the campaign dates back to February 18, 2026.
The phishing page “disables right-click functionality, text selection, and drag operations,” the company said, adding it “blocks keyboard shortcuts for developer tools (F12, Ctrl+Shift+I/C/J) and source viewing (Ctrl+U)” and “detects active developer tools by utilizing a window size heuristic, which subsequently initiates an infinite debugger loop.”