HIGH: Device Code Phishing Campaign Hammers 340+ Microsoft 365 Organizations

Over 340 organizations across five countries compromised in aggressive device code phishing campaign exploiting OAuth device authorization flow. Attackers harvest tokens that survive password resets using PhaaS platform EvilTokens.

By Danny Mercer, CISSP — Lead Security Analyst Mar 26, 2026
Executive Summary

More than 340 organizations across the US, Canada, Australia, New Zealand, and Germany have been compromised in a device code phishing campaign discovered by Huntress on February 19th. The attack exploits OAuth's device authorization flow to harvest tokens that persist beyond password resets.

Technical Analysis

Attackers generate device codes through malicious application registrations, then phish victims into entering those codes at the legitimate microsoft.com/devicelogin page. Because victims interact only with real Microsoft infrastructure, the usual advice to check the URL before entering credentials offers no protection here.

The infrastructure hosts phishing pages on Cloudflare Workers, routes traffic through legitimate security vendor domains (Cisco, Trend Micro, Mimecast), and harvests tokens via the Railway PaaS. 84% of events originated from three Railway IPs.

The campaign is powered by EvilTokens, a PhaaS platform on Telegram offering 24/7 customer support and a user feedback channel.

Affected Sectors

Construction, Healthcare, Legal, Government, Manufacturing, Financial Services across five countries.

Remediation Steps

- Scan Azure AD sign-in logs for authentications from the Railway IPs.
- Revoke all refresh tokens for affected users.
- Consider blocking the device code authentication flow if it is not needed.
- Review conditional access policies and token lifetime settings; shorter token lifetimes reduce the attacker's window of opportunity.
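The following triage script is an added example, not code from the article or from Huntress. It walks a batch of Entra ID / Azure AD sign-in records in the Microsoft Graph `signIn` JSON shape, flags device code sign-ins from apps you have not approved and any sign-in from the suspect address ranges, and returns the users whose refresh tokens should be revoked. The field names (`authenticationProtocol`, `ipAddress`, `userPrincipalName`, `appId`) are assumed from the Graph signIn resource; the IP ranges and the sample records are constructed placeholders, not the campaign's real indicators, so substitute the addresses from your own incident data.

```python
"""Triage helper for a device code phishing incident (added example).

Assumes Graph signIn-style records with the fields
userPrincipalName, ipAddress, authenticationProtocol and appId.
"""
import ipaddress
import json
from collections import Counter, defaultdict

# PLACEHOLDER ranges (RFC 5737 documentation space) standing in for the
# token-harvesting PaaS addresses seen in the incident. Replace with the
# indicators from your own investigation.
SUSPECT_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Hypothetical app id of a device you legitimately enrol via device code
# (for example a meeting-room display). Constructed value.
KNOWN_DEVICE_APP = "aaaaaaaa-0000-0000-0000-000000000001"
UNKNOWN_APP = "bbbbbbbb-0000-0000-0000-000000000002"

# Constructed sample export: three device code sign-ins from the suspect
# ranges, one legitimate device code sign-in, one normal interactive sign-in.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "appId": UNKNOWN_APP},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "appId": UNKNOWN_APP},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "appId": UNKNOWN_APP},
    {"userPrincipalName": "dave@example.com", "ipAddress": "192.0.2.44",
     "authenticationProtocol": "deviceCode", "appId": KNOWN_DEVICE_APP},
    {"userPrincipalName": "erin@example.com", "ipAddress": "192.0.2.45",
     "authenticationProtocol": "oAuth2", "appId": KNOWN_DEVICE_APP},
])


def load_signins(raw: str) -> list:
    """Parse a JSON array of sign-in records."""
    return json.loads(raw)


def is_suspect_ip(ip: str) -> bool:
    """True if the address falls inside one of the suspect networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed or empty field in the export
        return False
    return any(addr in net for net in SUSPECT_NETWORKS)


def triage(records, known_device_apps=frozenset()):
    """Return {userPrincipalName: [reasons]} for every user needing review.

    Two independent signals are checked per record: the source address and
    a device code sign-in through an app that is not on the allow-list.
    """
    findings = defaultdict(list)
    for rec in records:
        upn = rec.get("userPrincipalName", "<unknown>")
        ip = rec.get("ipAddress", "")
        if is_suspect_ip(ip):
            findings[upn].append(f"sign-in from suspect address {ip}")
        if (rec.get("authenticationProtocol") == "deviceCode"
                and rec.get("appId") not in known_device_apps):
            findings[upn].append(
                f"device code sign-in via unapproved app {rec.get('appId')}")
    return dict(findings)


def revocation_targets(findings) -> list:
    """Sorted list of users whose refresh tokens should be revoked."""
    return sorted(findings)


def device_code_sources(records) -> dict:
    """Count device code sign-ins per source IP to spot concentration."""
    return dict(Counter(r.get("ipAddress", "")
                        for r in records
                        if r.get("authenticationProtocol") == "deviceCode"))


if __name__ == "__main__":
    recs = load_signins(SAMPLE_SIGNINS)
    result = triage(recs, known_device_apps=frozenset({KNOWN_DEVICE_APP}))
    for upn, reasons in result.items():
        print(upn, "->", "; ".join(reasons))
    print("revoke:", revocation_targets(result))
    print("device code sources:", device_code_sources(recs))
```

The user list produced by `revocation_targets` is the input to the revocation step: in Graph it is the `revokeSignInSessions` action on each user, which invalidates refresh tokens rather than relying on a password reset. Counting device code sign-ins per source address is useful because, as the article notes, most of the harvesting in this campaign came from a handful of addresses.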
