Cybersecurity researchers are calling attention to an active device code phishing campaign that’s targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany.

The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. Notably, the campaign leverages Cloudflare Workers redirects with captured sessions redirected to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway, effectively turning it into a credential harvesting engine.

Construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government are some of the prominent sectors targeted as part of the campaign. 

“What also makes this campaign unusual is not just the device code phishing techniques involved, but the variety of techniques observed,” the company said. “Construction bid lures, landing page code generation, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms pages are all hitting the same victim pool through the same Railway.com IP infrastructure.”

Device code phishing refers to a technique that exploits the OAuth device authorization flow to grant the attacker persistent access tokens, which can then be used to seize control of victim accounts. What’s significant about this attack method is that the tokens remain valid even after the account’s password is reset.

At a high level, the attack works as follows –

• Threat actor requests a device code from the identity provider (e.g, Microsoft Entra ID) via the legitimate device code API.
• The service responds with a device code.
• Threat actor creates a persuasive email and sends it to the victim, urging them to visit a sign-in page (“microsoft[.]com/devicelogin”) and enter the device code.
• After the victim enters the provided code, along with their credentials and two-factor authentication (2FA) code, the service creates an access token and a refresh token for the user.

“Once the user has fallen victim to the phish, their authentication generates a set of tokens that now live at the OAuth token API endpoint and can be retrieved by providing the correct device code,” Huntress explained. “The attacker, of course, knows the device code because it was generated by the initial cURL request to the device code login API.”

“And while that code is useless by itself, once the victim has been tricked into authenticating, the resulting tokens now belong to anyone who knows which device code was used in the original request.”

The use of device code phishing was first observed by Microsoft and Volexity in February 2025, with subsequent waves documented by Amazon Threat Intelligence and Proofpoint. Multiple Russia-aligned groups tracked as Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare, have been attributed to these attacks.

The technique is insidious, not least because it leverages legitimate Microsoft infrastructure to perform the device code authentication flow, thereby giving users no reason to suspect anything could be amiss.

In the campaign detected by Huntress, the authentication abuse originates from a small cluster of Railway.com IP addresses, with three of them accounting for roughly 84% of observed events –

• 162.220.234[.]41
• 162.220.234[.]66 
• 162.220.232[.]57
• 162.220.232[.]99
• 162.220.232[.]235

The starting point of the attack is a phishing email that wraps malicious URLs within legitimate security vendor redirect services from Cisco, Trend Micro, and Mimecast so as to bypass spam filters and trigger a multi-hop redirect chain featuring a combination of compromised sites, Cloudflare Workers, and Vercel as intermediaries before taking the victim to the final destination.

“The observed landing sites prompt the victim to proceed to the legitimate Microsoft device code authentication endpoint and input a provided code in order to read some files,” Huntress said. “The code is rendered directly on the page when the victim arrives.”

“This is an interesting iteration of the tactic, as, normally, the adversary must produce and then provide the code to the victim. By rendering the code directly on the page, likely by some code generation automation, the victim is immediately provided with the code and pretext for the attack.”

The landing page also comes with a “Continue to Microsoft” that, when clicked, spews a pop-up window rendering the legitimate Microsoft authentication endpoint (“microsoft[.]com/devicelogin”).

Almost every device code phishing site has been hosted on a Cloudflare workers[.]dev instance, illustrating how the threat actors are weaponizing the trust associated with the service in enterprise environments to sidestep web content filters. To combat the threat, users are advised to scan sign-in logs to hunt for Railway IP logins, revoke all refresh tokens for affected users, and block authentication attempts from Railway infrastructure if possible.

Huntress has since attributed the Railway attack to a new phishing-as-a-service (PhaaS) platform known as EvilTokens, which made its debut last month on Telegram. Besides advertising tools to send phishing emails and bypass spam filters, the EvilTokens dashboard provides customers with open redirect links to vulnerable domains to obscure the phishing links.

“In addition to rapid growth in tool functionality, the EvilToken team has spun up a full 24/7 support team and a support feedback channel,” the company said. “They also have customer feedback.”

The disclosure comes as Palo Alto Networks Unit 42 also warned of a similar device code phishing campaign, highlighting the attack’s use of anti-bot and anti-analysis techniques to fly under the radar, while exfiltrating browser cookies to the threat actor on page load. The earliest observation of the campaign dates back to February 18, 2026.

The phishing page “disables right-click functionality, text selection, and drag operations,” the company said, adding it “blocks keyboard shortcuts for developer tools (F12, Ctrl+Shift+I/C/J) and source viewing (Ctrl+U)” and “detects active developer tools by utilizing a window size heuristic, which subsequently initiates an infinite debugger loop.”