Security researchers are tracking a large device code phishing campaign against Microsoft 365 users that has hit more than 340 organizations in countries including the U.S., Canada, Australia, New Zealand, and Germany. Huntress, which has tracked the campaign since February 19, 2026, reports that it is expanding rapidly and relies on Cloudflare Workers for its redirect chain and on Railway's platform-as-a-service to host the credential-harvesting infrastructure.
Widespread Targeting of Key Sectors
The campaign has primarily targeted construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government organizations. Its lures vary: construction bid requests, fake landing pages, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms.
The attack abuses the OAuth 2.0 device authorization grant. The attacker's client requests a device code, the victim is tricked into entering the matching user code on Microsoft's genuine sign-in page, and Microsoft then issues the access and refresh tokens to the attacker's client rather than to anything the victim controls. The resulting session lives on the attacker's side, which is why the report warns that access persists even after a password reset: a reset alone does not revoke tokens already issued, so the sessions have to be revoked explicitly. Because every step in the flow uses legitimate Microsoft infrastructure, there is no spoofed login page for email filters or users to catch.
Technical Details and Attack Progression
The attack begins with an email containing a malicious URL wrapped in a legitimate security vendor's URL-rewriting (safe-link) service, so the link passes spam filters and looks trustworthy. Victims are then bounced through a series of redirects involving compromised sites and Cloudflare Workers before reaching the final phishing page.
The phishing page displays an attacker-generated user code and instructs the victim to enter it on the official Microsoft device code authentication page. Because the code is rendered on the page automatically, the attacker never has to relay it by hand; once the victim enters the code and signs in, Microsoft hands the tokens to the attacker's waiting client.
Emergence of EvilTokens Platform
Huntress has linked the campaign to EvilTokens, a new phishing-as-a-service platform that recently surfaced on Telegram. The service not only runs the device code phishing flow but also bundles tooling to evade spam filters and to hide phishing links behind open redirects on legitimate domains.
Palo Alto Networks Unit 42 has reported similar campaigns and documented anti-analysis techniques on the phishing pages that hinder inspection, such as disabling right-click, blocking developer tools, and otherwise manipulating browser behavior.
The growth of device code phishing means organizations should review Entra ID sign-in logs for device code authentications (the token-issuing sign-in records the authentication protocol as "deviceCode"), revoke the sessions and refresh tokens of any affected users rather than relying on a password reset, and block the source IPs. Tenants that have no legitimate use for the device code grant can also block it outright with an Entra Conditional Access policy using the authentication flows condition.
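The following is an added example, not code from Huntress or from the report, showing how the log review and response described above (and the token-persistence point made earlier) can be automated. It runs offline over constructed records shaped like Microsoft Graph `signIn` objects; the sample records, the corporate egress range `203.0.113.0/24`, and the "Azure CLI" allow-list are assumptions for illustration. A real run would fetch the records from `/auditLogs/signIns` and tune both lists to the tenant.

```python
"""Triage Microsoft Entra sign-in records for device code authentications.

Added example for this article, not the report's tooling. It flags device
code sign-ins that look suspicious and derives the two response actions the
report recommends: revoke the affected users' sessions and block the IPs.
"""
import ipaddress

# Constructed sample data, not real telemetry. Field names follow the Graph
# signIn resource (createdDateTime, userPrincipalName, ipAddress,
# appDisplayName, authenticationProtocol, status.errorCode).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-02-20T14:02:11Z", "userPrincipalName": "a.lee@example.com",
     "ipAddress": "203.0.113.25", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-20T14:35:40Z", "userPrincipalName": "m.chen@example.com",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-20T14:36:02Z", "userPrincipalName": "m.chen@example.com",
     "ipAddress": "203.0.113.40", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "authorizationCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-20T15:10:09Z", "userPrincipalName": "r.patel@example.com",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]

# Hypothetical corporate egress ranges and the client apps that legitimately use
# the device code grant in this tenant (e.g. headless CLI tooling).
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
DEVICE_CODE_ALLOWED_APPS = {"Azure CLI"}


def _is_known_egress(ip, networks=KNOWN_EGRESS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage_device_code_signins(records, networks=KNOWN_EGRESS,
                               allowed_apps=DEVICE_CODE_ALLOWED_APPS):
    """Return one finding per device code sign-in that looks suspicious.

    A device code sign-in is flagged when the token was issued to an IP outside
    known egress or when the requesting app has no business using the grant.
    Failed attempts (non-zero errorCode) are kept: a failure still shows that a
    lure reached a user, and the attacker may retry from the same IP.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if not _is_known_egress(rec["ipAddress"], networks):
            reasons.append("token issued to IP outside known egress")
        if rec.get("appDisplayName") not in allowed_apps:
            reasons.append(f"device code used by unexpected app {rec.get('appDisplayName')!r}")
        if reasons:
            findings.append({
                "time": rec["createdDateTime"],
                "user": rec["userPrincipalName"],
                "ip": rec["ipAddress"],
                "succeeded": rec.get("status", {}).get("errorCode", 0) == 0,
                "reasons": reasons,
            })
    return findings


def response_plan(findings):
    """Derive the response actions from the findings.

    Users whose device code sign-in succeeded need their sessions and refresh
    tokens revoked (per the report, a password reset alone leaves the
    attacker's session alive); every source IP in the findings gets blocked.
    """
    revoke = sorted({f["user"] for f in findings if f["succeeded"]})
    block_ips = sorted({f["ip"] for f in findings})
    return {"revoke_sessions_for": revoke, "block_ips": block_ips}


if __name__ == "__main__":
    found = triage_device_code_signins(SAMPLE_SIGNINS)
    for f in found:
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
    print(response_plan(found))
```

On the sample data the Azure CLI sign-in from corporate egress passes, the Office sign-in from 198.51.100.77 is flagged on both counts, and the failed attempt from the same IP is kept so the IP still lands on the block list while only the successful victim lands on the revoke list. The allow-list check matters in practice: blocking every device code sign-in would also catch legitimate CLI and headless tooling, so the policy should be an explicit list of apps that are expected to use the grant.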
