Arctic Wolf has recently observed a phishing campaign targeting Microsoft 365 that abuses the OAuth device code flow to trick victims into entering attacker-generated authentication codes. Threat actors host attack components on Railway’s Platform-as-a-Service (PaaS) infrastructure, a legitimate cloud platform whose IP space carries good reputation, allowing the activity to blend in with normal traffic. Because the victim completes the sign-in, including multi‑factor authentication, on Microsoft’s genuine login page, the tokens are issued to the attacker-controlled client with MFA already satisfied; this is how threat actors obtain valid access and refresh tokens without MFA blocking them.
Threat actors are using a variety of phishing lures, all personalized to the intended victims. These lures are often delivered through multi‑hop redirect chains that lead victims to enter codes on Microsoft’s official login endpoints. Once a victim submits a code, threat actors can use the resulting access and refresh tokens to maintain ongoing access to Microsoft 365 resources without ever learning the victim’s password. The refresh token can be redeemed repeatedly for new access tokens, so access persists well beyond the lifetime of the first access token unless the token is revoked.
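To make the mechanics concrete, here is an offline simulation of the OAuth 2.0 device authorization grant (RFC 8628) as Microsoft Entra ID implements it. This is an added illustration, not Arctic Wolf, Microsoft or EvilTokens code: the authorization server is an in-memory stand-in, the client ID and victim UPN are placeholders, and only the three endpoint URLs are real. It shows the point the text makes: the party that starts the flow is the party that receives the tokens, even though the victim is the one who authenticates (with MFA) on the real page, and the refresh token keeps working afterwards.

```python
"""Offline simulation of the device authorization grant (RFC 8628) as used
against Microsoft 365. Added example; not code from Arctic Wolf, Microsoft
or the campaign. The endpoint strings are the real Entra ones; everything
else (server, client id, victim) is an in-memory stand-in."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

DEVICE_CODE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
VERIFICATION_URI = "https://microsoft.com/devicelogin"  # the genuine page a lure points to


@dataclass
class PendingGrant:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None  # set once the victim completes sign-in


@dataclass
class FakeAuthorizationServer:
    """Stand-in for the authorization server; keeps state in memory."""
    grants: dict = field(default_factory=dict)          # device_code -> PendingGrant
    refresh_tokens: dict = field(default_factory=dict)  # refresh_token -> (user, scope)

    def device_authorization(self, client_id: str, scope: str, lifetime: int = 900) -> dict:
        """Step 1, done by the INITIATING client (here: the attacker). No user yet."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.grants[device_code] = PendingGrant(client_id, scope, user_code, time.time() + lifetime)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": lifetime, "interval": 5}

    def user_enters_code(self, user_code: str, authenticated_user: str) -> bool:
        """Step 2, done by the VICTIM: password + MFA on the real page, then the code."""
        for grant in self.grants.values():
            if (grant.user_code == user_code and grant.approved_by is None
                    and time.time() < grant.expires_at):
                grant.approved_by = authenticated_user
                return True
        return False

    def token(self, device_code: str) -> dict:
        """Step 3, polled by the initiating client: grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        grant = self.grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if time.time() >= grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        refresh_token = secrets.token_urlsafe(48)
        self.refresh_tokens[refresh_token] = (grant.approved_by, grant.scope)
        del self.grants[device_code]
        # Tokens are bound to the victim's identity but handed to whoever holds device_code.
        return {"token_type": "Bearer", "scope": grant.scope, "expires_in": 3600,
                "access_token": f"at.{grant.approved_by}.{secrets.token_hex(8)}",
                "refresh_token": refresh_token}

    def refresh(self, refresh_token: str) -> dict:
        """Later: a refresh token mints new access tokens with no further user interaction."""
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None:
            return {"error": "invalid_grant"}
        user, scope = entry
        return {"token_type": "Bearer", "scope": scope, "expires_in": 3600,
                "access_token": f"at.{user}.{secrets.token_hex(8)}"}


def run_phishing_scenario(victim: str = "victim@example.test"):
    """Walks the three steps and returns (first token response, refreshed response)."""
    server = FakeAuthorizationServer()
    # Attacker starts the flow; the returned user_code is what the lure asks the victim to type.
    start = server.device_authorization(client_id="placeholder-public-client-id",
                                        scope="openid offline_access https://graph.microsoft.com/.default")
    first_poll = server.token(start["device_code"])          # -> authorization_pending
    # Victim follows the lure to microsoft.com/devicelogin, signs in with MFA, enters the code.
    server.user_enters_code(start["user_code"], authenticated_user=victim)
    tokens = server.token(start["device_code"])              # attacker now holds the tokens
    renewed = server.refresh(tokens["refresh_token"])        # and can keep renewing them
    return first_poll, tokens, renewed
```

The defensive takeaway follows directly from `user_enters_code`: the authorization server has no way to tell that the person typing the code is not the person who requested it, so the controls have to sit on whether the device code flow is permitted at all (Conditional Access) and on revoking refresh tokens once a compromise is suspected.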
This activity was attributed to the EvilTokens phishing-as-a-service platform, which emerged in February 2026. Consistent with observations documented by Huntress, Arctic Wolf has observed hundreds of organizations impacted across multiple regions. The campaign remains active and continues to pose a significant risk to organizations globally.
Arctic Wolf has Managed Detection and Response detections in place that apply to activities observed in this campaign, and will continue to notify customers when new instances of this threat are observed.
Recommendations
Block Device Code Flow Where Not Required
Device Code Flow is designed for devices that lack local input capabilities (e.g., smart TVs, IoT devices, conference room displays). However, threat actors increasingly abuse this authentication method in phishing attacks. Arctic Wolf strongly recommends blocking Device Code Flow using Conditional Access (CA) policies where it is not explicitly required. Deploying the policy in report-only mode first will surface any legitimate device code sign-ins before enforcement. MDR customers can request a spot check from their security engineer to identify sign-ins using the Device Code Flow authentication method.
- Create a CA policy targeting “All users” → “All cloud apps” → Conditions: Authentication flows → Device code flow → Block.
If device code flow is required for specific scenarios (e.g., conference room devices), restrict it by:
- Limiting to specific network locations (trusted IPs)
- Limiting to specific device platforms (e.g., Android only for meeting room devices)
- Limiting to specific user groups (service accounts for IoT/signage)
Additionally, enable sign-in risk policies via Microsoft Entra ID Protection to detect anomalous or suspicious sign-ins.
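The two pieces of the recommendation above, the policy and the spot check, as an added example that is not Arctic Wolf’s or Microsoft’s code. The first function builds the JSON body for the Conditional Access policy as it would be sent to Microsoft Graph (`POST /identity/conditionalAccess/policies`), with the carve-outs the text lists (trusted locations, a platform, a group of service accounts); the field names follow the Graph `conditionalAccessPolicy` schema as I know it and should be confirmed against current documentation before use. The second function triages Entra sign-in log records for device code sign-ins using the `authenticationProtocol` and `conditionalAccessStatus` fields of the Graph `signIn` resource. The records, trusted ranges and account names are constructed samples.

```python
"""Added example (not Arctic Wolf or Microsoft code): build the CA policy body
and triage sign-in log records for device code flow. Schema field names are
my understanding of the Graph conditionalAccessPolicy / signIn resources."""
import ipaddress
from collections import Counter


def device_code_block_policy(display_name="Block device code flow",
                             exclude_groups=(), exclude_platforms=(),
                             exempt_trusted_locations=False,
                             state="enabledForReportingButNotEnforced"):
    """Return the Graph JSON body for a policy blocking device code flow.

    Defaults to report-only so legitimate device code sign-ins show up first;
    pass state="enabled" once the report-only results look clean."""
    policy = {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    if exclude_platforms:  # e.g. ("android",) for meeting-room devices
        policy["conditions"]["platforms"] = {"includePlatforms": ["all"],
                                             "excludePlatforms": list(exclude_platforms)}
    if exempt_trusted_locations:  # block only from outside trusted named locations
        policy["conditions"]["locations"] = {"includeLocations": ["All"],
                                             "excludeLocations": ["AllTrusted"]}
    return policy


# Constructed sample sign-in records (shape of Graph signIn objects, trimmed).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "alice@example.test", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "bob@example.test", "ipAddress": "198.51.100.78",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "room-lobby-tv@example.test", "ipAddress": "203.0.113.22",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "carol@example.test", "ipAddress": "198.51.100.79",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "failure"},
]
TRUSTED_CIDRS = ["203.0.113.0/24"]                      # hypothetical office range
DEVICE_CODE_ALLOWED = {"room-lobby-tv@example.test"}    # hypothetical signage account


def triage_device_code_signins(records, trusted_cidrs, allowed_accounts):
    """Classify each device code sign-in.

    'blocked'     - CA failed the sign-in, i.e. the block policy did its job
    'expected'    - an allow-listed account from a trusted range
    'investigate' - anything else: a human user, or an untrusted source IP"""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        ip = ipaddress.ip_address(rec["ipAddress"])
        from_trusted = any(ip in n for n in nets)
        upn = rec["userPrincipalName"]
        if rec.get("conditionalAccessStatus") == "failure":
            verdict = "blocked"
        elif upn in allowed_accounts and from_trusted:
            verdict = "expected"
        else:
            verdict = "investigate"
        findings.append({"upn": upn, "ip": str(ip), "trusted_ip": from_trusted,
                         "verdict": verdict})
    return findings


def summarize(findings):
    """Counts per verdict, the number an analyst wants on the first line of a spot check."""
    return Counter(f["verdict"] for f in findings)
```

When a sign-in lands in `investigate`, the follow-up is to revoke that user’s refresh tokens and review the application the token was issued to; `summarize` is just the headline count for the spot check.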
Implement Security Awareness Training
Arctic Wolf strongly recommends implementing comprehensive security awareness training to equip users with the skills needed to quickly identify and report suspicious activity, including the tactics observed in this campaign.
Arctic Wolf offers several phishing-focused modules within its Managed Security Awareness product to help users recognize and respond to the types of threats outlined in this bulletin.
Facts Only
Arctic Wolf observed a phishing campaign targeting Microsoft 365.
The campaign abuses the OAuth device code flow to trick victims into providing authentication codes.
Threat actors use Railway’s Platform-as-a-Service (PaaS) infrastructure to host attack components.
The activity blends with normal traffic due to Railway’s valid IP addresses.
Phishing lures are personalized and delivered through multi-hop redirect chains.
Victims are directed to enter codes on Microsoft’s official login endpoints.
Stolen access and refresh tokens allow persistent access to Microsoft 365 resources.
The campaign is attributed to the EvilTokens phishing-as-a-service platform, which emerged in February 2026.
Hundreds of organizations across multiple regions have been impacted.
Arctic Wolf has detections in place and notifies customers of new instances.
Recommendations include blocking device code flow via Conditional Access policies where not required.
Security awareness training is advised to help users identify phishing tactics.
Executive Summary
A phishing campaign targeting Microsoft 365 users is exploiting the OAuth device code flow to bypass multi-factor authentication (MFA) and steal access tokens. Threat actors leverage Railway’s Platform-as-a-Service (PaaS) infrastructure to host malicious components, blending their activity with legitimate traffic. The campaign, attributed to the EvilTokens phishing-as-a-service platform, emerged in February 2026 and has impacted hundreds of organizations globally. Victims receive personalized phishing lures via multi-hop redirect chains, leading them to enter authentication codes on Microsoft’s official login pages. Once compromised, threat actors use the stolen tokens to maintain persistent access to Microsoft 365 resources without needing the victim’s password.
Arctic Wolf recommends mitigating this threat by blocking the device code flow via Conditional Access policies where unnecessary and restricting its use to specific scenarios, such as trusted network locations or device platforms. Additional safeguards include enabling sign-in risk policies and implementing security awareness training to help users recognize and report phishing attempts. The campaign remains active, posing ongoing risks to organizations worldwide.
Full Take
This phishing campaign represents a refinement of credential theft that exploits trust in legitimate infrastructure and in a legitimate authentication flow. The use of Railway’s PaaS and Microsoft’s own login endpoints shows how threat actors lean on familiar, reputable services to get past reputation-based defenses. The device code flow, designed for limited-input devices, is repurposed as a vector for persistent access; the weakness is not a flaw in OAuth but the fact that the protocol cannot tell whether the person entering the code is the one who requested it. The campaign’s scale (hundreds of organizations across regions) suggests a well-resourced, professionalized operation, consistent with the efficiency of the phishing-as-a-service model.
The narrative’s strongest aspect is its technical precision: it clearly outlines the attack chain, from infrastructure abuse to token theft, and provides actionable mitigations. However, the framing leans toward urgency, emphasizing the "significant risk" and "ongoing" threat, which could amplify fear without proportional context. The recommendation to block device code flow wherever it is not explicitly required, while pragmatic, assumes organizations can identify and carve out every legitimate use, which is harder for those with legacy systems or IoT dependencies.
Root cause: The paradigm here is the tension between usability and security in modern authentication. OAuth’s device code flow was designed to solve a real problem (authentication on input-constrained devices), but its abuse reveals how security trade-offs can be weaponized. The unstated assumption is that organizations can rapidly adapt policies, ignoring resource disparities.
Implications: Human agency is undermined when technical trust is exploited. Users, trained to recognize phishing, may still fall victim to lures that redirect to legitimate endpoints. The cost falls disproportionately on smaller organizations lacking advanced detection tools, while the benefit accrues to threat actors monetizing stolen access.
Bridge questions: How might authentication protocols evolve to close this gap without sacrificing usability? What structural incentives could reduce the profitability of phishing-as-a-service platforms? Would a shift toward hardware-based authentication (e.g., FIDO2) mitigate these risks, or simply displace them?
Counterstrike scan: A coordinated influence campaign would exaggerate the threat’s novelty, omit mitigations, or frame it as an unstoppable trend to erode confidence in cloud security. This analysis, however, balances technical detail with solutions, avoiding alarmism. No structural alignment with manipulation patterns is detected.
