AI-powered phishing campaign hits 340+ organizations — M365 tokens stolen
Active device code phishing campaign exploits Railway.com and AI-generated lures to steal M365 tokens. Password resets won't help.
Huntress is warning about a large-scale phishing campaign targeting Microsoft 365 identities. Since February, over 340 organizations have been hit, with 350+ confirmed compromises and 113 blocked attempts in the past week alone.
The attackers use a technique called device code phishing. They abuse Microsoft's OAuth 2.0 device authorization grant (RFC 8628), the flow designed for input-constrained devices, for example signing a Teams client on a meeting-room display into a tenant by typing a short code on another device.
How the attack works
The victim receives a convincing AI-generated phishing email that leads to a page asking them to enter a device code, typically on Microsoft's own device login page. The attacker has already started the device code flow from their own client and is polling Microsoft's token endpoint; the code in the lure is the one issued for that request. A device code is only valid for about 15 minutes, which is why the lures press the victim to act immediately. When the victim enters the code and signs in (completing MFA themselves, so MFA alone does not stop this), the attacker's client receives an access token and a refresh token for the account with whatever scopes it requested, which in practice means broad access to the user's mail, files and Teams.
The worst part: password resets don't help. Tokens already issued stay valid until they expire or are revoked, and an access token cannot be revoked at all; it lives until its expiry, normally about an hour. The response therefore has to include revoking the user's sessions (Graph revokeSignInSessions, Revoke-MgUserSignInSession in Graph PowerShell), not just a reset. The attackers host their infrastructure on Railway.com, a developer-oriented PaaS that most security teams have never had a reason to monitor or block.
Why this hits SMBs hardest
This campaign doesn't target enterprises with dedicated SOC teams. It hits regular organizations, exactly the kind running M365 Business Premium, which includes the Entra ID P1 licence needed for Conditional Access but ships with none of the policies that stop this attack (a rule on the device code authentication flow, token protection) configured.
What you should do now
- Review Entra ID sign-in logs for sign-ins where the authentication protocol is device code (the AuthenticationProtocol column in the SigninLogs table, authenticationProtocol in the Graph sign-in API) and check whether the IP address, country and application make sense for that user. Meeting-room displays and similar devices use this flow legitimately, so baseline those accounts first.
- Add Railway.com's IP ranges as a Conditional Access named location and reference it from a policy that blocks access from it; a named location on its own blocks nothing. Treat this as a stopgap, since the attackers can move to another hosting provider at any time.
- Make sure Continuous Access Evaluation (CAE) has not been disabled (it is on by default). CAE does not shorten token lifetimes; what it does is let a session revocation or a blocking Conditional Access policy take effect on CAE-capable clients in near real time instead of at the next token refresh.
- Consider disabling the device code flow entirely with a Conditional Access policy that targets it under the Authentication flows condition and blocks it. Deploy it in report-only mode first so any legitimate device code users show up in the logs before you enforce.
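As an added example (not code from Huntress or from the original post), here is a Python script that applies the first and last steps above to a handful of constructed sign-in log records: it flags device code sign-ins that are not from a baselined device-code account on a trusted network, grades them by whether the sign-in succeeded, and builds the Graph request body for a report-only Conditional Access policy on the device code authentication flow. The trusted network, the example.com accounts and the log records are all made up for the example; the field names follow the Graph signIn resource and the conditionalAccessPolicy schema, which you should verify against the current documentation before relying on them.

```python
import ipaddress
import json
from typing import Iterable

# Constructed sample records shaped like Entra ID sign-in log entries.
# Field names follow the Microsoft Graph signIn resource; the marker for a
# device code sign-in is authenticationProtocol == "deviceCode". Users,
# addresses, timestamps and the error code are made up for this example.
SAMPLE_SIGNIN_LINES = """
{"createdDateTime": "2025-03-03T08:12:44Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.25", "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-03-03T08:13:02Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-03-03T09:40:11Z", "userPrincipalName": "lobby-tv@example.com", "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.9", "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-03-03T10:05:37Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.88", "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}}
""".strip().splitlines()

# Assumptions for the example: the organisation's own egress range, and the
# accounts that are expected to use the device code flow (meeting-room displays).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_DEVICE_CODE_ACCOUNTS = {"lobby-tv@example.com"}


def is_trusted_ip(ip: str, networks=TRUSTED_NETWORKS) -> bool:
    """True if the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_device_code_signins(lines: Iterable[str],
                             trusted_networks=TRUSTED_NETWORKS,
                             expected_accounts=EXPECTED_DEVICE_CODE_ACCOUNTS) -> list[dict]:
    """Return the device code sign-ins that deserve a look, each with a severity.

    high:   successful device code sign-in by an account not expected to use the
            flow, from an address outside the trusted networks.
    medium: failed device code sign-in by such an account (a lure that was
            clicked but did not complete, or an attempt blocked by policy).
    low:    successful, from a trusted address, but by an unexpected account.
    """
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        ip = rec["ipAddress"]
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        trusted = is_trusted_ip(ip, trusted_networks)
        if user in expected_accounts and trusted:
            continue  # baselined device on the corporate network; nothing to see
        if succeeded and not trusted:
            severity = "high"
        elif not succeeded:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "severity": severity,
            "user": user,
            "ip": ip,
            "country": rec.get("location", {}).get("countryOrRegion"),
            "app": rec.get("appDisplayName"),
            "time": rec["createdDateTime"],
        })
    return findings


def device_code_block_policy(report_only: bool = True) -> dict:
    """Request body for POST /identity/conditionalAccess/policies that blocks the
    device code authentication flow for all users and all applications.

    The shape follows the Graph conditionalAccessPolicy resource (assumption:
    check it against the current schema). Report-only mode first, so that any
    legitimate device code users appear in the logs before you enforce.
    """
    return {
        "displayName": "Block device code authentication flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNIN_LINES):
        print(f"{f['severity']:6} {f['time']} {f['user']} from {f['ip']} "
              f"({f['country']}) via {f['app']}")
    print(json.dumps(device_code_block_policy(), indent=2))
```

On the sample data this flags alice (successful device code sign-in from outside the trusted range) as high and carol (failed attempt) as medium, and skips the lobby display. Against a real tenant, feed it exported sign-in logs with one JSON object per line; the equivalent first pass in Log Analytics is simply filtering SigninLogs on AuthenticationProtocol == "deviceCode". The policy body is what you would send to the Graph conditional access policies endpoint with the Policy.ReadWrite.ConditionalAccess permission, after confirming the authenticationFlows condition is available in the API version you use.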
How HaggeBurger can help
We offer an M365 identity hardening service covering Conditional Access policy review, token protection, and device code flow configuration. It is a half-day assessment that can stop this type of attack.
Want us to check your environment? Get in touch.