Device Code Phishing Targets Microsoft 365. OAuth Abuse Enables Persistent Account Access
An active phishing campaign is targeting Microsoft 365 identities across more than 340 organizations, leveraging device code authentication and OAuth token abuse to gain persistent access.
The activity, observed since February 2026, affects organizations across the U.S., Canada, Australia, New Zealand, and Germany and spans multiple sectors, including finance, healthcare, government, and manufacturing.
What makes this campaign notable is not scale alone.
It is the abuse of legitimate authentication flows.
Campaign Overview
According to threat intelligence reporting, attackers are using device code phishing to trick users into authenticating via legitimate Microsoft endpoints.
The campaign combines:
- phishing emails with realistic lures (e.g. DocuSign, voicemail, construction bids)
- multi-stage redirect chains via trusted services
- infrastructure hosted on Cloudflare Workers and Railway (PaaS)
- automated device code generation on phishing landing pages
The result is a highly reliable credential and session capture mechanism.
How the Attack Works
Device code phishing abuses the OAuth device authorization flow.
At a high level:
- The attacker requests a device code from Microsoft Entra ID
- The victim is sent to a legitimate Microsoft login page
- The victim enters a provided device code and completes authentication (including MFA)
- OAuth tokens are generated and linked to the attacker-controlled session
Once issued, these tokens allow access without requiring the user’s password again.
Critically:
Access persists even after a password reset, for as long as the issued tokens remain valid and unrevoked.
Infrastructure and Evasion Techniques
The campaign demonstrates a layered approach to evasion:
- Redirect chains using legitimate security vendor services
- Compromised websites and serverless platforms as intermediaries
- Cloudflare Workers hosting phishing logic
- Railway infrastructure used for token capture and session handling
Observed activity shows a concentration of authentication attempts from a small cluster of Railway-hosted IPs.
This enables centralized control while maintaining distributed delivery.
Emerging Phishing-as-a-Service Model
The activity has been linked to a phishing-as-a-service (PhaaS) platform known as EvilTokens.
The platform provides:
- phishing kit automation
- email distribution capabilities
- redirect infrastructure
- customer support and tooling updates
This lowers the barrier to entry for attackers and accelerates campaign replication.
Why This Matters
This attack method changes how organizations should think about identity security.
Three key implications:
1. MFA alone is not sufficient
Users complete legitimate authentication flows. No credential theft is required.
2. OAuth tokens become the real target
Control shifts from passwords to session tokens.
3. Trusted platforms are being weaponized
Cloud services are used to bypass filtering and increase credibility.
DIAMATIX Perspective
This campaign highlights a shift from credential theft to session hijacking.
The attack does not break authentication.
It uses it.
From an operational perspective, the challenge is visibility.
Traditional controls often miss:
- abnormal token issuance patterns
- sign-ins from unexpected infrastructure
- persistence through valid OAuth sessions
Password resets and standard response actions are no longer sufficient.
Effective defense requires:
- monitoring identity activity at token level, not just login events
- detection of anomalous authentication flows (device code usage patterns)
- rapid revocation of refresh tokens, not only password resets
- correlation across email, identity, and endpoint signals
The focus must move from authentication success to authentication context.
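To make the "detection of anomalous authentication flows" and "rapid revocation of refresh tokens" points concrete, here is an added example (not code from the article or from any of the cited vendors) that runs over constructed Entra ID sign-in events shaped after the Microsoft Graph signIn resource, where authenticationProtocol "deviceCode" marks the device authorization grant. It flags networks from which several distinct accounts completed device code sign-ins, which is the pattern the article describes for the Railway-hosted IP cluster, and lists the accounts whose refresh tokens should be revoked; grouping by /24 and the threshold of two users are assumed heuristics, not Microsoft fields.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample sign-in events (newline-delimited JSON). Every value is
# invented for this example; the field names follow the Graph signIn resource.
SAMPLE_SIGNINS = """\
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"userPrincipalName":"carol@example.com","ipAddress":"203.0.113.24","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"userPrincipalName":"dave@example.com","ipAddress":"198.51.100.7","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"userPrincipalName":"erin@example.com","ipAddress":"198.51.100.8","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
{"userPrincipalName":"frank@example.com","ipAddress":"192.0.2.5","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def successful_device_code_signins(records):
    """Keep only sign-ins that completed the device authorization grant (errorCode 0)."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode") == 0]

def device_code_clusters(records, prefix=24, min_users=2):
    """Group successful device code sign-ins by /prefix network (assumed heuristic)
    and return the networks that authenticated at least min_users distinct accounts."""
    users_by_net = defaultdict(set)
    for r in successful_device_code_signins(records):
        net = ipaddress.ip_network(f"{r['ipAddress']}/{prefix}", strict=False)
        users_by_net[str(net)].add(r["userPrincipalName"])
    return {net: sorted(users) for net, users in users_by_net.items()
            if len(users) >= min_users}

def accounts_to_revoke(records, prefix=24, min_users=2):
    """Accounts seen in a flagged cluster: candidates for refresh-token revocation,
    since a password reset alone leaves their issued tokens usable."""
    flagged = device_code_clusters(records, prefix, min_users)
    return sorted({u for users in flagged.values() for u in users})

if __name__ == "__main__":
    events = parse_signins(SAMPLE_SIGNINS)
    print(device_code_clusters(events))  # {'203.0.113.0/24': ['alice@...', 'bob@...', 'carol@...']}
    print(accounts_to_revoke(events))
```

Against real tenant data the same logic applies to the sign-in log export, with the threshold and prefix tuned to the organization's normal device code usage (for example, headless devices that legitimately use the flow).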
Sources
Huntress. Device code phishing campaign analysis (March 2026)
Microsoft. Device code phishing research and prior advisories
Volexity. OAuth abuse and device code attack patterns
Proofpoint / Amazon Threat Intelligence. Observations on similar campaigns
Palo Alto Networks Unit 42. Analysis of evasion and anti-analysis techniques
This article is based on publicly available threat intelligence as of March 2026.