CYBERSECURITY researchers have flagged an active device code phishing campaign targeting Microsoft 365 identities across more than 340 organisations in the United States, Canada, Australia, New Zealand, and Germany. The activity was first spotted on 19 February 2026, with new cases appearing at an accelerated pace since then, according to Huntress.
The campaign abuses the OAuth device authorization grant (the "device code" flow meant for input-constrained devices such as TVs and CLI tools): lures are redirected through Cloudflare Workers, and the captured sessions are routed to infrastructure hosted on Railway, a platform‑as‑a‑service, which effectively serves as the campaign's harvesting back end. Because the victim completes the sign-in on Microsoft's genuine page, the attacker never handles a password; what is harvested is the access and refresh tokens issued for the code the victim approved, which remain usable until revoked. In the observed operations, a small cluster of Railway IP addresses drives the attacks, including 162.220.234[.]41, 162.220.234[.]66, 162.220.232[.]57, 162.220.232[.]99 and 162.220.232[.]235, which accounted for the majority of events.
Device code phishing is not unique to this campaign: it is also used by Russia‑aligned groups tracked as Storm-2372, APT29, UTA0304, UTA0307 and UNK_AcademicFlare, and EvilTokens has been described as a new phishing‑as‑a‑service platform supporting such attacks. According to Huntress, the campaign's landing pages mimic legitimate Microsoft device code authentication, rendering the attacker-generated code directly on the page to prompt user action, while the final step redirects to Microsoft's real device login endpoint (microsoft.com/devicelogin). The victim therefore sees a genuine Microsoft URL and a genuine sign-in prompt, so URL inspection offers little protection; the tell is that the user is typing in a code they did not generate themselves.
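Because the victim authenticates on Microsoft's own endpoint, the resulting sign-in appears in Entra ID sign-in logs like any other, which is where defenders can hunt for it. The following triage script is an added example, not code from Huntress or from the article: it parses a sign-in log export (JSON Lines, using the field names of the Microsoft Graph signIn resource such as `authenticationProtocol` and `ipAddress`) and flags records that used the device code protocol or that came from the Railway addresses named above. The sample records are constructed for illustration and are not real events.

```python
import json

# Railway IP addresses named in the Huntress report, as defanged in the article.
REPORTED_IPS_DEFANGED = [
    "162.220.234[.]41",
    "162.220.234[.]66",
    "162.220.232[.]57",
    "162.220.232[.]99",
    "162.220.232[.]235",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 162.220.234[.]41 back into a plain IP string."""
    return indicator.replace("[.]", ".")


REPORTED_IPS = {refang(ip) for ip in REPORTED_IPS_DEFANGED}

# Constructed sample export in JSON Lines form (one signIn object per line), limited to the
# fields the check needs. Record 2 combines both indicators, 3 is a device code sign-in from
# an unrelated address, 4 is a reported address using a different grant, 1 is benign.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"id": "1", "createdDateTime": "2026-02-19T09:12:00Z", "userPrincipalName": "alice@example.com",
                "ipAddress": "203.0.113.10", "authenticationProtocol": "authorizationCode",
                "appDisplayName": "Office 365 Exchange Online"}),
    json.dumps({"id": "2", "createdDateTime": "2026-02-19T09:15:30Z", "userPrincipalName": "bob@example.com",
                "ipAddress": "162.220.234.41", "authenticationProtocol": "deviceCode",
                "appDisplayName": "Microsoft Office"}),
    json.dumps({"id": "3", "createdDateTime": "2026-02-19T10:02:11Z", "userPrincipalName": "carol@example.com",
                "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
                "appDisplayName": "Microsoft Azure CLI"}),
    json.dumps({"id": "4", "createdDateTime": "2026-02-19T10:40:00Z", "userPrincipalName": "dave@example.com",
                "ipAddress": "162.220.232.99", "authenticationProtocol": "ropc",
                "appDisplayName": "Microsoft Office"}),
])


def parse_signin_export(text: str) -> list[dict]:
    """Parse a JSON Lines sign-in export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_signins(records: list[dict]) -> list[dict]:
    """Return one finding per suspicious sign-in, with the reasons it matched.

    Two independent signals are checked:
      * authenticationProtocol == "deviceCode": the grant this campaign abuses. It is
        legitimate for CLI tools and headless devices, so on its own it is medium severity.
      * ipAddress in the reported Railway set: infrastructure attribution from the report.
    A record matching both is rated high.
    """
    findings = []
    for rec in records:
        reasons = []
        if rec.get("authenticationProtocol") == "deviceCode":
            reasons.append("device_code_protocol")
        if rec.get("ipAddress") in REPORTED_IPS:
            reasons.append("reported_railway_ip")
        if reasons:
            findings.append({
                "id": rec.get("id"),
                "time": rec.get("createdDateTime"),
                "user": rec.get("userPrincipalName"),
                "ip": rec.get("ipAddress"),
                "app": rec.get("appDisplayName"),
                "reasons": reasons,
                "severity": "high" if len(reasons) == 2 else "medium",
            })
    return findings


def affected_users(findings: list[dict]) -> set[str]:
    """Users whose sign-ins were flagged; these are the accounts whose refresh tokens
    should be revoked and whose sessions reviewed, since the tokens outlive the phish."""
    return {f["user"] for f in findings}


if __name__ == "__main__":
    results = triage_signins(parse_signin_export(SAMPLE_EXPORT))
    for f in results:
        print(f"[{f['severity']:6}] {f['time']} {f['user']:20} {f['ip']:16} {f['app']} {f['reasons']}")
    print("Accounts to review:", sorted(affected_users(results)))
```

Device code sign-ins are rare for most user populations, so the medium-severity hits are worth baselining per user rather than dismissing: a first-ever device code sign-in for an account that has never used a CLI tool is the pattern this campaign produces. Any account confirmed as phished needs its refresh tokens revoked, since resetting the password alone does not invalidate the tokens the attacker already holds.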