Widespread OAuth Device Code Phishing Campaign Targets Microsoft 365 via EvilTokens PhaaS
Summary
An ongoing device code phishing campaign has been targeting Microsoft 365 accounts across at least 340 organizations in five countries (U.S., Canada, Australia, New Zealand, Germany) since mid-February 2026. The campaign abuses legitimate OAuth device authorization flows to harvest credentials and establish persistent access tokens, including via a newly identified phishing-as-a-service platform named EvilTokens. Attackers redirect victims through multi-hop chains using Cloudflare Workers, Railway PaaS infrastructure, and legitimate vendor redirect services (Cisco, Trend Micro, Mimecast) to bypass spam filters. Targeted sectors include construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government. Tokens obtained this way remain valid even after password resets, enabling long-term account compromise.
Timeline
- 25.03.2026 13:34 (1 article)
  Device Code Phishing Campaign Leveraging EvilTokens PhaaS Hits 340+ Microsoft 365 Organizations
  A large-scale device code phishing campaign has compromised Microsoft 365 accounts across at least 340 organizations since February 19, 2026. Attackers abuse OAuth device authorization flows to generate persistent access tokens, then redirect victims via multi-hop chains using Cloudflare Workers, Railway PaaS, and legitimate vendor redirect services. The campaign is linked to the EvilTokens phishing-as-a-service platform, which provides automated tooling and 24/7 support. Observed evasion techniques include disabled right-click, blocked developer tools, and infinite debugger loops on phishing pages, while tokens remain valid even after password resets.
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
Information Snippets
- The campaign abuses Microsoft’s OAuth device authorization flow to generate persistent access tokens that remain valid even after password resets.
  First reported: 25.03.2026 13:34 (1 source, 1 article)
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- Threat actors use Cloudflare Workers and Railway PaaS infrastructure (IPs: 162.220.234[.]41, 162.220.234[.]66, 162.220.232[.]57, 162.220.232[.]99, 162.220.232[.]235) to host phishing landing pages and harvest credentials.
  First reported: 25.03.2026 13:34 (1 source, 1 article)
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- Attackers employ a multi-hop redirect chain leveraging legitimate vendor redirect services (Cisco, Trend Micro, Mimecast) to bypass email security controls.
  First reported: 25.03.2026 13:34 (1 source, 1 article)
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- The EvilTokens phishing-as-a-service platform was launched on Telegram in early 2026 and provides automated phishing email delivery, bypass tools, and 24/7 support.
  First reported: 25.03.2026 13:34 (1 source, 1 article)
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- Unit 42 observed anti-bot evasion techniques including disabled right-click, blocked developer tools access, and infinite debugger loops on phishing pages.
  First reported: 25.03.2026 13:34 (1 source, 1 article)
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
- Prior device code phishing activity was attributed to Russia-aligned groups including Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare.
  First reported: 25.03.2026 13:34 (1 source, 1 article)
  - Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse — thehackernews.com — 25.03.2026 13:34
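
Added detection example (not from the cited article or any vendor): it refangs the five Railway IPs listed in the snippets above and triages exported Entra ID sign-in records for completed device code flows. Field names are assumed to follow the Microsoft Graph signIn resource; the sample rows and the trusted_apps allowlist are constructed for illustration.

```python
import ipaddress
import json

# Railway-hosted IPs exactly as listed (defanged) in the snippet above.
PAGE_IOCS = ["162.220.234[.]41", "162.220.234[.]66", "162.220.232[.]57",
             "162.220.232[.]99", "162.220.232[.]235"]
IOC_IPS = {ipaddress.ip_address(v.replace("[.]", ".")) for v in PAGE_IOCS}

def triage_signins(jsonl_text, trusted_apps=frozenset()):
    """Flag successful device-code sign-ins, worst first.
    high   = flow completed from an IP listed on the page
    review = device code flow for an app outside trusted_apps (hypothetical allowlist)
    """
    findings = []
    for line in jsonl_text.splitlines():
        try:
            rec = json.loads(line)
            ip = ipaddress.ip_address(rec["ipAddress"])
            status = rec.get("status") or {}
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # blank or malformed row: skip it, keep hunting
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if status.get("errorCode", 0) != 0:
            continue  # only completed flows are of interest here
        if ip in IOC_IPS:
            severity = "high"
        elif rec.get("appDisplayName") not in trusted_apps:
            severity = "review"
        else:
            continue
        findings.append({"severity": severity, "user": rec.get("userPrincipalName"),
                         "ip": str(ip), "time": rec.get("createdDateTime") or ""})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["time"]))

# Constructed sample rows, not real telemetry.
def _row(user, ip, proto, app, time, err=0):
    return json.dumps({"userPrincipalName": user, "ipAddress": ip, "authenticationProtocol": proto,
                       "appDisplayName": app, "createdDateTime": time, "status": {"errorCode": err}})

SAMPLE = "\n".join([
    _row("bob@example.com", "198.51.100.7", "deviceCode", "Room Display App", "2026-03-01T09:00:00Z"),
    _row("amy@example.com", "162.220.232.57", "deviceCode", "Microsoft Office", "2026-03-01T10:00:00Z"),
    _row("amy@example.com", "162.220.232.57", "deviceCode", "Microsoft Office", "2026-03-01T09:58:00Z", err=1),
    _row("cal@example.com", "203.0.113.9", "none", "Microsoft Office", "2026-03-01T11:00:00Z"),
    "not json",
])
if __name__ == "__main__":
    for finding in triage_signins(SAMPLE, trusted_apps={"Room Display App"}):
        print(finding)
```

Because the page notes that tokens stay valid after a password reset, a "high" finding calls for revoking the user's sessions and refresh tokens, not only resetting the password.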