Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html
Publish Date: 2026-03-25 07:34:00
Source Domain: thehackernews.com
Cybersecurity researchers are calling attention to an active device code phishing campaign that’s targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany.
The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. Notably, the campaign leverages Cloudflare Workers redirects with captured sessions redirected to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway, effectively turning it into a credential harvesting engine.
Construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government are some of the prominent sectors targeted as part of the campaign.
“What also makes this campaign unusual is not just the device code phishing techniques involved, but the variety of techniques observed,” the company said. “Construction bid lures, landing page code generation, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms pages are all hitting the same victim pool through the same Railway.com IP infrastructure.”
Device code phishing refers to a technique that exploits the OAuth device authorization flow to grant the attacker persistent access tokens, which can then be used to seize control of victim accounts. What’s significant about this attack method is that the tokens remain valid even after the account’s password is reset.
At a high level, the attack works as follows –
- Threat actor requests a device code from the identity provider (e.g, Microsoft Entra ID) via the legitimate device code API.
- The service responds with a device code.
- Threat actor creates a persuasive email and sends it to the victim, urging them to visit a sign-in page (“microsoft[.]com/devicelogin”) and enter the device code.
- After the victim enters the provided code, along with their credentials and two-factor authentication (2FA) code, the service creates an…
