Arctic Wolf has recently observed a phishing campaign targeting Microsoft 365 that abuses the OAuth device code flow to trick victims into providing authentication codes. Threat actors use Railway’s Platform-as-a-Service (PaaS) infrastructure (a trusted cloud platform with valid IP addresses) to host attack components, allowing the activity to blend in with normal traffic. This enables threat actors to steal valid access and refresh tokens and bypass multi‑factor authentication protections.
Threat actors are using a variety of phishing lures, all personalized to the intended victims. These lures are often delivered through multi‑hop redirect chains that lead victims to enter codes on Microsoft’s official login endpoints. Once a victim submits a code, threat actors can use the resulting access and refresh tokens to maintain ongoing access to Microsoft 365 resources without requiring the victim’s password. The refresh tokens can be reused to generate new access tokens, allowing persistent access over time.
This activity was attributed to the EvilTokens phishing-as-a-service platform, which emerged in February 2026. Consistent with observations documented by Huntress, Arctic Wolf has observed hundreds of organizations impacted across multiple regions. The campaign remains active and continues to pose a significant risk to organizations globally.
Arctic Wolf has Managed Detection and Response detections in place that apply to activities observed in this campaign, and will continue to notify customers when new instances of this threat are observed.
Recommendations
Block Device Code Flow Where Not Required
Device Code Flow is designed for devices that lack local input capabilities (e.g., smart TVs, IoT devices, conference room displays). However, threat actors increasingly abuse this authentication method in phishing attacks. Arctic Wolf strongly recommends blocking Device Code Flow using Conditional Access (CA) policies where it is not explicitly required. MDR customers can request a spot check from their security engineer to identify sign-ins using the Device Code Flow authentication method.
- Create a CA policy targeting “All users” → “All cloud apps” → Conditions: Authentication flows → Device code flow → Block.
If device code flow is required for specific scenarios (e.g., conference room devices), restrict it by:
- Limiting to specific network locations (trusted IPs)
- Limiting to specific device platforms (e.g., Android only for meeting room devices)
- Limiting to specific user groups (service accounts for IoT/signage)
Additionally, enable sign-in risk policies via Microsoft Entra ID Protection to detect anomalous or suspicious sign-ins.
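The two controls above (a Conditional Access policy that blocks device code flow, and a review of existing device-code sign-ins) can be expressed in code. The following is an added example written for this bulletin; it is not Arctic Wolf's or Microsoft's code. It assumes the Microsoft Graph v1.0 conditionalAccessPolicy schema, in particular the conditions.authenticationFlows.transferMethods condition and the "block" built-in grant control, and the authenticationProtocol field of Entra sign-in records. The group IDs, named-location IDs, trusted network range, and sign-in records are constructed placeholders.

```python
"""Added example (not Arctic Wolf's or Microsoft's code).

Part 1 builds the JSON body for POST /identity/conditionalAccess/policies that
blocks device code flow for All users / All cloud apps, with optional carve-outs
for the narrow cases the bulletin lists (user groups, trusted named locations,
device platforms).  Part 2 reviews sign-in records for device-code sign-ins
that originate outside a trusted network.  Assumed: Graph v1.0 field names and
the sign-in field authenticationProtocol == "deviceCode".
"""
import ipaddress
import json


def build_block_policy(exclude_group_ids=(), trusted_location_ids=(),
                       allowed_platforms=(), report_only=True):
    """Return a Conditional Access policy body that blocks device code flow.

    report_only=True creates the policy in report-only mode so the impact can
    be reviewed before enforcement; switch to False once exceptions are known.
    """
    policy = {
        "displayName": "Block device code flow (added example)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            # "All users" -> "All cloud apps", as in the bulletin's CA recipe
            "users": {"includeUsers": ["All"],
                      "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            # Conditions: Authentication flows -> Device code flow
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        # Grant: Block
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    if trusted_location_ids:
        # Exempt trusted named locations (IDs of Entra named locations)
        policy["conditions"]["locations"] = {
            "includeLocations": ["All"],
            "excludeLocations": list(trusted_location_ids),
        }
    if allowed_platforms:
        # Exempt specific device platforms, e.g. "android" for meeting rooms
        policy["conditions"]["platforms"] = {
            "includePlatforms": ["all"],
            "excludePlatforms": list(allowed_platforms),
        }
    return policy


# Constructed sample data: an office range where signage/meeting-room devices
# live, and three sign-in records shaped like Graph /auditLogs/signIns output.
TRUSTED_NETWORKS = ["10.20.0.0/16"]
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-02T14:05:11Z",
     "userPrincipalName": "room-display@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "10.20.4.17",
     "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2026-03-02T14:09:40Z",
     "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.45",
     "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2026-03-02T14:10:02Z",
     "userPrincipalName": "bob@example.com",
     "appDisplayName": "Outlook", "ipAddress": "203.0.113.46",
     "authenticationProtocol": "none"},
]


def find_device_code_signins(records, trusted_networks=()):
    """Return device-code sign-ins whose source IP is outside trusted networks.

    Sign-ins from the trusted ranges are assumed to be legitimate input-less
    devices; anything else is a candidate for review by the security team.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        ip = ipaddress.ip_address(rec["ipAddress"])
        if any(ip in net for net in nets):
            continue
        hits.append({"time": rec["createdDateTime"],
                     "user": rec["userPrincipalName"],
                     "app": rec["appDisplayName"],
                     "ip": rec["ipAddress"]})
    return hits


if __name__ == "__main__":
    # Placeholder IDs stand in for a real group and named location.
    print(json.dumps(build_block_policy(
        exclude_group_ids=["<signage-service-accounts-group-id>"],
        trusted_location_ids=["<office-named-location-id>"],
        allowed_platforms=["android"]), indent=2))
    for hit in find_device_code_signins(SAMPLE_SIGNINS, TRUSTED_NETWORKS):
        print("review:", hit)
```

The policy body is what a Graph client (for example New-MgIdentityConditionalAccessPolicy with -BodyParameter) would submit; starting in report-only mode lets the spot check described above run against the policy's sign-in evaluations before any user is blocked. The review function is deliberately simple: in a tenant that has blocked device code flow, any remaining deviceCode sign-in outside the exempted locations should be investigated.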
Implement Security Awareness Training
Arctic Wolf strongly recommends implementing comprehensive security awareness training to equip users with the skills needed to quickly identify and report suspicious activity, including the tactics observed in this campaign.
Arctic Wolf offers several phishing-focused modules within its Managed Security Awareness product to help users recognize and respond to the types of threats outlined in this bulletin.