Threat Intel - Arctic Wolf Tracks Microsoft 365 Phishing Campaign
Basically, hackers are tricking people into giving away their Microsoft 365 login codes using fake websites.
Arctic Wolf has detected a phishing campaign targeting Microsoft 365 users. Threat actors exploit OAuth to steal login codes, risking sensitive data. Organizations must take action to protect their accounts.
The Threat
Arctic Wolf has recently uncovered a significant phishing campaign targeting Microsoft 365 users. This campaign exploits the OAuth device code flow, a method designed for devices lacking input capabilities. By tricking victims into providing authentication codes, attackers gain access to sensitive accounts. The threat actors leverage Railway's Platform-as-a-Service (PaaS), a trusted cloud infrastructure, to host their malicious components. This clever tactic allows their activities to blend in with legitimate traffic, making detection more challenging.
The phishing campaign is attributed to the EvilTokens platform, which emerged in February 2026. It employs various lures tailored to specific victims, often utilizing multi-hop redirect chains. These redirect chains lead users to Microsoft’s official login pages, where they unknowingly submit their codes. Once the attackers receive these codes, they can access Microsoft 365 resources without needing the victim's password.
Who's Behind It
The campaign is primarily executed by threat actors using the EvilTokens phishing-as-a-service platform, which supplies ready-made tooling so that other cybercriminals can launch phishing attacks with little effort. The use of Railway's PaaS infrastructure is particularly concerning because it lets the attackers' traffic originate from legitimate cloud IP addresses, which further obscures their malicious activity. Hundreds of organizations across multiple regions have already been impacted, underlining how widespread this threat is.
Tactics & Techniques
The attackers employ a variety of tactics to maximize their success. They often use personalized phishing lures designed to resonate with their targets. By creating a sense of urgency or relevance, they increase the likelihood of victims falling for the scam. Additionally, the attackers utilize multi-hop redirect chains to obscure the true nature of the links, leading victims to believe they are interacting with legitimate Microsoft services.
Once a victim submits their authentication code, the attackers can capture both access and refresh tokens. This allows them to maintain ongoing access to the victim's Microsoft 365 resources, effectively bypassing multi-factor authentication protections. The refresh tokens can be reused to generate new access tokens, enabling persistent access over time.
Defensive Measures
To combat this growing threat, Arctic Wolf recommends that organizations take proactive measures. One key recommendation is to block the OAuth device code flow wherever it is not explicitly required. This flow is designed for input-constrained devices such as smart TVs or IoT devices, so most user accounts never need it. By implementing Conditional Access (CA) policies that block the flow for everyone else, organizations can mitigate the risk posed by this authentication method.
Arctic Wolf has also deployed Managed Detection and Response (MDR) systems to identify and respond to activities associated with this phishing campaign. They will continue to monitor the situation and notify customers of any new instances of this threat. Organizations must remain vigilant and educate employees about the dangers of phishing to protect themselves against such sophisticated attacks.
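As an added illustration of the detection side of these recommendations (this is example code, not Arctic Wolf's or Microsoft's), the script below scans Entra ID sign-in records for successful device code flow sign-ins from applications not on an allow-list and then groups them by the IP address that redeemed the code. The sign-in records are constructed sample data in the Microsoft Graph signIn field layout, and the allow-list and application names are assumptions.

```python
import json

# Constructed sample of Entra ID sign-in log records as JSON lines (not real data).
# Field names follow the Microsoft Graph signIn schema; a device code flow sign-in
# is recorded with authenticationProtocol == "deviceCode".
SAMPLE_LOG = """\
{"createdDateTime":"2026-03-02T09:14:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T09:15:30Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T11:00:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Meeting Room Display","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.5","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T12:30:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"createdDateTime":"2026-03-02T13:05:00Z","userPrincipalName":"dave@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","status":{"errorCode":0}}
"""

# Hypothetical allow-list of applications that legitimately use device code flow
# (input-constrained devices such as meeting-room displays).
ALLOWED_DEVICE_CODE_APPS = {"Meeting Room Display"}


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_device_code_signins(records, allowed_apps=ALLOWED_DEVICE_CODE_APPS):
    """Return successful device code flow sign-ins from apps not on the allow-list.
    A success here means tokens were issued, i.e. someone redeemed the code."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no access/refresh token was granted
        if r.get("appDisplayName") in allowed_apps:
            continue
        hits.append(r)
    return hits


def users_by_redeeming_ip(hits):
    """Group flagged sign-ins by source IP. One IP redeeming codes for several
    users is the pattern of a hosted phishing backend, not of a real device."""
    grouped = {}
    for r in hits:
        grouped.setdefault(r["ipAddress"], set()).add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in grouped.items()}


if __name__ == "__main__":
    flagged = find_suspicious_device_code_signins(parse_signins(SAMPLE_LOG))
    for ip, users in users_by_redeeming_ip(flagged).items():
        print(f"{ip}: device code sign-ins for {len(users)} user(s): {', '.join(users)}")
```

Feeding real exports from the Graph sign-in API or a SIEM into parse_signins turns this into a hunt for the code-redemption step the campaign depends on; the failed attempt and the allow-listed meeting-room device are deliberately excluded.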
Arctic Wolf Blog