Fraud · HIGH

Device Code Phishing - Targeting Microsoft 365 Users Globally

The Hacker News
Tags: Microsoft 365 · OAuth · phishing · Huntress · EvilTokens

Basically, hackers trick people into giving away their Microsoft account details through fake login pages.

Quick Summary

A new phishing campaign is targeting Microsoft 365 users, affecting over 340 organizations. Hackers exploit OAuth to steal credentials, posing serious risks. Users must stay vigilant and secure their accounts.

What Happened

Cybersecurity researchers have uncovered a device code phishing campaign that is actively targeting Microsoft 365 identities. This attack has affected over 340 organizations across the U.S., Canada, Australia, New Zealand, and Germany. The campaign was first detected on February 19, 2026, and has been escalating rapidly since then. The attackers are using OAuth abuse to gain unauthorized access to user accounts, making it a sophisticated threat.

The campaign employs various techniques to lure victims. These include construction bid scams, DocuSign impersonation, and voicemail notifications. By leveraging legitimate Microsoft infrastructure, the attackers create a convincing environment that makes it difficult for users to recognize the phishing attempt. The use of Cloudflare Workers for redirects further complicates detection efforts.

Who's Being Targeted

The sectors targeted by this phishing campaign are diverse. They include construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government organizations. This wide range of targets indicates that the attackers are not only after high-profile companies but also smaller organizations that may lack robust cybersecurity measures.

The campaign's success hinges on its ability to exploit the OAuth device authorization flow. This method allows attackers to obtain persistent access tokens, which remain valid even if the victim changes their password. As a result, once a user is compromised, the attackers can maintain access to their account.

Tactics & Techniques

The phishing attack begins with a malicious email prompting the victim to visit a fake sign-in page. The email often contains links that appear to be from legitimate security vendors, making it easier for the attackers to bypass spam filters. Once the victim enters their credentials and two-factor authentication (2FA) code, the attackers gain access to their tokens.

Notably, the attackers have been using a new phishing-as-a-service (PhaaS) platform called EvilTokens. This platform offers tools for crafting phishing emails, bypassing spam filters, and generating malicious links. The sophistication of these tools allows even less experienced cybercriminals to launch effective phishing campaigns.

Defensive Measures

To mitigate the risks posed by this phishing campaign, organizations should take immediate action. Users are advised to:

  • Scan sign-in logs for any unusual activity from Railway IP addresses.
  • Revoke all refresh tokens for affected users to cut off unauthorized access.
  • Block authentication attempts from known Railway infrastructure.
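The three steps above can be run as one triage pass over sign-in log records. The block below is an added example (not code from the article or from Huntress): it assumes records shaped like the Microsoft Graph `signIn` resource (`authenticationProtocol`, `ipAddress`, `userPrincipalName`, `status.errorCode`), and its CIDR list is a placeholder, since the article does not publish the Railway ranges.

```python
"""Triage Entra ID sign-in records for device-code phishing (added example)."""
import ipaddress
import json

# PLACEHOLDER ranges standing in for the attacker infrastructure the article
# names; substitute the Railway prefixes from your threat-intel feed.
BLOCKED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample records (JSON lines) mimicking Entra ID sign-in logs.
SAMPLE_LOG = """
{"createdDateTime":"2026-02-20T08:01:12Z","userPrincipalName":"a.lee@example.com","ipAddress":"203.0.113.45","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-02-20T08:03:40Z","userPrincipalName":"a.lee@example.com","ipAddress":"192.0.2.10","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-02-20T09:15:00Z","userPrincipalName":"b.kim@example.com","ipAddress":"198.51.100.7","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-02-20T09:20:00Z","userPrincipalName":"c.ng@example.com","ipAddress":"192.0.2.22","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
"""


def in_blocked_range(ip: str) -> bool:
    """True when the source address falls inside a blocked infrastructure range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_CIDRS)


def triage(log_text: str) -> list[dict]:
    """Return one finding per suspicious record, listing every reason it matched."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        reasons = []
        # A *successful* device-code sign-in is rare for ordinary users, so it is
        # the strongest single indicator; failed attempts (non-zero errorCode) are noise.
        if rec.get("authenticationProtocol") == "deviceCode" and rec["status"]["errorCode"] == 0:
            reasons.append("successful device-code sign-in")
        if in_blocked_range(rec["ipAddress"]):
            reasons.append("source IP in blocked infrastructure range")
        if reasons:
            findings.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                             "time": rec["createdDateTime"], "reasons": reasons})
    return findings


def users_to_revoke(findings: list[dict]) -> set[str]:
    """Accounts whose refresh tokens should be revoked, e.g. with the Graph
    PowerShell cmdlet Revoke-MgUserSignInSession or POST /users/{id}/revokeSignInSessions."""
    return {f["user"] for f in findings}
```

Revoking sessions invalidates the refresh tokens the article says survive a password change; a password reset alone does not.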

Additionally, organizations should educate their employees about the signs of phishing attempts and encourage them to verify any unexpected login requests. By staying vigilant and implementing these measures, organizations can better protect themselves against this evolving threat.

🔒 Pro insight: This campaign highlights the evolving sophistication of phishing tactics, emphasizing the need for continuous user education and robust authentication measures.

Original article from The Hacker News.
