Threat Intel - Railway.com Used in Microsoft 365 Token Attack
Basically, bad actors are using Railway.com to steal login tokens from Microsoft 365 users.
A new phishing campaign is exploiting Railway.com to target Microsoft 365 accounts. Over 340 organizations are affected, raising serious security concerns. Vigilance and updated defenses are essential to combat this threat.
The Threat
In a concerning development, threat actors are leveraging Railway.com, a Platform-as-a-Service (PaaS), to orchestrate a sophisticated phishing campaign targeting Microsoft 365 identities. This campaign, attributed to the EvilTokens platform, has already impacted over 340 organizations across multiple countries, including the US, Canada, and Germany. The attackers are utilizing a method known as device code phishing, which exploits legitimate authentication flows to gain persistent access to user accounts without requiring passwords.
The campaign began gaining traction in early February 2026, with the first signs of compromise observed shortly thereafter. By March 2, the scale of the attack had escalated dramatically, showcasing the attackers' ability to tailor phishing lures to evade detection. This adaptability raises concerns about the operational maturity of the threat actors involved.
Who's Behind It
The EvilTokens platform, which has been marketed on Telegram, offers various tools that facilitate phishing operations. These include a B2B Sender and an Office 365 Capture Link, both of which are designed to bypass email filtering systems and target sensitive information. The attackers are using Railway.com as a clean infrastructure for their operations, taking advantage of its legitimate IP addresses that do not raise red flags in Microsoft's security assessments.
This campaign's complexity suggests that it may involve multiple actors or a single group with a diverse toolkit. The use of various phishing techniques, including impersonation of trusted services like DocuSign and Microsoft Forms, indicates a well-coordinated effort to maximize the chances of success in credential theft.
Tactics & Techniques
The attackers employ a range of tactics to ensure their phishing attempts are effective. For instance, they utilize legitimate email security vendor URL rewriting services to mask malicious links, making it harder for users to identify phishing attempts. This technique allows the attackers to bypass common security measures, as the visible links appear to be from trusted sources.
Additionally, the use of AI workflows in their phishing lures signifies a shift towards more automated and scalable attack methods. Each phishing email is uniquely tailored, avoiding repetition and increasing the likelihood of deceiving victims. The attackers have also established a support infrastructure for their phishing tools, further enhancing their operational capabilities.
Defensive Measures
Organizations must remain vigilant against this evolving threat. Implementing multi-factor authentication (MFA) can significantly reduce the risk of unauthorized access, even if credentials are compromised. Regular training for employees on recognizing phishing attempts is also crucial. Security teams should monitor authentication events closely, especially from unusual IP addresses, and consider blocking known malicious IP ranges associated with Railway.com.
Moreover, organizations should collaborate with cybersecurity firms like Huntress to stay updated on the latest threat intelligence and mitigation strategies. By sharing information and resources, the cybersecurity community can better defend against these sophisticated phishing campaigns.
Huntress Blog