Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse

"What also makes this campaign unusual is not just the device code phishing techniques involved, but the variety of techniques observed. Construction bid lures, landing page code generation, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms pages are all hitting the same victim pool through the same Railway.com IP infrastructure."
"Device code phishing refers to a technique that exploits the OAuth device authorization flow to grant the attacker persistent access tokens, which can then be used to seize control of victim accounts. What's significant about this attack method is that the tokens remain valid even after the account's password is reset."
A device code phishing campaign is actively targeting Microsoft 365 identities in more than 340 organizations across the U.S., Canada, Australia, New Zealand, and Germany. First identified on February 19, 2026, it has escalated rapidly. It uses Cloudflare Workers redirects and Railway.com infrastructure to harvest credentials, and affects sectors including construction, healthcare, and government. Its lures and impersonation techniques vary, but all exploit the OAuth device authorization flow to obtain persistent access tokens that remain valid even after a password reset.
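Because the technique rides the OAuth device authorization flow, the defender-side signal is a sign-in whose authentication protocol is the device code grant, especially one redeemed from an IP the user has never signed in from. The following added example (not code from the article or from any vendor) runs that check over constructed Microsoft Entra sign-in records; the field names follow the Microsoft Graph signIn resource, and the IPs, users and app names are assumptions.

```python
import json

# Constructed sample sign-in records (not from the article). Field names follow
# the Microsoft Graph signIn resource; authenticationProtocol is "deviceCode"
# when the OAuth 2.0 device authorization grant was used.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
  "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.test", "ipAddress": "198.51.100.7",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.test", "ipAddress": "203.0.113.22",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 50126}},
 {"userPrincipalName": "carol@example.test", "ipAddress": "203.0.113.30",
  "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.test", "ipAddress": "203.0.113.30",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}}
]""")

def baseline_ips(records):
    """Map each user to the IPs seen on their non-device-code sign-ins."""
    seen = {}
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            seen.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])
    return seen

def device_code_alerts(records):
    """Return one alert per successful device-code sign-in.

    Severity is "high" when the sign-in came from an IP never seen on that
    user's ordinary sign-ins, which is the shape of a phished device code
    redeemed from attacker infrastructure; "medium" otherwise. Failed
    attempts (non-zero errorCode) are skipped.
    """
    baseline = baseline_ips(records)
    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        new_ip = r["ipAddress"] not in baseline.get(user, set())
        alerts.append({"user": user, "ip": r["ipAddress"], "app": r["appDisplayName"],
                       "severity": "high" if new_ip else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in device_code_alerts(SAMPLE_SIGNINS):
        print(alert)
```

Alerts of either severity are worth a session revocation review, since the article notes the tokens outlive a password reset.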
Read at The Hacker News