Arctic Wolf

Arctic Wolf Customer,

Arctic Wolf has recently observed an ongoing phishing campaign targeting Microsoft 365 that leverages device code phishing to obtain tokens, automated token replay to bypass MFA, and Railway PaaS infrastructure to operationalize the campaign at scale while blending into normal traffic. Arctic Wolf is actively investigating this campaign, has developed detections, and is alerting customers if/when this activity is observed. All organizations are strongly recommended to review this security bulletin.

Summary

Arctic Wolf has recently observed a phishing campaign targeting Microsoft 365 that abuses the OAuth device code flow to trick victims into providing authentication codes. Threat actors use Railway’s Platform-as-a-Service (PaaS) infrastructure (a trusted cloud platform with valid IP addresses) to host attack components, allowing the activity to blend in with normal traffic. This enables threat actors to steal valid access and refresh tokens and bypass multi‑factor authentication protections.

Threat actors are using a variety of phishing lures, all personalized to the intended victims. These lures are often delivered through multi‑hop redirect chains that lead victims to enter codes on Microsoft’s official login endpoints. Once a victim submits a code, threat actors can use the resulting access and refresh tokens to maintain ongoing access to Microsoft 365 resources without requiring the victim’s password. The refresh tokens can be reused to generate new access tokens, allowing persistent access over time.

This activity was attributed to the EvilTokens phishing-as-a-service platform, which emerged in February 2026. Consistent with observations documented by Huntress, Arctic Wolf has observed hundreds of organizations impacted across multiple regions. The campaign remains active and continues to pose a significant risk to organizations globally.

Arctic Wolf has Managed Detection and Response detections in place that apply to activities observed in this campaign, and will continue to notify customers when new instances of this threat are observed.

Arctic Wolf is a customer of its own products/services and so we will follow the same recommendations outlined for our customers in this Security Bulletin.


Recommendation

Device Code Flow is designed for devices that lack local input capabilities (e.g., smart TVs, IoT devices, conference room displays). However, threat actors increasingly abuse this authentication method in phishing attacks. Arctic Wolf strongly recommends blocking Device Code Flow using Conditional Access (CA) policies where not explicitly required. MDR Customers can request a spot check from their security engineer to identify sign-ins using the Device Code Flow authentication method.

  • Create a CA policy targeting “All users” → “All cloud apps” → Conditions: Authentication flows → Device code flow → Block.

If device code flow is required for specific scenarios (e.g., conference room devices), restrict it by:

  • Limiting to specific network locations (trusted IPs)
  • Limiting to specific device platforms (e.g., Android only for meeting room devices)
  • Limiting to specific user groups (service accounts for IoT/signage)

Additionally, enable sign-in risk policies via Microsoft Entra ID Protection to detect anomalous or suspicious sign-ins.
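The following is an added example, not code from Arctic Wolf or this bulletin. It builds the Conditional Access policy described above as a Microsoft Graph `conditionalAccessPolicy` request body (All users, All cloud apps, authentication flow = device code, grant = block), with optional carve-outs for a sanctioned group, named location and platform, and then runs the "spot check" over constructed Entra sign-in records to surface device code sign-ins that fall outside that exception. The group and named-location IDs are placeholders, the `203.0.113.0/24` trusted network and the sample sign-in records are constructed, and the record field names (`authenticationProtocol`, `ipAddress`, `userPrincipalName`) follow the Graph `signIn` resource; the policy defaults to report-only so it can be validated in the sign-in logs before it is enforced.

```python
"""
Added example (not Arctic Wolf's code): build the device-code-blocking
Conditional Access policy as a Graph request body, then spot-check
constructed sign-in records for device code sign-ins outside the exception.
"""
import ipaddress
import json
from typing import Iterable

# Assumed tenant-specific identifiers: replace with real Entra object IDs.
MEETING_ROOM_GROUP_ID = "00000000-0000-0000-0000-000000000001"      # placeholder
SIGNAGE_NAMED_LOCATION_ID = "00000000-0000-0000-0000-000000000002"  # placeholder


def build_device_code_block_policy(
    exclude_group_ids: Iterable[str] = (),
    exclude_location_ids: Iterable[str] = (),
    exclude_platforms: Iterable[str] = (),
    report_only: bool = True,
) -> dict:
    """Return a body for POST /identity/conditionalAccess/policies.

    Scope is All users / All cloud apps / device code flow / block.  Groups,
    named locations and platforms passed in are excluded so sanctioned IoT or
    signage accounts keep working.  report_only=True uses the
    'enabledForReportingButNotEnforced' state for validation before enforcement.
    """
    conditions = {
        "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    }
    if exclude_location_ids:
        conditions["locations"] = {
            "includeLocations": ["All"],
            "excludeLocations": list(exclude_location_ids),
        }
    if exclude_platforms:
        conditions["platforms"] = {
            "includePlatforms": ["all"],
            "excludePlatforms": list(exclude_platforms),
        }
    return {
        "displayName": "Block device code flow (bulletin recommendation)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed exception: one signage service account, one trusted network (TEST-NET-3).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_DEVICE_CODE_USERS = {"signage-svc@example.com"}

# Constructed sign-in records shaped like the Graph signIn fields used here.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "signage-svc@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "cfo@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.8",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.11",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
]


def _from_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def spot_check_device_code_signins(records: Iterable[dict]) -> list[dict]:
    """Return device code sign-ins that do not satisfy the exception.

    A device code sign-in is acceptable only if the account is an allowed
    service account AND the source IP is in a trusted network; every other
    device code sign-in is reported with the reasons it failed.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if rec["userPrincipalName"] not in ALLOWED_DEVICE_CODE_USERS:
            reasons.append("user not in device-code exception group")
        if not _from_trusted_network(rec["ipAddress"]):
            reasons.append("source IP outside trusted networks")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    policy = build_device_code_block_policy(
        exclude_group_ids=[MEETING_ROOM_GROUP_ID],
        exclude_location_ids=[SIGNAGE_NAMED_LOCATION_ID],
        exclude_platforms=["android"],
    )
    print(json.dumps(policy, indent=2))
    for finding in spot_check_device_code_signins(SAMPLE_SIGNINS):
        print(finding["userPrincipalName"], finding["ipAddress"], finding["reasons"])
```

Run against the constructed records, the check passes the signage account on the trusted network, ignores the ordinary OAuth sign-in, and reports the two remaining device code sign-ins (one from an untrusted IP by an unexpected user, one from a trusted IP by a user outside the exception). Against a real tenant the same logic applies to sign-in records filtered on `authenticationProtocol eq 'deviceCode'`, and the policy body is posted with an account holding the Conditional Access administrator role.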

Implement Security Awareness Training

Arctic Wolf strongly recommends implementing comprehensive security awareness training to equip users with the skills needed to quickly identify and report suspicious activity, including the tactics observed in this campaign.

Arctic Wolf offers several phishing-focused modules within its Managed Security Awareness product to help users recognize and respond to the types of threats outlined in this bulletin.


If you have any additional questions, please reach out to your CST at security@arcticwolf.com.

Thank you,
Arctic Wolf

