A device code phishing campaign using Railway’s Platform-as-a-Service infrastructure has compromised Microsoft 365 accounts at hundreds of organizations across five countries. Cybersecurity researchers report that attackers have used Railway.com’s containerized hosting platform to deploy credential-harvesting infrastructure at machine speed with AI-generated phishing lures that bypass commercial email filters.
The campaign is attributed to EvilTokens’ Phishing-as-a-Service (PhaaS) platform, which was first advertised on NOIRLEGACY GROUP’s Telegram channel, with its first public post made on February 16, 2026. The campaign first appeared on February 19, 2026, with two additional cases surfacing on February 24. It accelerated sharply on March 2 and has continued at pace, targeting over 340 organizations in the US, Canada, Australia, New Zealand and Germany. As of March 23, 113 attempted compromises had been blocked, in addition to the approximately 350 successful attacks reported over the previous two weeks.
Device Code Flow Bypasses MFA Entirely
The attackers exploit Microsoft’s device code authentication flow, a legitimate feature designed for devices without web browsers. Users receive a code via email and enter it at Microsoft’s own login portal, but the attacker harvests the resulting authentication tokens without ever touching the user’s password or MFA prompt. Security researchers confirmed the attack bypasses multi-factor authentication entirely because users authenticate, and complete any MFA challenge themselves, on Microsoft’s legitimate endpoint; the tokens issued afterward are delivered to the attacker who initiated the device code request.
What makes this campaign unusual is the diversity of attack vectors hitting the same victim pool through the same Railway.com IP infrastructure. Researchers observed construction bid lures, DocuSign impersonation, voicemail notifications and abuse of Microsoft Forms pages, all targeting the same organizations. The variety raises questions about whether this is one threat actor with an unusually broad toolset or multiple actors sharing the same backend.
AI Lures Eliminate Detection by Email Filters
Each phishing message was tailored to avoid exact duplication, leading researchers to conclude that “the campaign is leveraging automation or AI to operate at scale.” The personalized lures evade email filtering solutions precisely because no two messages are identical, a problem traditional signature-based detection cannot solve.
Railway’s platform gives attackers clean IP reputation, automatic TLS certificates and no identity verification at the free tier. Rich Mozeleski told CyberScoop that “vetting and validation on the free use of their product could be improved,” comparing Railway unfavorably to services like MailChimp and HubSpot that have controls to prevent bulk abuse.
Railway solutions engineer Angelo Saraceno said the company was first contacted by Huntress on March 6 regarding phishing traffic from a specific IP address, but provided no detail on remediation steps taken. The timing suggests Railway was unaware of the abuse for at least two weeks after it began.
Emergency Action Taken Across 60,000 Tenants
The scale of the campaign prompted an emergency conditional access policy update to 60,000 Microsoft cloud tenants on Wednesday, blocking emails from Railway domains, an action Mozeleski described as unprecedented. The emergency policy blocks known adversary IP addresses but only covers confirmed infrastructure for this specific campaign.
Researchers continued to see more than 50 compromises per day tied to Railway phishing domains as recently as Friday, March 22. The sustained volume suggests the attackers have established a reliable operational workflow using Railway’s infrastructure.
Block Device Code Flow If You Do Not Need It
Microsoft added an Authentication Flows condition to conditional access policies specifically to address device code phishing. If your organisation does not use device code authentication, block it entirely via conditional access. If you do need device code flow, restrict it to only the specific identities that require this method.
Enable Continuous Access Evaluation (CAE) to reduce token revocation latency from approximately one hour to minutes. Require compliant devices for Exchange Online and SharePoint: when compliant devices are required, device code authentication cannot proceed if the device is not compliant.
Train users that entering device codes, even into Microsoft’s legitimate authentication endpoint, is not necessarily safe. The attack succeeds because users trust Microsoft’s portal and enter codes they received via email without verifying the request’s authenticity.
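The two administrative steps above (restrict device code flow to the identities that need it, and hunt for device code sign-ins outside that set) as an added example, not code from the article or from Huntress. The sign-in records are constructed sample data shaped like the Microsoft Graph signIn resource, the allow list and object IDs are placeholders, and the policy body follows the Graph conditionalAccessPolicy schema with the Authentication Flows condition.

```python
# Constructed allow list: the only identities that legitimately use device code
# flow in this hypothetical tenant (e.g. a service account on a headless agent).
ALLOWED_DEVICE_CODE_USERS = {"buildbot@example.com"}

# Constructed sample sign-in records (not real log data). Field names mirror
# the Graph signIn resource: authenticationProtocol is "deviceCode" for the flow
# abused by this campaign, status.errorCode is 0 for a successful sign-in.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-02T08:11:04Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T08:15:31Z", "userPrincipalName": "buildbot@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "appDisplayName": "Azure CLI", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T08:20:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.8",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T08:25:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
]


def suspicious_device_code_signins(signins, allowed_users):
    """Return successful device code sign-ins by users not on the allow list."""
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # interactive/browser sign-in, not this flow
        if s.get("userPrincipalName", "").lower() in allowed_users:
            continue  # identity is permitted to use device code flow
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: worth alerting on separately, not a compromise
        hits.append(s)
    return hits


def device_code_users_by_ip(signins):
    """Map source IP -> set of users that completed device code sign-ins from it.
    Many distinct users behind one IP is the shared-backend pattern described above."""
    by_ip = {}
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode" and s["status"]["errorCode"] == 0:
            by_ip.setdefault(s["ipAddress"], set()).add(s["userPrincipalName"])
    return by_ip


def block_device_code_policy(excluded_user_ids):
    """Build a Graph conditionalAccessPolicy body that blocks device code flow for
    everyone except the given user object IDs (placeholder GUIDs in the test)."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",  # switch to "enabled" after review
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```

Start the policy in report-only mode, check the sign-in report for legitimate device code users it would have blocked, then move those identities to the exclusion list before enforcing.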
References
- Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure
- AI-powered phishing campaign compromises hundreds of organizations
- Huntress Blocks Device Code Phishing from Railway Infrastructure