Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse

2026-03-25

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

This article covers an active device code phishing campaign abusing Microsoft 365's OAuth device authorization flow to compromise organizations across five countries.

•Over 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany have been targeted since February 19, 2026
•Attackers exploit the OAuth device code flow to obtain access and refresh tokens that remain valid even after the victim's password is reset
•The attack chain abuses legitimate redirect services from Cisco, Trend Micro, and Mimecast, then routes victims through Cloudflare Workers and Railway.com infrastructure to harvest credentials
•A phishing-as-a-service platform called EvilTokens, debuted on Telegram, has been attributed as the orchestrator behind the Railway-hosted attacks
•

Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture