Arctic Wolf has recently observed a phishing campaign targeting Microsoft 365 that abuses the OAuth device code flow to trick victims into providing authentication codes. Threat actors use Railway’s Platform-as-a-Service (PaaS) infrastructure (a trusted cloud platform with valid IP addresses) to host attack components, allowing the activity to blend in with normal traffic. This enables threat acto...
This phishing campaign represents a sophisticated evolution in credential theft, exploiting trust in legitimate infrastructure and authentication flows. The use of Railway’s PaaS and Microsoft’s own login endpoints demonstrates how threat actors weaponize familiarity and technical compliance to bypass defenses. The device code flow, designed for limited-input devices, is repurposed as a vector for persistent access, highlighting a systemic vulnerability in OAuth implementations. The campaign’s s...
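As an added example (not code from Arctic Wolf's advisory), the following Python flags completed device code sign-ins in Microsoft 365 sign-in records and ranks each one by whether the source IP already appears in that user's interactive sign-in history; the records are constructed sample data shaped like Microsoft Entra ID sign-in log entries (the `authenticationProtocol` value `deviceCode` is the real field that marks this flow, while the flattened `status` code and all user, app and IP values are invented).

```python
"""Flag Microsoft 365 sign-ins that completed via the OAuth device code flow.

Constructed example. The records mimic the shape of Microsoft Entra ID
sign-in log entries; `authenticationProtocol == "deviceCode"` is the real
marker for this flow, the rest of the values are invented sample data.
"""
from collections import defaultdict

# Constructed sample records: an interactive login, a device code login from
# an IP the same user has used interactively, a device code login from an IP
# never seen for that user, and a failed device code attempt (status != 0).
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.10", "status": 0},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.10", "status": 0},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "status": 0},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "status": 50126},
]

def known_ips(records):
    """Map each user to the IPs seen on successful non-device-code sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r["status"] == 0 and r["authenticationProtocol"] != "deviceCode":
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen

def device_code_alerts(records, expected_apps=()):
    """Return (user, app, ip, severity) for every successful device code sign-in.

    severity is "high" when the source IP has no interactive sign-in history for
    that user, otherwise "medium"; apps listed in expected_apps (CLI tools a team
    legitimately uses this flow with) are still reported, at "low", so the
    baseline of normal device code usage stays visible to the analyst.
    """
    baseline = known_ips(records)
    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"] != 0:
            continue  # only completed device code logins matter for this check
        user, app, ip = r["userPrincipalName"], r["appDisplayName"], r["ipAddress"]
        if app in expected_apps:
            severity = "low"
        elif ip not in baseline.get(user, set()):
            severity = "high"
        else:
            severity = "medium"
        alerts.append((user, app, ip, severity))
    return alerts

if __name__ == "__main__":
    for alert in device_code_alerts(SIGN_INS, expected_apps={"Microsoft Azure CLI"}):
        print(alert)
```

In a real deployment the same logic runs over exported Entra sign-in logs rather than the inline list, and the "high" tier is the one worth routing to an analyst first.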
