Device code phishing bypasses MFA — 340+ M365 organizations compromised
The EvilTokens platform steals M365 tokens that survive password resets. Here is how to block the attack in Conditional Access.
Since February 2026, a phishing campaign has hit over 340 Microsoft 365 organizations across five countries. The campaign uses a PhaaS platform called EvilTokens and exploits the OAuth device code flow to steal refresh tokens. The worst part? MFA does not help. The victim completes the MFA challenge themselves, on behalf of the attacker.
Huntress reported on March 23 that they had blocked 113 attempts in addition to the ~350 confirmed compromises. The infrastructure runs on Railway.com, a PaaS platform that makes it trivial to spin up phishing servers.
How the attack works
The attacker sends a message — often via Teams or email — asking the victim to "verify their account" by entering a code at microsoft.com/devicelogin. The victim logs in, completes MFA, and thinks everything is normal. But the code belongs to the attacker's session. Result: the attacker gets a refresh token with full access to the M365 environment.
Refresh tokens survive password resets. Changing your password does not stop the attacker.
What you should do today
Three things, in priority order:
1. Block the device code flow. In Entra ID → Conditional Access → create a policy with the "Authentication flows" condition → block "Device code flow". Most SMB organizations do not use this flow and will not notice any difference.
2. Block Railway's IP ranges. Add 162.220.232.0/22 and 162.220.234.0/22 as blocked named locations in Conditional Access. Any successful sign-in from these ranges is a confirmed compromise.
3. Enable Continuous Access Evaluation (CAE). CAE reduces token revocation latency from about an hour to minutes. It makes a real difference during incident response.
If you have already been hit: revoke all refresh tokens for affected users immediately via the Entra ID portal.
How HaggeBurger can help
We offer an "OAuth Security Health Check" — a 2-hour review where we block the device code flow, configure CAE, search sign-in logs for compromise indicators, and review OAuth app consents in your tenant.
Want us to check your environment? Get in touch.
References: Huntress — Railway PaaS M365 Token Campaign, The Hacker News — Device Code Phishing