EvilTokens PhaaS Abuses Railway PaaS for M365 Attacks

by CyberNewsAI Admin
Threat Intelligence, Cloud Defense, Data Breaches

Executive Summary

Huntress is tracking a high-velocity, multi-faceted phishing campaign targeting Microsoft 365 identities across more than 340 organizations. The activity began in February 2026, accelerated in March 2026, and has been attributed to the EvilTokens Phishing-as-a-Service (PhaaS) platform. The operator uses the Railway.com Platform-as-a-Service (PaaS) to stand up ephemeral token-harvesting infrastructure. The primary attack vector is device code phishing, which abuses the OAuth 2.0 device authorization grant to obtain long-lived access and refresh tokens, effectively sidestepping multi-factor authentication: the victim completes MFA on a genuine Microsoft page, and the attacker receives the tokens that sign-in produces. The campaign is notable for its operational scale, lure diversity, and use of redirect chains through legitimate services to evade security controls.

Threat Actor & Attribution

EvilTokens Phishing-as-a-Service (PhaaS)

This campaign has been attributed to the EvilTokens PhaaS platform. First advertised on the NOIRLEGACY GROUP Telegram channel, EvilTokens became publicly active around February 16, 2026, coinciding with the initial compromises observed by Huntress. The service provides threat actors with a suite of tools including a “B2B Sender,” an “Office 365 Capture Link,” and an “SMTP Sender.” The platform boasts AI-powered workflows to bypass email filters and tailor phishing lures, and provides customers with a dashboard of open redirect links to obfuscate attack infrastructure.

Key Findings

Finding: PaaS Abuse for Attack Infrastructure

The adversary is leveraging the Railway.com PaaS provider to host its token replay and harvesting engine. By using a legitimate developer platform, the actor benefits from a clean IP reputation, as Microsoft Identity Protection does not inherently score logins from these ranges as risky. The observed attack traffic originates from a narrow block of Railway.com IPs, indicating a small number of deployed applications rather than a distributed botnet. The PaaS model allows the actor to rapidly deploy and tear down infrastructure with minimal friction.

Finding: Device Code Phishing Vector

The core TTP is device code phishing, which abuses a legitimate Microsoft authentication flow designed for input-constrained devices. The actor requests a device code for a client of their choosing and tricks the victim into entering the accompanying short user code at the genuine microsoft.com/devicelogin endpoint. Once the victim completes sign-in, MFA included, the attacker's backend polls the token endpoint and receives the resulting OAuth access and refresh tokens. By default a refresh token stays usable for up to 90 days of inactivity, and that access should be assumed to survive a password reset unless the user's sessions are explicitly revoked. A notable refinement in this campaign is rendering the user code (the part the victim must type) directly on the phishing landing page, which removes a step for the victim.
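The exchange described above, as an added example that is not part of the original page and not the EvilTokens code: a simulation of the RFC 8628 device authorization grant in which the party that requested the code (the attacker's backend) is the only party that can redeem it, while the victim only ever sees the short user code on a genuine-looking verification page. The authorization server, clock, client ID, codes, tokens and victim identity are all constructed so the script runs offline; the error strings (authorization_pending, slow_down, expired_token, invalid_grant) are the ones the RFC and Microsoft's token endpoint use.

```python
"""Walk through the OAuth 2.0 device authorization grant (RFC 8628) that device
code phishing rides on, against a simulated authorization server.  Added
example, not code from the page or from the EvilTokens kit: endpoint behaviour
follows the RFC, but every code, token, lifetime and identity is constructed."""
import secrets
import string


class FakeClock:
    """Deterministic clock so the polling loop runs instantly (constructed)."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SimulatedAuthServer:
    """In-memory stand-in for the /devicecode and /token endpoints."""
    VERIFICATION_URI = "https://microsoft.com/devicelogin"

    def __init__(self, clock, interval=5, expires_in=900):
        self.clock, self.interval, self.expires_in = clock, interval, expires_in
        self._pending = {}        # device_code -> request record
        self._by_user_code = {}   # user_code -> device_code

    def device_code(self, client_id, scope):
        """POST /devicecode: the CLIENT (here the attacker backend) receives
        both the secret device_code and the short user_code shown to the victim."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved_by": None, "issued": self.clock(), "last_poll": float("-inf"),
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.VERIFICATION_URI,
                "expires_in": self.expires_in, "interval": self.interval}

    def user_signs_in(self, user_code, upn):
        """The VICTIM's side: type the user_code on the verification page and
        complete MFA.  Nothing here reveals who requested the code."""
        device_code = self._by_user_code.get(user_code)
        if device_code not in self._pending:
            return False
        self._pending[device_code]["approved_by"] = upn
        return True

    def token(self, client_id, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - rec["issued"] > self.expires_in:
            del self._pending[device_code]
            return {"error": "expired_token"}
        too_fast = now - rec["last_poll"] < self.interval
        rec["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        del self._by_user_code[rec["user_code"]]
        return {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": "at." + secrets.token_hex(8),
                "refresh_token": "rt." + secrets.token_hex(8),
                "subject": rec["approved_by"]}


def poll_for_tokens(server, clock, client_id, device_code, interval, max_polls=200):
    """Client-side polling loop: keep polling on authorization_pending, add 5 s
    on slow_down (RFC 8628 section 3.5), stop on success or any other error."""
    for _ in range(max_polls):
        clock.advance(interval)
        resp = server.token(client_id, device_code)
        err = resp.get("error")
        if err not in ("authorization_pending", "slow_down"):
            return resp
        if err == "slow_down":
            interval += 5
    return {"error": "gave_up"}


def run_phish_scenario(victim_enters_code=True):
    """End to end: attacker requests a code, the lure shows the user_code, the
    victim signs in (or does not), the attacker's poller collects the tokens.
    Returns the first poll result and the final one."""
    clock = FakeClock()
    server = SimulatedAuthServer(clock)
    client_id = "00000000-0000-0000-0000-000000000000"   # placeholder client
    init = server.device_code(client_id, "openid offline_access User.Read")
    first = server.token(client_id, init["device_code"])   # victim has not acted yet
    if victim_enters_code:
        clock.advance(120)                                  # victim reads the lure
        if not server.user_signs_in(init["user_code"], "victim@example.com"):
            raise RuntimeError("user code not recognised")
    final = poll_for_tokens(server, clock, client_id, init["device_code"], init["interval"])
    return first, final
```

The point to take from the simulation is in token(): the grant is redeemed by client_id plus device_code, neither of which the victim ever handled, so the tokens (scoped to whatever the attacker asked for, including offline_access for a refresh token) land with the poller no matter who typed the user code.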

Finding: Sophisticated Multi-Hop Delivery Chain

To evade email security gateways, the attacker utilizes multi-hop redirect chains (2-5 hops). Malicious links are frequently wrapped in legitimate URL rewriter services from security vendors like Cisco Secure Email, Trend Micro URL Protection, and Mimecast URL Protection. These chains also traverse compromised websites and legitimate platforms such as Vercel and Cloudflare Workers, making it difficult to block the attack based on any single URL or domain reputation.

Finding: Diverse and Automated Lure Generation

The campaign features an unprecedented diversity of phishing lures, with no two messages being identical. This variance, which includes themes like construction bid proposals, DocuSign requests, and voicemail notifications, suggests the use of automation or AI to generate personalized lures at scale. This tactic significantly degrades the effectiveness of signature-based email filtering. The actor also abused the Microsoft Dynamics 365 “Customer Voice” feature, using customervoice.microsoft.com URLs to initiate the phishing flow.

Finding: Curated User Agent Spoofing

The authentication requests originating from Railway.com use a curated set of User Agent (UA) strings to mimic a realistic enterprise browser population. The Windows UAs report a current Windows 11 build (OS/10.0.26200, the 25H2 build) and rotate between Chrome and Edge. One notable anomaly is a synthetic iPhone UA claiming iOS 18.7 together with Safari Version/26.3; Safari 26.x ships only with iOS 26, so that pairing cannot occur on a real device and is a high-fidelity detection opportunity.

Impact & Scope

Scale of Compromise

As of late March 2026, the campaign has impacted over 340 organizations across the United States, Canada, Australia, New Zealand, and Germany. The first case was observed on February 19, 2026, with a significant spike in activity starting on March 2, 2026.

Targeted Sectors

The actor has targeted a wide range of sectors, with a significant focus on industries handling sensitive financial and legal data. Key targets include:

  • Law Firms (18 organizations)
  • Construction & Trades (26 organizations)
  • Real Estate (14 organizations)
  • Finance & Insurance (12 organizations)
  • Healthcare (11 organizations)
  • Government & Public Safety (8 organizations)

Mitigation & Response

Immediate Actions

  • Hunt for Malicious Logins: Query sign-in logs for any successful authentications from the Railway.com IP ranges listed in the IOCs (in Microsoft Graph sign-in records, filter on ipAddress with status.errorCode equal to 0; the authenticationProtocol field reads deviceCode for this grant). If the organization has no legitimate use of Railway.com, treat any successful login as a confirmed compromise.
  • Revoke User Sessions: For any identified compromised accounts, immediately revoke all refresh tokens. Revoke-AzureADUserAllRefreshTokens belongs to the retired AzureAD module; the Microsoft Graph PowerShell equivalent is Revoke-MgUserSignInSession -UserId <user>, and the same action is available in the Microsoft Entra admin center. Access tokens already issued remain valid until they expire (by default roughly an hour) unless the client and resource support Continuous Access Evaluation, so revocation alone does not end access instantly.
  • Block Malicious IPs: Implement a Conditional Access policy that blocks authentications from the known Railway.com CIDR block (defined as a named location) if no legitimate business use exists for the service.

Strategic Hardening

  • Restrict Device Code Flow: If not required for business operations, block the device code flow entirely with a Conditional Access policy that uses the Authentication flows condition (transfer method: device code flow) and a Block grant, scoped to all users and all cloud apps. If it is required, keep the tenant-wide block and exempt only the specific named users, groups or locations that need it, and keep that exception list short.
  • Enforce Device Compliance: Require a compliant device for access to critical applications such as Exchange Online and SharePoint Online. The token request in a device code attack comes from the attacker's client, not from a managed device, so the grant fails the policy.
  • Enable Continuous Access Evaluation (CAE): CAE cuts token revocation latency from the access token's remaining lifetime (roughly an hour) to near real-time for CAE-capable clients and resources (Exchange Online, SharePoint Online, Teams and Microsoft Graph), limiting how long a stolen token stays usable after revocation.
  • User Training: Educate users on the specific threat of device code phishing, emphasizing that even authenticating on a legitimate Microsoft page can be malicious if initiated from a phishing lure.
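A check for the hardening steps above, added here and not taken from Huntress or Microsoft: it audits an exported list of Conditional Access policies for an enforced, tenant-wide block of the device code flow, and reports the two common gaps (no policy at all, or a policy left in report-only mode). The policy objects follow the Microsoft Graph conditionalAccessPolicy shape (state, conditions.authenticationFlows.transferMethods, conditions.users, conditions.applications, grantControls.builtInControls); the three sample tenants are constructed and the excluded object ID is a placeholder.

```python
"""Audit exported Conditional Access policies for an enforced, tenant-wide
block of the device code flow.  Added example (not Huntress's or Microsoft's
code).  Policy objects mirror the Microsoft Graph conditionalAccessPolicy
resource; the sample tenants are constructed and the object ID is a placeholder."""


def _block_device_code_policy(state, exclude_users=()):
    """The recommended policy in Graph JSON form (helper for the samples)."""
    return {
        "displayName": "Block device code flow",
        "state": state,  # "enabled" | "disabled" | "enabledForReportingButNotEnforced"
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            # Authentication flows condition: a flags enum serialised as a
            # comma-separated string, e.g. "deviceCodeFlow,authenticationTransfer"
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed tenant exports, in the shape Get-MgIdentityConditionalAccessPolicy returns.
MFA_ONLY = {
    "displayName": "Require MFA for all users", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "authenticationFlows": None},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
WEAK_TENANT = [MFA_ONLY]                                   # the flow is not addressed at all
REPORT_ONLY_TENANT = [MFA_ONLY, _block_device_code_policy("enabledForReportingButNotEnforced")]
HARDENED_TENANT = [MFA_ONLY, _block_device_code_policy(
    "enabled", exclude_users=["00000000-0000-0000-0000-000000000001"])]  # placeholder break-glass ID


def targets_device_code(policy):
    """True if the policy's Authentication flows condition names deviceCodeFlow."""
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    methods = flows.get("transferMethods") or ""
    return "deviceCodeFlow" in [m.strip() for m in methods.split(",")]


def blocks_device_code_tenant_wide(policy):
    """Enforced, includes all users and all apps, targets the flow, grant is Block.
    Exclusions are allowed here and reported separately by audit_device_code_flow."""
    cond = policy.get("conditions", {})
    return (policy.get("state") == "enabled"
            and targets_device_code(policy)
            and cond.get("users", {}).get("includeUsers") == ["All"]
            and cond.get("applications", {}).get("includeApplications") == ["All"]
            and "block" in policy.get("grantControls", {}).get("builtInControls", []))


def audit_device_code_flow(policies):
    """Return (blocked_tenant_wide, notes) for a list of policy objects."""
    notes = []
    enforced = [p for p in policies if blocks_device_code_tenant_wide(p)]
    if not enforced:
        notes.append("no enforced tenant-wide policy blocks deviceCodeFlow")
    for p in policies:
        if targets_device_code(p) and p.get("state") != "enabled":
            notes.append(f"'{p['displayName']}' targets deviceCodeFlow but is "
                         f"{p.get('state')}, i.e. not enforced")
    for p in enforced:
        users = p["conditions"]["users"]
        exempt = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        if exempt:
            notes.append(f"'{p['displayName']}' exempts {len(exempt)} user(s)/group(s); "
                         "confirm each exception is deliberate")
    return bool(enforced), notes
```

Feed it the output of Get-MgIdentityConditionalAccessPolicy (Microsoft Graph PowerShell) converted to JSON. The report-only tenant is the case to watch for: a policy created in report-only mode to measure impact and never switched to enabled does nothing to the attacker's token request.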

Indicators of Compromise (IOCs)

Malicious IP Addresses

  • 162.220.234[.]41 (Dominant token attack engine)
  • 162.220.234[.]66 (Secondary token attack engine)
  • 162.220.232[.]57
  • 162.220.232[.]99
  • 162.220.232[.]235

Malicious CIDR Blocks

  • 162.220.232[.]0/22 (covers 162.220.232.0 through 162.220.235.255, which includes all five addresses above)
  • 162.220.234[.]0/22 (as published; this is not a valid /22 boundary and normalizes to the same 162.220.232[.]0/22 block, so a single rule for that block is sufficient)

Behavioral IOCs

  • Authentication Signal: Sign-in logs showing cmsi:cmsi from a Railway.com Autonomous System (AS) IP address is a high-confidence indicator of device code authentication. In Entra ID sign-in records the Authentication Protocol field (authenticationProtocol in Microsoft Graph) reads Device code for this grant.
  • User Agent Anomaly: Look for authentications from cloud provider IP ranges whose User Agent string reports iPhone OS 18 together with Safari Version/26.x, a combination no real device produces.
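A triage pass over exported sign-in events, serving both the hunt step under Immediate Actions and the behavioral IOCs above. This is an added example, not Huntress's tooling: field names follow the Microsoft Graph signIn resource (ipAddress, status.errorCode, authenticationProtocol, userAgent), the four events are constructed, and the users and the non-Railway IPs are placeholders. It also shows, via normalize_block, why the two published /22s are one block.

```python
"""Triage exported Entra ID sign-in events against the Railway.com IOCs.
Added example, not Huntress's tooling.  Field names follow the Microsoft Graph
signIn resource; the events, users and non-Railway IPs are constructed."""
import ipaddress
import re

# Page IOCs.  162.220.234.0/22 is not on a /22 boundary; normalised it is the
# same block as the first (see normalize_block), so one network suffices.
RAILWAY_BLOCKS = [ipaddress.ip_network("162.220.232.0/22")]
TOKEN_ENGINES = {"162.220.234.41", "162.220.234.66"}

# iOS 18.x cannot run Safari 26: a UA claiming both is synthetic.
UA_ANOMALY = re.compile(r"iPhone OS 18[_.]\d+.*?Version/26\.\d")


def normalize_block(cidr):
    """Canonical network for a possibly misaligned CIDR string."""
    return str(ipaddress.ip_network(cidr, strict=False))


def in_railway_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in RAILWAY_BLOCKS)


def triage_signin(event):
    """Return the reasons this event needs action (empty list = nothing to do)."""
    reasons = []
    ip = event.get("ipAddress", "")
    success = event.get("status", {}).get("errorCode", 0) == 0
    railway = bool(ip) and in_railway_range(ip)
    if railway and success:
        tag = "known token engine" if ip in TOKEN_ENGINES else "Railway.com range"
        reasons.append(f"CONFIRMED: successful sign-in from {ip} ({tag})")
        if event.get("authenticationProtocol") == "deviceCode":
            reasons.append("device code grant redeemed from attacker infrastructure")
    elif railway:
        reasons.append(f"failed attempt from Railway.com range {ip}")
    if UA_ANOMALY.search(event.get("userAgent", "")):
        reasons.append("synthetic user agent: iOS 18 paired with Safari 26.x")
    return reasons


def triage(events):
    """Map each user with findings to their reasons, CONFIRMED compromises first."""
    hits = {}
    for e in events:
        reasons = triage_signin(e)
        if reasons:
            hits.setdefault(e["userPrincipalName"], []).extend(reasons)
    return dict(sorted(hits.items(),
                       key=lambda kv: not any(r.startswith("CONFIRMED") for r in kv[1])))


# Constructed sample records (Windows UA as seen from the engines; iOS UA as the anomaly).
WIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0")
IOS_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/26.3 Mobile/15E148 Safari/604.1")
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-02T14:03:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "162.220.234.41", "status": {"errorCode": 0},
     "authenticationProtocol": "deviceCode", "userAgent": WIN_UA},
    {"createdDateTime": "2026-03-02T14:05:40Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "162.220.232.99", "status": {"errorCode": 50126},
     "authenticationProtocol": "deviceCode", "userAgent": WIN_UA},
    {"createdDateTime": "2026-03-03T09:12:02Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.25", "status": {"errorCode": 0},
     "authenticationProtocol": "oAuth2", "userAgent": WIN_UA},
    {"createdDateTime": "2026-03-03T09:20:45Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0},
     "authenticationProtocol": "deviceCode", "userAgent": IOS_UA},
]
```

Every user that comes back with a CONFIRMED reason goes straight to session revocation (Revoke-MgUserSignInSession -UserId <user>) and password reset; a failed attempt from the range still tells you which mailbox received the lure, and the UA-only hit is worth a look even when the IP is not in the Railway block, since the page notes the actor's infrastructure is ephemeral.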
