HUGE AI-powered Microsoft Account phishing campaign


A detailed look at a large-scale AI-powered phishing campaign that targets Microsoft 365 accounts by abusing device code authentication. The campaign, attributed to a phishing-as-a-service operation called 'Evil Tokens,' hit over 340 organizations globally, starting in late February and exploding in March. The attackers use AI to generate unique, personalized phishing lures for each victim and host them on legitimate platforms like Railway and Cloudflare Workers, bypassing email security filters by chaining trusted redirect domains (Cisco, Mimecast, Trend Micro). The technique exploits Microsoft's device code authentication flow to harvest tokens and bypass MFA without the victim realizing it. Threat intelligence firm Flare helped attribute the campaign by monitoring Evil Tokens' Telegram channel, where the group openly sells its tooling with subscription plans, referral programs, and AI-assisted features.

15m watch time
