A new device code phishing attack campaign has compromised over 340 organizations across five countries, including Canada, since February 19, 2026, and the pace is accelerating. Researchers at Huntress, who published their analysis this week, found that multi-factor authentication provides no protection against this attack class. Employees who complete MFA challenges believe they are signing in securely, but they are unknowingly handing attackers persistent access to their Microsoft 365 accounts. For organizations relying on ongoing security awareness training to prepare their workforce, the mechanics of this attack reveal exactly the kind of evolving threat that annual compliance modules were never built to address.
How the Device Code Phishing Attack Works
Microsoft’s OAuth 2.0 device authorization flow was designed for a practical purpose: letting users sign into devices without keyboards, like smart TVs or gaming consoles, by visiting a URL and entering a short code. Attackers have turned this legitimate mechanism into a phishing engine. The attacker requests a device code from Microsoft, then sends the victim an email designed to look like a voicemail notification, a DocuSign signing request, or a construction bid invitation. When the victim clicks the link, the phishing page already displays a valid device code and a “Continue to Microsoft” button that opens the real Microsoft login page at microsoft.com/devicelogin.
The victim signs in, completes the MFA challenge, and believes nothing unusual has happened. But because the device code was generated by the attacker, the resulting authentication tokens are issued to the attacker’s session, not to the victim’s device. Those tokens remain valid even after the account’s password is reset, which means a compromised account can stay compromised even after IT believes the situation has been resolved. This is what makes device code phishing fundamentally different from credential theft: there is no stolen password to change.
Why Canadian Organizations Are in the Crosshairs
Canada is explicitly among the five countries being targeted in the active campaign, alongside the United States, Australia, New Zealand, and Germany. The sectors most affected include financial services, healthcare, legal, government, and non-profits, all categories that hold sensitive data and frequently operate with limited dedicated cybersecurity capacity. This is not incidental. Organizations with fewer security layers between a phishing email and a successful account takeover are more attractive targets, not less.
The threat has also become professionally organized. The campaign is driven by EvilTokens, a phishing-as-a-service platform that appeared on Telegram in February 2026, offering email phishing templates, spam filter bypass tools, and a 24/7 support channel. Earlier waves of device code phishing were attributed to Russian state-aligned groups including Storm-2372 and APT29. The commercialization of the technique means the threat pool now extends well beyond state actors, and any Canadian organization using Microsoft 365 is a viable target.
When MFA Becomes Part of the Attack
This campaign deserves particular attention from anyone responsible for security culture, because it directly weaponizes behaviors that security training created. Employees have been taught for years to trust the Microsoft login page, to complete MFA prompts without hesitation, and to treat the combination of a password plus a one-time code as a reliable signal that a transaction is safe. Device code phishing exploits all three of those learned behaviors simultaneously. The victim does everything right by their training, and still gets compromised.
Huntress researchers noted that phishing pages in this campaign disable right-click functionality, text selection, and developer tools, while detecting open browser developer panels and triggering an infinite debugger loop to block investigation. According to Huntress, just three malicious Railway.com IP addresses account for roughly 84% of observed attack events since mid-February 2026. The infrastructure is tightly coordinated, and it runs through legitimate Microsoft endpoints, giving employees no visible reason to distrust what they are seeing.
Practical Steps for Employees and IT Teams
The behavioral lesson for employees is direct: any email that prompts you to enter a code at a Microsoft login page, when you did not initiate a login yourself, should be treated as suspicious. Legitimate device code flows are initiated by the user on a device they are setting up, not delivered by an incoming email from a vendor or colleague. Employees who receive unexpected prompts to enter codes should contact IT before proceeding, and should feel equally comfortable reporting odd authentication experiences after the fact, without fear of judgment for having completed the flow.
Building that instinct requires training that reflects the current threat landscape. Phishing simulations that include OAuth and device code lures, not just generic email link scenarios, give employees hands-on experience with this exact category of attack before they encounter it for real. A workforce that has seen a simulated device code lure will recognize the pattern when it arrives in their inbox. One that has only practiced spotting classic email phishing will not.
On the technical side, IT teams should audit Microsoft 365 sign-in logs for authentication attempts originating from Railway.com IP addresses, revoke all refresh tokens for any affected accounts rather than simply resetting passwords, and review whether Conditional Access policies can restrict device code flow authentication for users who do not require it. Technical controls treat the symptom. The underlying condition is a workforce that has not been prepared for the specific way this attack exploits familiar processes. A human risk management approach that keeps training current as threats evolve is what closes that gap before the next wave of this campaign reaches a Canadian inbox.
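As an added example (not code from Huntress or from the articles listed below), the log triage, token revocation and Conditional Access steps above, run over constructed Entra ID sign-in records. The sign-in field names, the watched IP range and the Graph policy schema are assumptions; the policy is built in report-only mode first so legitimate device code users surface before enforcement.

```python
import ipaddress

# Constructed sample records shaped like Entra ID sign-in log entries (assumption: the
# export exposes 'authenticationProtocol', 'ipAddress' and 'userPrincipalName').
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.ca", "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2"},
    {"userPrincipalName": "bob@example.ca", "ipAddress": "203.0.113.42", "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "carol@example.ca", "ipAddress": "192.0.2.9", "authenticationProtocol": "deviceCode"},
]
# Constructed placeholder for the hosting-provider ranges the SOC has chosen to watch
# (RFC 5737 documentation space, not real indicators from the campaign).
WATCHED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def in_watched_range(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def triage_device_code_signins(signins, ranges=WATCHED_RANGES):
    """Flag every completed device-code sign-in; raise severity when the source IP is watched."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = ["device code flow completed"]
        if in_watched_range(s["ipAddress"], ranges):
            reasons.append("source IP in watched hosting range")
        findings.append({"user": s["userPrincipalName"], "ip": s["ipAddress"],
                         "severity": "high" if len(reasons) > 1 else "medium",
                         "reasons": reasons})
    return findings

def accounts_to_revoke(findings):
    """Users whose refresh tokens must be revoked; a password reset alone leaves them valid."""
    return sorted({f["user"] for f in findings})

def device_code_block_policy(exclude_group_ids, report_only=True):
    """Conditional Access policy body (Graph schema as assumed here) blocking the device
    code flow for everyone except the excluded groups; start in report-only mode."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": exclude_group_ids},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```

Feed the real sign-in export to triage_device_code_signins, pass every account in accounts_to_revoke to a session revocation, and only switch the policy to enforced after the report-only run shows no legitimate device code users outside the excluded groups.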
Sources
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse | The Hacker News
- OAuth Device Code Phishing Campaigns Surge, Targets Microsoft 365 | Infosecurity Magazine
- CSA Research Note: OAuth Device Code Phishing M365 | Cloud Security Alliance
- Microsoft 365 Accounts Targeted in Wave of OAuth Phishing Attacks | BleepingComputer