Cybersecurity researchers are calling attention to an active device code phishing campaign that's targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany.
The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then.
Notably, the campaign leverages Cloudflare Workers redirects with captured sessions redirected to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway, effectively turning it into a credential harvesting engine.
Construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government are some of the prominent sectors targeted as part of the campaign.
"What also makes this campaign unusual is not just the device code phishing techniques involved, but the variety of techniques observed," the company said.
"Construction bid lures, landing page code generation, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms pages are all hitting the same victim pool through the same Railway.com IP infrastructure."
Device code phishing refers to a technique that exploits the OAuth device authorization flow to grant the attacker persistent access tokens, which can then be used to seize control of victim accounts.