Huntress linked a large-scale Microsoft 365 device-code phishing campaign to the EvilTokens Phishing-as-a-Service ecosystem and to Railway.com PaaS infrastructure, which hosted the token-harvesting backends and scalable phishing tooling. The campaign used multi-hop redirect chains and trusted third-party services (including Cloudflare Workers and email-security URL rewriters) to evade filters, prompting Huntress to block Railway IP ranges and push Conditional Access policies to eligible tenants. #EvilTokens #Railway
Keypoints
- Huntress attributed the Railway-hosted token-harvesting activity to the EvilTokens PhaaS platform, which publicly launched in February 2026 and offers Capture Link, B2B Sender, and SMTP Sender products with AI-assisted features.
- The primary attack technique was device code phishing that harvested OAuth tokens (including refresh tokens valid for up to 90 days). MFA does not stop this flow because the victim satisfies the MFA prompt on the attacker's behalf when completing the device code; per the article the resulting access can also persist through password resets until the tokens themselves are revoked.
- Most authentication abuse originated from a narrow set of Railway IPs (e.g., 162.220.234[.]41 and 162.220.234[.]66), with three IPs accounting for ~84% of observed events.
- Adversaries used multi-hop redirect chains and abused trusted services—email-security URL rewriters (Cisco, Trend Micro, Mimecast), compromised websites, vercel.app/amplifyapp hosts, and Cloudflare workers.dev—to launder links and bypass email filters.
- The campaign targeted 344 organizations across the US, Canada, Australia, New Zealand, and Germany, hitting diverse sectors (construction, law firms, manufacturing, finance, healthcare, government) and showing wide lure variety (RFPs, DocuSign, voicemail, Customer Voice forms).
- Huntress mitigations included blocking Railway CIDR blocks via Conditional Access Named Locations, pushing Conditional Access Policies to eligible tenants, and reporting workers.dev instances to Cloudflare for takedown.
- Detection and response recommendations emphasized hunting sign-ins from Railway IP ranges, revoking refresh tokens for affected users, enabling Continuous Access Evaluation (CAE) so revocation takes effect promptly, restricting or blocking the device code flow where it is not needed, and targeted user training on device-code lures.
MITRE Techniques
- No MITRE ATT&CK techniques are explicitly referenced in the article.
Indicators of Compromise
- [IP Address] Railway token-harvesting infrastructure – 162.220.234[.]41 (primary token engine), 162.220.234[.]66 (secondary token engine)
- [CIDR Block] Recommended perimeter blocking / observed Railway ranges – 162.220.232[.]0/22, 162.220.234[.]0/22 (plus additional reported CIDRs such as 152.55.176[.]0/20 and 2607:99c0::/32)
- [Domain / Platform] Phishing hosting and redirect services used in chains – workers[.]dev (Cloudflare Workers), customervoice.microsoft[.]com (Microsoft Dynamics 365 Customer Voice, a legitimate service abused for lure forms)
- [Third-party services] Legitimate platforms abused for lures – vercel[.]app, amplifyapp[.]com (file-download lures hosted on these platforms)
- [Behavioral authentication IOCs] Indicators in authentication telemetry – cmsi request type (the sign-in step the article associates with a completed device-code authentication), oauth2:token requests paired with the BAV2ROPC user agent (programmatic refresh-token exchange indicating automated/persistent access)
- [User Agent strings] Synthetic or identifying UA patterns used by attacker tooling – iPhone UA with Version/26.x (treat as a pivot rather than a standalone indicator, since current iOS Safari also reports Version/26.x; correlate with source IP and request type), BAV2ROPC UA string (programmatic/scripted access)
Read more: https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign