Researchers at Huntress say a phishing campaign abusing Railway cloud-hosting infrastructure has given attackers access to hundreds of Microsoft cloud accounts. The campaign used AI-generated, highly individualized lures and abused Microsoft’s OAuth device code flow to obtain long-lived tokens, prompting Huntress to push conditional access blocks for Railway domains. #Railway #Microsoft
Key points
- Attackers used Railway’s platform to host bespoke credential-harvesting infrastructure.
- AI-generated, non-repeating phishing lures helped the campaign evade standard email filters.
- The campaign abused Microsoft’s OAuth device code flow: the victim completes a legitimate sign-in, including MFA, and the attacker receives the resulting tokens, valid for up to 90 days, without ever handling a password.
- Huntress observed hundreds of compromises across sectors and detailed 344 victims, while warning the total could be in the thousands.
- Huntress issued a conditional access update blocking Railway domains for 60,000 tenants and says it prevented post-compromise activity for its customers.
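Because the attacker ends up with legitimate tokens, the sign-in itself is the most reliable artifact to hunt for. The Python below is an added example, not Huntress's tooling or anything from the Cyberscoop article: it reads constructed records shaped like Microsoft Entra sign-in log entries (the Graph `signIn` fields `authenticationProtocol`, `ipAddress`, `location.countryOrRegion`, `status.errorCode`), lists every successful device-code sign-in, and flags those coming from a country the user has never signed in from through a normal (non-device-code) flow. The sample data, user names and IPs are invented for the example.

```python
"""Hunt for device-code-flow sign-ins in Microsoft Entra sign-in logs.

Added example. SAMPLE_SIGNINS is constructed test data mirroring the Graph
`signIn` resource fields; it is not real log data from the campaign.
"""
import json
from collections import defaultdict

# Constructed JSON-lines records: one normal sign-in per user, then device-code
# sign-ins from a new country (alice), the same country (bob) and a failed one (carol).
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-03-01T08:00:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"authorizationCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-02T09:15:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-01T10:00:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"authorizationCode","ipAddress":"203.0.113.20","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-02T11:30:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.21","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-02T12:00:00Z","userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.9","location":{"countryOrRegion":"DE"},"status":{"errorCode":50126}}
"""


def parse_signins(raw):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def successful(record):
    """Entra reports errorCode 0 for a completed sign-in."""
    return record.get("status", {}).get("errorCode", -1) == 0


def country_of(record):
    return record.get("location", {}).get("countryOrRegion")


def device_code_signins(records):
    """Every successful sign-in that used the device code grant."""
    return [
        r for r in records
        if successful(r) and r.get("authenticationProtocol") == "deviceCode"
    ]


def flag_anomalous_device_code(records):
    """Device-code sign-ins from a country absent from the user's normal-flow baseline.

    The baseline is built only from successful sign-ins that did NOT use the
    device code grant, so a phished token cannot whitelist itself.
    """
    baseline = defaultdict(set)
    for r in records:
        if successful(r) and r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(country_of(r))

    findings = []
    for r in device_code_signins(records):
        upn = r["userPrincipalName"]
        country = country_of(r)
        if not baseline[upn]:
            reason = "no prior non-device-code sign-in to compare against"
        elif country not in baseline[upn]:
            reason = f"country {country} not in baseline {sorted(baseline[upn])}"
        else:
            continue  # same country as the user's normal sign-ins; low signal
        findings.append({
            "user": upn,
            "ip": r.get("ipAddress"),
            "country": country,
            "time": r.get("createdDateTime"),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    print(f"{len(device_code_signins(recs))} successful device-code sign-ins")
    for f in flag_anomalous_device_code(recs):
        print(f"{f['time']} {f['user']} from {f['ip']} ({f['country']}): {f['reason']}")
```

Run against an export of SigninLogs the same way; a hit is the moment the victim entered the attacker's code, and the tokens issued then remain usable until they are revoked or the 90-day refresh window lapses. Entra Conditional Access also has an "Authentication flows" condition that can block the device code flow outright for users or apps that have no legitimate need for it.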
Read More: https://cyberscoop.com/huntress-railway-ai-phishing-campaign-compromised-hundreds-of-organizations/