Device Code Phishing Hits 340+ Orgs: What Australian IT Managers Need to Know

The Rapid Escalation of Device Code Phishing in 2026
The cybersecurity landscape for Australian businesses has shifted dramatically in the early months of 2026. On February 19, 2026, security researchers first identified a highly sophisticated phishing campaign targeting Microsoft 365 identities. Since that initial discovery, the threat has moved with alarming speed, catching many traditional security frameworks off guard.
This is not a localized or minor incident. To date, over 340 organisations have been confirmed as victims of this specific campaign. The attack is concentrated across five primary nations: Australia, New Zealand, the United States, Canada, and Germany. For Australian IT managers, this highlights a targeted effort against Western business infrastructures that rely heavily on the Microsoft cloud ecosystem.
A Campaign Moving at Warp Speed
Security researchers at Huntress, who have been tracking the activity closely, report that the campaign is moving at an "accelerated pace." While many phishing waves take months to reach this scale, this operation has scaled to hundreds of organisations in just a few weeks. This rapid expansion suggests that the threat actors behind the campaign are using highly automated tools to identify and exploit targets.
For business owners, the speed of this escalation is the primary concern. Traditional monthly security reviews are no longer sufficient when a threat can compromise an entire organisation within days of its first appearance. Maintaining a proactive cybersecurity posture is now a baseline requirement rather than an optional extra.
Why Australian IT Managers Must Act Now
The geographic focus on Australia and New Zealand is particularly significant. It indicates that local firms are being actively scanned and targeted by the same sophisticated actors hitting major North American and European enterprises. Australian business owners can no longer assume that geographic distance provides any level of "security by obscurity."
The campaign specifically targets Microsoft 365 identities, which are the cornerstone of modern business communication and data storage. By compromising these identities, attackers gain a foothold into sensitive emails, financial records, and internal documents. This makes the current wave of phishing one of the most pressing threats to operational continuity in 2026.
Industry experts emphasize that this campaign requires immediate attention from leadership teams and technical staff alike. As the number of impacted organisations continues to climb, the window for implementing defensive measures is closing. Many companies are turning to managed IT services to provide the round-the-clock monitoring necessary to detect these fast-moving threats.
The insidious nature of this campaign lies in how it bypasses standard expectations of what a "fake" login looks like. To understand why this attack is so successful at tricking even savvy users, we must look at the specific technical flow the attackers are abusing.
Understanding the Mechanics of OAuth Device Code Abuse
The OAuth device authorization flow is a standard industry protocol designed for convenience. It was originally intended to help users sign into their accounts on devices with limited input capabilities, such as smart TVs, printers, or IoT hardware. Instead of forcing a user to type a complex password using a television remote, the device displays a short code and asks the user to enter it on a separate computer or smartphone.
Cybercriminals have identified this legitimate feature as a powerful path for exploitation. In a device code phishing attack, the goal is not to steal a password through a fraudulent website. Instead, the attacker tricks the user into authorizing a session that the attacker already controls. This makes the threat uniquely dangerous for Australian businesses using advanced cloud solutions.
How the Attack Starts: API Manipulation
The process begins with a request initiated by the threat actor. Using automated tools, the attacker makes a cURL request to the Microsoft device code login API to generate a specific code. This request tells Microsoft's servers that a new device is attempting to connect to an account, even though no such device actually exists.
At this point, the generated code is essentially a blank key. As the researchers at Huntress noted, "while that code is useless by itself, once the victim has been tricked into authenticating, the resulting tokens now belong to anyone who knows which device code was used." The attacker simply waits for the victim to perform the heavy lifting of authentication.
The Phishing Phase: Leveraging Trust
To move to the next stage, the attacker sends a phishing message to a target within an organisation. This message directs the user to a legitimate Microsoft authentication page and provides the code generated in the previous step. Because the user is redirected to a genuine Microsoft domain, standard cybersecurity filters and savvy employees often fail to see the red flags.
Once the victim is tricked into authenticating using that code on a legitimate Microsoft page, the authentication process is completed on Microsoft’s own servers. The user believes they are simply verifying a login for a work tool or a new device. In reality, they are providing the final piece of the puzzle that the attacker needs to bypass their security perimeter.
Harvesting Persistent Access Tokens
The final step of the attack involves retrieving the proof of authentication. Once the victim completes the login, the attacker gains access to the resulting tokens via the OAuth token API endpoint. Because the attacker holds the original device code used to start the session, they can now claim the "reward" of the successful login.
This process results in the attacker obtaining a set of session tokens that grant them access to the user's Microsoft 365 data. Huntress explained the danger clearly: "Once the user has fallen victim to the phish, their authentication generates a set of tokens that now live at the OAuth token API endpoint and can be retrieved by providing the correct device code." The attacker essentially hijacks the identity without ever needing to touch the user's actual password.
This sophisticated flow circumvents many of the security assumptions that Australian IT managers rely on daily. Because the authentication takes place on Microsoft’s infrastructure, the tokens generated carry the full weight of a verified user session. This leads to a significant problem for those attempting to remediate the breach after the fact.
Why Traditional Password Resets Fail to Stop This Attack
For most Australian IT managers, the immediate response to a suspected account compromise is a forced password reset. This standard operating procedure is designed to lock out intruders by invalidating their known credentials. However, in the context of the current device code phishing campaign, this common security practice is largely ineffective. The fundamental danger of this method is that it bypasses the password entirely once the initial connection is established.
The primary reason for this failure lies in the nature of OAuth tokens. When a victim is tricked into authenticating via the device code flow, the process generates a set of tokens that live at the OAuth token API endpoint. According to security researchers at Huntress, a significant and alarming fact is that "the tokens remain valid even after the account's password is reset." This means the "key" the attacker holds does not rely on the password they never actually stole.
The Persistence of OAuth Tokens
This attack grants threat actors persistent access tokens, which are designed to keep a user logged in without requiring constant re-authentication. Because these tokens are already validated through a legitimate Microsoft login process, they allow attackers to maintain control over Microsoft 365 accounts for extended periods. This control can continue indefinitely without the need for further user interaction, even if the user updates their security credentials or changes their password multiple times.
By leveraging these persistent tokens, cybercriminals can quietly seize control of victim accounts to monitor communications or exfiltrate data. This level of access is far more dangerous than a simple credential theft because it circumvents the most common security gate: the login screen. Once the tokens are harvested, the attacker is essentially "inside" the session, operating with the same permissions as the legitimate user.
Exploiting Legitimate Infrastructure
Another reason this campaign is so difficult to stop is that the authentication flow happens entirely on legitimate Microsoft infrastructure. When an employee is prompted to enter a code, they are directed to the official Microsoft device login page. There are no suspicious domain names, no misspelled URLs, and no fraudulent websites for a user to identify as a red flag. This technique is insidious because it gives users no reason to suspect anything is amiss during the login process.
Traditional security filters and email gateways also struggle to detect this activity for the same reason. These tools are often configured to trust traffic going to and from official Microsoft endpoints. Because the phishing attempt redirects the session through a "legitimate" flow, it often fails to trigger the automated alerts that would catch a standard credential-harvesting site. For many Australian businesses, this means the first sign of a breach might not appear until long after the tokens have been stolen.
Protecting a modern business requires moving beyond basic credential management. Advanced cloud solutions and identity monitoring are necessary to identify when these tokens are being misused. Relying on a password reset as a primary defense leaves a massive blind spot that sophisticated threat actors are currently exploiting with great success. Understanding the underlying infrastructure used to manage these attacks is the next step in securing your organisation's data.
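To make the two points above concrete (the device code flow described under "Understanding the Mechanics" and the password-reset problem described in this section), here is a small in-memory model of the OAuth 2.0 device authorization grant (RFC 8628) and of token lifetime. It is an added illustration written for this page, not code from Huntress, Microsoft or the campaign; it never contacts a real identity provider. The account, password, client name and the 900-second code lifetime are constructed values, and the `session_epoch` revocation mechanism is a simplification of how an identity provider invalidates refresh tokens. The model follows what the article states: a password reset leaves the issued tokens usable, while an explicit session revocation does not.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) and of
what happens to issued tokens after a password reset versus a session
revocation. Added illustration; the "server" is a dict and the tokens are
random strings. Nothing here talks to Microsoft or any real provider."""
import secrets
import time

DEVICE_CODE_TTL = 900   # RFC 8628 "expires_in" in seconds (constructed value)
POLL_INTERVAL = 5       # RFC 8628 "interval" in seconds (constructed value)


class ToyAuthServer:
    """In-memory stand-in for an identity provider's /devicecode and /token endpoints."""

    def __init__(self):
        self.pending = {}        # device_code -> {"user_code", "client_id", "expires", "user"}
        self.user_codes = {}     # user_code -> device_code (what the victim types in)
        self.passwords = {}      # user -> password; only the interactive login consults this
        self.session_epoch = {}  # user -> counter; bumped by revoke_sessions()
        self.issued = []         # (refresh_token, user, epoch_at_issue)

    # Called by whoever STARTS the flow. For a smart TV that is the TV;
    # in the campaign described above it is the attacker's tooling.
    def device_code_request(self, client_id):
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. 1A2B-3C4D
        self.pending[device_code] = {"user_code": user_code, "client_id": client_id,
                                     "expires": time.time() + DEVICE_CODE_TTL, "user": None}
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "expires_in": DEVICE_CODE_TTL, "interval": POLL_INTERVAL}

    # Called by the USER on the genuine sign-in page: a full, legitimate login
    # (MFA is not modelled, but it would happen here too). The server binds
    # the pending device_code to the account that just authenticated.
    def user_enters_code(self, user_code, user, password):
        if self.passwords.get(user) != password:
            raise PermissionError("bad password")
        device_code = self.user_codes.get(user_code)
        if device_code is None or time.time() > self.pending[device_code]["expires"]:
            return "unknown or expired code"
        self.pending[device_code]["user"] = user
        return "approved for client " + self.pending[device_code]["client_id"]

    # Polled by whoever HOLDS device_code. Note what is checked: only the code.
    # No password, no proof of being the device the user thinks they approved.
    def token_request(self, device_code):
        entry = self.pending.get(device_code)
        if entry is None:
            return {"error": "invalid_grant"}
        if time.time() > entry["expires"]:
            return {"error": "expired_token"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}
        user = entry["user"]
        refresh_token = secrets.token_urlsafe(32)
        self.issued.append((refresh_token, user, self.session_epoch.get(user, 0)))
        del self.pending[device_code]            # a device code is redeemable once
        del self.user_codes[entry["user_code"]]
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": refresh_token, "token_type": "Bearer"}

    # Refresh path: a token is honoured while the user's session epoch is unchanged.
    def refresh(self, refresh_token):
        for issued_rt, user, epoch in self.issued:
            if secrets.compare_digest(issued_rt, refresh_token):
                if epoch != self.session_epoch.get(user, 0):
                    return {"error": "invalid_grant", "error_description": "sessions revoked"}
                return {"access_token": secrets.token_urlsafe(16), "user": user}
        return {"error": "invalid_grant"}

    def reset_password(self, user, new_password):
        # Changes the password only. Neither token_request nor refresh ever
        # consults it, which models the behaviour the article describes.
        self.passwords[user] = new_password

    def revoke_sessions(self, user):
        # Invalidates every refresh token issued before this moment.
        self.session_epoch[user] = self.session_epoch.get(user, 0) + 1


def demo():
    """Walk the flow end to end and report what worked at each stage."""
    idp = ToyAuthServer()
    victim = "alice@example.com.au"                      # constructed account
    idp.passwords[victim] = "hunter2"                    # constructed password
    # 1. A party that never learns the password starts the flow and keeps device_code.
    grant = idp.device_code_request(client_id="MailSyncApp")   # constructed client name
    before = idp.token_request(grant["device_code"])["error"]  # authorization_pending
    # 2. The user, sent the user_code, enters it on the genuine page with real credentials.
    idp.user_enters_code(grant["user_code"], victim, "hunter2")
    # 3. The holder of device_code collects tokens; the password played no part here.
    tokens = idp.token_request(grant["device_code"])
    # 4. Password reset: the refresh token still works.
    idp.reset_password(victim, "new-password")
    after_reset = "access_token" in idp.refresh(tokens["refresh_token"])
    # 5. Explicit session revocation: the refresh token is dead.
    idp.revoke_sessions(victim)
    after_revoke = "access_token" in idp.refresh(tokens["refresh_token"])
    return {"before_approval": before, "after_reset": after_reset, "after_revoke": after_revoke}


if __name__ == "__main__":
    print(demo())
```

The step that matters for incident response is the difference between `reset_password` and `revoke_sessions`: only the second touches anything the refresh path checks. In Microsoft 365 the real-world counterpart of `revoke_sessions` is the Microsoft Graph `revokeSignInSessions` action (exposed in the Graph PowerShell module as `Revoke-MgUserSignInSession`), which invalidates the user's refresh tokens; a password reset alone is the "massive blind spot" the text refers to.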
The Infrastructure: Cloudflare Workers and Railway PaaS
Modern cybercriminals no longer rely solely on shady, blacklisted domains to host their malicious operations. Instead, they are increasingly adopting "living off the cloud" techniques to mask their activities and bypass traditional security perimeters. By hosting their attack infrastructure on high-reputation platforms, they can effectively blend in with legitimate business traffic and stay under the radar for longer periods.
This specific campaign highlights a sophisticated use of Cloudflare Workers and the Railway PaaS platform to facilitate large-scale identity theft. By leveraging these legitimate tools, the threat actors have created a resilient and highly scalable environment that is difficult for automated systems to flag. For Australian IT managers, this represents a significant shift in the technical complexity of phishing delivery.
Leveraging Cloudflare Workers for Stealthy Redirects
The attackers use Cloudflare Workers to manage the initial redirects of their phishing traffic. Cloudflare Workers is a serverless platform that allows developers to run code at the "edge," providing high performance and reliability. In this scenario, it serves as a highly effective shield for the attackers' backend infrastructure, ensuring that the initial point of contact for the victim appears to be a trusted global content delivery network (CDN).
This technique makes the phishing attempts significantly harder to block via standard DNS filtering. Traditional blocklists often rely on identifying and banning malicious domains or IP addresses. However, when the malicious redirect is hosted on a legitimate subdomain of a trusted provider, blocking the entire domain would cause massive collateral damage to legitimate web services. This makes it much easier for the traffic to bypass cybersecurity filters that rely on reputation-based scoring.
Furthermore, using edge computing for redirects allows the attackers to hide the final destination of the traffic until the very last moment. This obfuscation layer prevents security crawlers from easily identifying the credential harvesting site during routine scans. As a result, the malicious links remain active for longer, increasing the likelihood that an employee will eventually click through and provide their credentials.
Railway PaaS: The Credential Harvesting Engine
Once the victim’s session is captured via the Cloudflare redirect, it is sent to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway. Railway is a popular tool among developers for deploying and scaling applications quickly. In the hands of threat actors, it functions as a robust "credential harvesting engine" according to security researchers at Huntress. This environment provides the necessary computing power to handle hundreds of compromised sessions simultaneously.
By using a PaaS provider like Railway, the attackers avoid the need to purchase and manage their own physical or virtual servers, which are easier for law enforcement or security vendors to track and seize. "Notably, the campaign leverages Cloudflare Workers redirects with captured sessions redirected to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway, effectively turning it into a credential harvesting engine," researchers noted. This agility allows the campaign to stay active even if specific individual links are flagged and removed.
Bypassing Signature-Based Security at Scale
Most traditional security tools rely on "signatures"—known patterns of malicious code or behaviour—to identify threats. However, because these attackers are using legitimate cloud solutions, there is no inherently "malicious" signature to detect at the network level. The traffic looks like standard API calls between a user's browser and a trusted cloud provider, which is typical behaviour for modern web applications.
This strategic use of legitimate infrastructure is why the campaign has been able to impact over 340 organisations so rapidly across Australia and other Western nations. By adopting the same tools used by legitimate DevOps teams, the attackers can scale their operations quickly while remaining invisible to signature-based tools. This level of technical orchestration points to a highly professionalised operation rather than an isolated incident by low-level actors.
The technical sophistication of this infrastructure suggests that the actors involved are far from amateurs, with a history of similar activity linked to well-known global threat groups.
A History of State-Aligned Threat Actors and Evolving Waves
While the current wave of attacks targeting Australian businesses intensified in early 2026, the groundwork for these exploits was laid much earlier. Security researchers at Microsoft and Volexity first documented the use of device code phishing in February 2025. This early discovery provided a glimpse into a new frontier of identity-based attacks that bypass traditional password protections. Following those initial reports, Amazon Threat Intelligence and Proofpoint identified subsequent waves, showing that the technique was rapidly becoming a staple in the modern attacker's toolkit.
The history of this threat reveals a worrying trend of adoption by multiple sophisticated entities. Attribution for these campaigns has consistently pointed toward Russia-aligned threat actors with significant technical capabilities. Groups such as Storm-2372, UTA0304, UTA0307, and UNK_AcademicFlare have all been linked to the use of these OAuth-abusing techniques. This shared methodology suggests a level of strategic coordination or "best practice" sharing among state-aligned groups targeting Western infrastructure.
The Involvement of APT29
The participation of APT29 is particularly noteworthy for IT professionals monitoring this situation. APT29 is a well-known, highly disciplined threat actor group typically associated with state-level intelligence gathering. Their move into device code phishing suggests that this is far more than a basic "script-kiddie" operation or a low-level financial scam. Instead, it is a targeted effort by professional threat actors designed to gain deep, persistent access to sensitive cloud environments.
When groups like APT29 are involved, the complexity of the attack usually exceeds what standard automated tools can catch. These actors specialize in remaining undetected while pivoting through a network, making the initial compromise through device codes just the beginning of their operation. For Australian organisations, this underscores the importance of having an advanced cybersecurity strategy that assumes a high level of attacker persistence. Relying on basic security measures is often insufficient when facing adversaries with state-level resources.
From Research Documentation to Global Campaign
The journey from the first documentation in early 2025 to the 340+ organisations impacted today shows how quickly a proof-of-concept can become a global crisis. What began as a technique observed by elite security teams has been weaponized into a high-speed engine for credential harvesting. The evolution of these waves demonstrates that once a vulnerability in a legitimate flow like OAuth is found, state-aligned actors will scale its use until organisations adapt.
Australian business owners must recognise that they are being caught in the crosshairs of global cyber-espionage tactics. The shift from stealing passwords to hijacking persistent tokens is a strategic move intended to keep attackers inside a network even after a security breach is suspected. This historical context makes it clear that the infrastructure used to carry out these attacks is as robust as the groups managing them. Understanding the nature of this threat is the first step toward securing your managed IT environment against future waves.
The sophisticated nature of these state-aligned groups is reflected in the advanced infrastructure, described above, that they use to hide their tracks and scale their operations.
Protecting Australian Microsoft 365 Environments
The rise of device code phishing presents a unique challenge for IT managers across Australia. Most organisations rely on Multi-Factor Authentication (MFA) as their primary line of defence, but this campaign is specifically designed to bypass that protection. Because the user is performing what appears to be a legitimate MFA login, the security system treats the event as a standard, authorised access request. The attacker does not need to break the MFA; they simply wait for the user to complete it and then hijack the resulting session tokens.
The Insidious Nature of the Attack
This campaign is notably insidious because it uses the real Microsoft login flow rather than a fraudulent look-alike website. When an employee follows the phishing prompt, they are interacting with official Microsoft infrastructure. This leaves the user with no reason to suspect a breach is in progress, as all branding and URLs appear completely authentic. Security researchers at Huntress note that "the technique is insidious, not least because it leverages legitimate Microsoft infrastructure to perform the device code authentication flow."
For an IT manager, this means that traditional user training may no longer be enough. Employees are often taught to look for misspelled domains or suspicious layouts, but those red flags are absent here. This creates a significant blind spot in many standard cybersecurity awareness programs. Without specific education on how the OAuth device code flow can be abused, even the most diligent employees can inadvertently grant access to threat actors.
Persistent Access and Long-Term Risk
One of the most critical facts for Australian business owners to understand is the persistence of this threat. Once a victim authenticates using the attacker's code, the resulting tokens are generated and stored at the OAuth token API endpoint. These tokens provide the attacker with ongoing access to the Microsoft 365 environment. Research confirms that these tokens remain valid even after the account's password has been reset, making standard recovery efforts insufficient.
This persistent access allows cybercriminals to maintain control over sensitive accounts for extended periods without needing further interaction from the user. Even if an IT department detects a suspicious login and forces a password change, the attacker may still hold a valid session. This makes the incident response process far more complex than a standard phishing case. It requires a deep understanding of session management and token revocation to fully secure the environment after an encounter.
Maintaining Vigilance in the Australian Landscape
Organisations across the country must stay vigilant as researchers continue to track this active and evolving campaign. The threat actors are shifting their infrastructure to stay ahead of security tools, using platforms like Railway and Cloudflare Workers to manage their operations. This level of sophistication is often associated with state-aligned groups, making it a high-tier threat for local businesses. Relying on basic security settings is no longer enough to protect sensitive corporate data.
As the campaign impacts more organisations in Australia and New Zealand, proactive monitoring of identity flows is essential. Many local firms are finding that managed IT services provide the necessary expertise to detect these advanced identity-based attacks. Maintaining a strong defensive posture requires constant attention to how these sophisticated actors are manipulating trusted cloud services. The history of the groups involved in these attacks, covered above, makes it even clearer why this current wave is so dangerous for the global business community.
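"Proactive monitoring of identity flows" starts with being able to pick device code sign-ins out of the sign-in log and decide which ones warrant a session revocation. The following is an added example written for this page, not tooling from Huntress or Microsoft. The four log records are constructed; their field names (`authenticationProtocol`, `appDisplayName`, `ipAddress`, `location.countryOrRegion`, `status.errorCode`) follow the shape of an Entra ID sign-in log export as an assumption about that format, the value `deviceCode` is assumed to be how that export labels the device code flow, and the expected-country set `{"AU", "NZ"}` is a constructed tenant footprint. The logic generalises the page's point slightly: it ranks every device code sign-in, not just the successful ones, so that failed attempts against other users in the same batch are also surfaced.

```python
"""Rank device-code sign-ins from a batch of sign-in log records and list
the users whose sessions should be revoked. Added example; records and
field names below are constructed / assumed, not a real export."""
import json
from collections import defaultdict

# Constructed sign-in records, one JSON object per line. IPs are from the
# documentation ranges; a non-zero status.errorCode means the sign-in failed.
SAMPLE_LOG = """
{"createdDateTime": "2026-03-02T01:14:09Z", "userPrincipalName": "alice@example.com.au", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.42", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}}
{"createdDateTime": "2026-03-02T01:15:31Z", "userPrincipalName": "alice@example.com.au", "appDisplayName": "Outlook", "authenticationProtocol": "none", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}}
{"createdDateTime": "2026-03-02T02:00:00Z", "userPrincipalName": "bob@example.com.au", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}}
{"createdDateTime": "2026-03-02T02:03:12Z", "userPrincipalName": "carol@example.com.au", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.42", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 50126}}
"""

EXPECTED_COUNTRIES = {"AU", "NZ"}   # assumed: where this tenant's staff normally sign in


def parse_records(text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _country(record):
    return record.get("location", {}).get("countryOrRegion")


def device_code_findings(records, expected_countries=EXPECTED_COUNTRIES):
    """Return one finding per device-code sign-in, with a severity and the reasons.

    high   = succeeded AND at least one extra risk signal (foreign country, or the
             same user also seen from a different country in this batch)
    medium = succeeded, no extra signal (still worth confirming with the user)
    low    = the sign-in failed; useful as an early warning for that user
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(r)

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = ["device code flow used"]
        country = _country(r)
        if country not in expected_countries:
            reasons.append(f"sign-in from {country}")
        if any(o is not r and _country(o) != country for o in by_user[r["userPrincipalName"]]):
            reasons.append("same user also seen from another country in this batch")
        succeeded = r.get("status", {}).get("errorCode", 0) == 0
        if succeeded and len(reasons) > 1:
            severity = "high"
        elif succeeded:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"user": r["userPrincipalName"], "time": r["createdDateTime"],
                         "app": r.get("appDisplayName"), "ip": r.get("ipAddress"),
                         "severity": severity, "reasons": reasons})
    return findings


def users_needing_revocation(findings):
    """Users with a high-severity finding: revoke sessions, do not just reset the password."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    found = device_code_findings(parse_records(SAMPLE_LOG))
    for f in found:
        print(f["severity"].upper(), f["user"], f["time"], f["ip"], "; ".join(f["reasons"]))
    print("revoke sessions for:", users_needing_revocation(found))
```

A device code sign-in on its own is not proof of compromise (the flow has legitimate uses on shared or input-limited devices), which is why the scoring needs a second signal before it recommends revocation. On the constructed batch, Alice's successful device code sign-in from Germany minutes before a normal Australian sign-in is the only high-severity result; Bob's is flagged for follow-up and Carol's failed attempt is recorded as an early warning.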
Sources
- https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html
- https://www.reddit.com/r/SecOpsDaily/comments/1s3a4hn/device_code_phishing_hits_340_microsoft_365_orgs/
- https://www.infosecurity-magazine.com/news/oauth-phishing-campaigns/
- https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
- https://www.paubox.com/blog/phishing-campaigns-abuse-oauth-device-codes-to-access-microsoft-accounts
- https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover
Future-Proof Your Business with OnIT Solutions
Staying on top of AI and technology trends is critical for Australian SMBs. Our team helps you cut through the noise and implement the right solutions for your business. Talk to our AI Strategy team about what today's developments mean for your organisation — or explore our full range of Managed IT Services.
