
Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure

ID: 7c0c6d9a-279a-53a4-acbb-23af613376b7

STIX ID: report--7c0c6d9a-279a-53a4-acbb-23af613376b7

Feed Name: Huntress Blog

Threat Score
75/100

Date Published: 2026-03-23

Date Updated: 2026-04-28

...
...

Huntress documents an active, high-volume device-code phishing campaign that weaponizes Railway.com infrastructure and a separate phishing delivery ecosystem (including workers.dev, compromised sites, and email-security URL rewriters) to harvest Microsoft 365 OAuth tokens across 344 organizations. The report includes IOCs (Railway IP ranges and CIDRs, Cloudflare workers patterns, UA fingerprints), attribution to the EvilTokens phishing-as-a-service platform, detailed detection queries, and remediation guidance such as blocking Railway CIDRs, revoking refresh tokens, and tightening Conditional Access.
