Large-scale device code phishing campaign targets global sectors via OAuth abuse


Cybersecurity firm Arctic Wolf published a report on a widespread phishing campaign targeting organizations across North America and EMEA. The attack, similar to the “Riding the Rails” campaign observed in March, exploits the OAuth 2.0 Device Authorization Grant, commonly known as device code flow, to gain unauthorized access to user accounts.

The campaign affects multiple sectors, including manufacturing, education, government, insurance, finance, and healthcare. Attackers use the Kali365 Live phishing-as-a-service (PhaaS) platform to scale operations and automate attacks.

Victims receive convincing phishing emails containing links or attachments that redirect them to a legitimate Microsoft device login page, where they are instructed to enter a short device code. Because authentication occurs via a trusted provider, no passwords or multi-factor authentication (MFA) codes are stolen. Instead, attackers obtain valid OAuth access and refresh tokens.

The tokens allow attackers to access user mailboxes and carry out further malicious actions. In several cases, attackers created inbox rules to hide security alerts and maintain persistence. In some instances, threat actors registered additional devices within compromised environments.
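As an added example, not code from Arctic Wolf's report: a small Python detection routine that flags successful device code sign-ins and raises the severity when the same account creates an inbox rule shortly afterwards, the persistence step the report describes. The log records are constructed; the field and operation names are modelled on Entra ID sign-in and Exchange mailbox audit logs and should be treated as assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records (field names are assumptions modelled on
# Entra ID sign-in logs; "deviceCode" marks the OAuth device code flow).
SIGNINS = [
    {"user": "alice@example.com", "time": "2026-03-02T09:14:00", "ip": "203.0.113.7",
     "authenticationProtocol": "deviceCode", "status": "success"},
    {"user": "bob@example.com", "time": "2026-03-02T10:00:00", "ip": "198.51.100.4",
     "authenticationProtocol": "authorizationCode", "status": "success"},
]

# Constructed mailbox audit events (operation names are assumptions modelled on
# Exchange audit logging).
AUDIT = [
    {"user": "alice@example.com", "time": "2026-03-02T09:20:00",
     "operation": "New-InboxRule", "detail": "MoveToFolder=DeletedItems;Subject=security alert"},
    {"user": "bob@example.com", "time": "2026-03-02T11:00:00",
     "operation": "MailItemsAccessed", "detail": ""},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def device_code_signins(signins):
    """Return successful sign-ins that used the device code flow."""
    return [s for s in signins
            if s["authenticationProtocol"] == "deviceCode" and s["status"] == "success"]


def correlate_post_compromise(signins, audit, window_hours=24):
    """Pair each device code sign-in with inbox rule creation by the same user
    inside the window; a follow-on rule raises the alert from medium to high."""
    alerts = []
    for s in device_code_signins(signins):
        t0 = parse(s["time"])
        followups = [a for a in audit
                     if a["user"] == s["user"] and a["operation"] == "New-InboxRule"
                     and t0 <= parse(a["time"]) <= t0 + timedelta(hours=window_hours)]
        alerts.append({"user": s["user"], "ip": s["ip"],
                       "severity": "high" if followups else "medium",
                       "inbox_rules": [f["detail"] for f in followups]})
    return alerts
```

In production the same correlation would also take in device registration events, since the report notes attackers enrolling additional devices after obtaining tokens.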

Kali365 Live operates as a multi-tenant PhaaS ecosystem with a three-tier structure: administrators, resellers, and affiliates. The platform supports both device code phishing and adversary-in-the-middle (AitM) techniques. Features include automated lure generation in multiple languages, phishing pages hosted on Cloudflare Workers, and tools for sharing captured tokens.

Affiliates can quickly set up campaigns by paying subscription fees (from $250 for 30 days to $2,000 for 365 days) via cryptocurrency and configuring tools like Telegram bots for notifications. The platform also allows affiliates to generate branded phishing lures impersonating common enterprise services like Adobe Acrobat Sign, DocuSign, and SharePoint.

Security researchers also identified infrastructure linked to the campaign, including an IP address associated with the CLURE phishing kit.

“Since early 2026, device code phishing has scaled rapidly with the emergence of specialized tooling and PhaaS frameworks (such as EvilTokens) that automate lure generation, device-code handling, token polling, and post-compromise activity,” Arctic Wolf says. “Campaigns increasingly leverage cloud infrastructure, disposable front-end domains, and shared backend services to operate multiple concurrent operations while minimizing detection and operational cost.”