TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Huntress

Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure

2026-03-23

ATT&CK techniques detected

18 predictions
T1566.002 Spearphishing Link
98%
"Not a botnet. The phishing infrastructure: a separate ecosystem. Upstream of the Railway token-harvesting engine sits a phishing delivery infrastructure that tells its own story. Based on shared intelligence and analyst observations, several technical signatures appear consiste…"
T1566.002 Spearphishing Link
98%
". The victim's email security stack sees a Cisco or Trend Micro link and passes it. The attacker is not defeating email security; they're using competitors' deployed infrastructure to launder their links and bypass spam filters. Multi-hop redirect chains (2–5 hops) th…"
T1566.002 Spearphishing Link
95%
"The victims were clicking through two or three layers to get to the final stage of the attack. Examples of services seen used in the attacks: - wixsite[.]com - web hosting and creation platform for phishing lure site - www.taskade[.]com - AI app building platform for phi…"
T1566.002 Spearphishing Link
92%
"in bypassing email filtering, tailoring phishing lures, and finding sensitive emails for wire fraud or data exfiltration activities. The EvilTokens dashboard also provides customers with open redirect links to vulnerable domains, through which Cloudflare Workers from the “Office…"
T1566.002 Spearphishing Link
92%
"impacting organizations of all types and sizes, from law firms to construction companies. In our initial analysis of this campaign, we've seen no identical phishing lures or initial domains. While there was some thematic reuse, the variance in lures is unprecedented. Each messa…"
T1111 Multi-Factor Authentication Interception
85%
", the adversary must produce and then provide the code to the victim. By rendering the code directly on the page, likely by some code generation automation, the victim is immediately provided with the code and pretext for the attack. The page prompts the user with a “Continue to…"
T1566.002 Spearphishing Link
84%
"the free tier. Railway effectively hands adversaries a cloud-hosted token harvesting engine that is clean to Microsoft's risk scoring, and whoever is behind this campaign is weaponizing it to full effect. What also makes this campaign unusual is not just the device code phish…"
T1111 Multi-Factor Authentication Interception
83%
". These attempts originated from a narrow block of IP addresses belonging to Railway.com, a PaaS cloud hosting provider most security teams have never had a reason to block. What followed was a multi-day investigation that revealed a technically sophisticated, operationally ma…"
T1566.002 Spearphishing Link
75%
", the EvilToken team has spun up a full 24/7 support team and a support feedback channel, as seen in Figure 8a. They also have customer feedback, as seen in Figure 9a. Figure 8a: EvilTokens support team announcement. Figure 9a: Positive community feedback for the EvilTokens pl…"
T1566.002 Spearphishing Link
72%
"Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure. Acknowledgments: Special thanks to Casey Smith, Tanner Filip, Matt Kiely, and Aaron Deal for their contributions to this investigation and write-up. Update: March 23, 2026. In partnership with o…"
T1556.006 Multi-Factor Authentication
70%
", the adversary must produce and then provide the code to the victim. By rendering the code directly on the page, likely by some code generation automation, the victim is immediately provided with the code and pretext for the attack. The page prompts the user with a “Continue to…"
T1528 Steal Application Access Token
69%
"the free tier. Railway effectively hands adversaries a cloud-hosted token harvesting engine that is clean to Microsoft's risk scoring, and whoever is behind this campaign is weaponizing it to full effect. What also makes this campaign unusual is not just the device code phish…"
T1528 Steal Application Access Token
68%
". These attempts originated from a narrow block of IP addresses belonging to Railway.com, a PaaS cloud hosting provider most security teams have never had a reason to block. What followed was a multi-day investigation that revealed a technically sophisticated, operationally ma…"
T1528 Steal Application Access Token
62%
"valid OAuth tokens — no password required, no MFA to defeat. The set of tokens includes an access token, which is good for immediate resource access, and a refresh token, which is valid for up to 90 days. This technique is documented in Huntress' own research on OAuth device cod…"
T1566.003 Spearphishing via Service
59%
"Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure. Acknowledgments: Special thanks to Casey Smith, Tanner Filip, Matt Kiely, and Aaron Deal for their contributions to this investigation and write-up. Update: March 23, 2026. In partnership with o…"
T1598.003 Spearphishing Link
39%
"The victims were clicking through two or three layers to get to the final stage of the attack. Examples of services seen used in the attacks: - wixsite[.]com - web hosting and creation platform for phishing lure site - www.taskade[.]com - AI app building platform for phi…"
T1584.001 Domains
39%
"The victims were clicking through two or three layers to get to the final stage of the attack. Examples of services seen used in the attacks: - wixsite[.]com - web hosting and creation platform for phishing lure site - www.taskade[.]com - AI app building platform for phi…"
T1111 Multi-Factor Authentication Interception
36%
"the free tier. Railway effectively hands adversaries a cloud-hosted token harvesting engine that is clean to Microsoft's risk scoring, and whoever is behind this campaign is weaponizing it to full effect. What also makes this campaign unusual is not just the device code phish…"

Summary

Railway PaaS is being weaponized as a clean token replay engine in an active AiTM and device code phishing campaign impacting 268+ M365 organizations and 100+ MSPs.