A phishing campaign exploiting Microsoft 365’s OAuth device authorisation flow has compromised accounts at more than 340 organisations across the US, Canada, Australia, New Zealand, and Germany. Non-profits are among the most heavily targeted sectors, alongside real estate, financial services, and healthcare, as reported by The Hacker News. Security firm Huntress first spotted the activity on 19 February 2026 and has linked it to a new phishing-as-a-service platform called EvilTokens.
The attack is clever. Victims receive emails containing links wrapped inside legitimate security vendor redirect services (think Cisco, Trend Micro, and Mimecast) so they sail past spam filters. The link sends users to a real Microsoft sign-in page and asks them to enter a device code. Because the victim completes the sign-in, MFA prompt included, on Microsoft's own page, the attacker's pending device-code request is what receives the resulting persistent access token, so the token bypasses multi-factor authentication entirely. For non-profits running lean IT teams, this is particularly dangerous because the phishing emails look legitimate and the sign-in page actually is legitimate.
If your organisation uses Microsoft 365, check your sign-in logs for any authentication events originating from Railway.com infrastructure — that’s where the attackers are hosting their credential harvesting. Revoke refresh tokens for any accounts that look suspicious, and remind your team that no legitimate service will ever ask them to enter a device code they didn’t request. If you’re unsure how to audit your M365 tenant for signs of compromise, get your IT provider involved now rather than later.
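One way to start the sign-in log audit described above, as an added example that is not the article's, Huntress's or Microsoft's own code: it reads an exported list of Entra ID sign-in events (the Microsoft Graph `signIn` shape, using the `authenticationProtocol`, `status.errorCode`, `ipAddress`, `userPrincipalName` and `createdDateTime` fields) and flags successful device-code sign-ins, ranking those from outside a defender-supplied list of known corporate IP ranges first. The sample events and the `203.0.113.0/24` corporate range are constructed placeholders.

```python
"""Flag Microsoft 365 sign-ins that completed via the OAuth device code flow."""
import ipaddress
import json

# Constructed sample export (not real log data): three events, one of them a
# successful device-code sign-in from outside the corporate address range.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.10",
     "createdDateTime": "2026-02-19T08:01:00Z",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.org", "ipAddress": "198.51.100.77",
     "createdDateTime": "2026-02-19T08:05:00Z",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.org", "ipAddress": "203.0.113.22",
     "createdDateTime": "2026-02-19T08:09:00Z",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
])


def flag_device_code_signins(signins_json, corporate_cidrs):
    """Return successful device-code sign-ins, external-IP ones first.

    Each result carries the user, source IP, timestamp and whether the IP
    fell outside every range in corporate_cidrs (a placeholder allowlist the
    defender supplies; sign-ins from unfamiliar hosting infrastructure are
    the ones to review and, if suspicious, revoke refresh tokens for).
    """
    nets = [ipaddress.ip_network(c) for c in corporate_cidrs]
    flagged = []
    for ev in json.loads(signins_json):
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        if ev.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no token was issued
        ip = ipaddress.ip_address(ev["ipAddress"])
        flagged.append({
            "user": ev["userPrincipalName"],
            "ip": str(ip),
            "time": ev["createdDateTime"],
            "external_ip": not any(ip in n for n in nets),
        })
    # External sources sort before internal ones.
    return sorted(flagged, key=lambda f: not f["external_ip"])


if __name__ == "__main__":
    for hit in flag_device_code_signins(SAMPLE_SIGNINS, ["203.0.113.0/24"]):
        print(hit)
```

Replace the constructed sample with a real export (for example from the Graph `auditLogs/signIns` endpoint) and your own ranges; a hit is a prompt to review, not proof of compromise.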
All IT Services provides cybersecurity monitoring and M365 security hardening for Australian non-profits. If you’d like a review of your current setup, get in touch.
Related Guide
Cybersecurity for Sydney SMBs
Explore our complete guide to protecting your business from cyber threats.
