Riding the Rails: Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure
Threat actors are leveraging the EvilTokens Phishing-as-a-Service platform hosted on Railway.com to conduct large-scale device code phishing campaigns against Microsoft 365 users. By abusing legitimate cloud infrastructure and multi-hop redirect chains, attackers successfully bypass email filtering and MFA to harvest persistent OAuth tokens.
Authors: Casey Smith, Tanner Filip, Matt Kiely, Aaron Deal, Huntress
Source: Huntress
- Domain: cas5-0-urlprotect[.]trendmicro[.]com - Legitimate Trend Micro URL Protection abused as a first-hop wrapper
- Domain: secure-web[.]cisco[.]com - Legitimate Cisco Secure Email URL rewriter abused as a first-hop wrapper
- Domain: url[.]us[.]m[.]mimecastprotect[.]com - Legitimate Mimecast URL Protection abused to wrap an intermediate redirect
- Domain: workers[.]dev - Cloudflare serverless platform abused to host ephemeral device code phishing pages
- User agent: BAV2ROPC - Programmatic user agent indicating automated refresh token exchange, not human interaction
- User agent: iPhone OS 18_7 / Safari Version/26.3 - Synthetic mobile user agent used by the attacker's token replay engine
Key Takeaways
- Threat actors are using the EvilTokens Phishing-as-a-Service (PhaaS) platform to conduct device code phishing at scale.
- The campaign abuses Railway.com PaaS infrastructure to host token harvesting engines, bypassing Microsoft's risk scoring due to clean IP reputation.
- Attackers utilize multi-hop redirect chains, including abusing legitimate email security vendor URL rewriters (Cisco, Trend Micro, Mimecast) and Cloudflare workers.
- The campaign targets Microsoft 365 identities across various sectors, heavily favoring construction and trades with RFP/bid lures.
- Stolen OAuth tokens bypass traditional MFA, granting attackers persistent access via refresh tokens.
Affected Systems
- Microsoft 365
- Microsoft Entra ID
- Exchange Online
- SharePoint
Attack Chain
The attack begins with highly tailored phishing emails, often disguised as construction bids or secure documents, utilizing legitimate email security vendor URL rewriters to bypass initial filters. Victims click through multi-hop redirect chains involving compromised websites and land on a Cloudflare workers.dev page. This page displays a device code and prompts the user to authenticate at the legitimate Microsoft device login endpoint. Once the victim enters the code and authenticates (including MFA), the EvilTokens backend hosted on Railway.com captures the resulting OAuth access and refresh tokens, granting the attacker persistent, MFA-bypassed access to the victim's Microsoft 365 environment.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: Yes
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Microsoft Sentinel
The article provides Microsoft Sentinel KQL queries to hunt for successful interactive logins and programmatic BAV2ROPC token access originating from Railway.com IP space.
Detection Engineering Assessment
- EDR Visibility: Low. The attack primarily occurs at the identity and cloud infrastructure layer (Entra ID, OAuth flows), not on the endpoint itself.
- Network Visibility: Medium. Network logs might show traffic to device login endpoints or redirect chains, but the core token exchange happens between Microsoft and the attacker's cloud infrastructure.
- Detection Difficulty: Moderate. Requires monitoring identity telemetry for specific user agents (BAV2ROPC, synthetic iOS) and correlating successful device code authentications with specific cloud provider ASNs (Railway).
Required Log Sources
- Azure AD Sign-in Logs
- Azure AD Non-Interactive User Sign-in Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for successful device code authentications (ResultType == 0) originating from Railway.com IP ranges (162.220.232.0/22, 162.220.234.0/22). | Azure AD Sign-in Logs | Credential Access | Low |
| Search for non-interactive sign-ins using the 'BAV2ROPC' user agent from unexpected cloud hosting provider IPs, indicating automated token refresh. | Azure AD Non-Interactive User Sign-in Logs | Persistence | Low |
| Identify authentications using synthetic or impossible user agents, such as 'iPhone OS 18_7' paired with 'Version/26.x'. | Azure AD Sign-in Logs | Credential Access | Low |
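The three hunting hypotheses above, implemented as an added example (this is not the Huntress article's KQL) that runs over constructed Sentinel-style sign-in rows; the column names ResultType, IPAddress, UserAgent and AuthenticationProtocol and the "table" tag are assumed to mirror the SigninLogs and AADNonInteractiveUserSignInLogs tables, and every sample row is made up.

```python
import ipaddress
import re

# Railway.com ranges exactly as the hunting hypotheses list them. strict=False is
# needed because 162.220.234.0/22 as published is not aligned to a /22 boundary
# (host bits are set); ipaddress collapses it onto 162.220.232.0/22, which already
# spans 162.220.232.0 - 162.220.235.255.
RAILWAY_CIDRS = [ipaddress.ip_network(c, strict=False)
                 for c in ("162.220.232.0/22", "162.220.234.0/22")]

# Impossible pairing called out on the page: an iOS 18.7 build string with Safari 26.x.
SYNTHETIC_IOS_UA = re.compile(r"iPhone OS 18_7\b.*Version/26\.\d")

def from_cloud_range(ip, cidrs=RAILWAY_CIDRS):
    """True if ip falls inside one of the watched hosting-provider ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # empty or malformed IPAddress column: never a match
        return False
    return any(addr in net for net in cidrs)

def hunt(events, cidrs=RAILWAY_CIDRS):
    """Apply the three hunting hypotheses; returns (hypothesis, event) pairs."""
    hits = []
    for ev in events:
        ua = ev.get("UserAgent", "")
        cloud = from_cloud_range(ev.get("IPAddress", ""), cidrs)
        if (ev["table"] == "SigninLogs" and ev.get("ResultType") == 0
                and ev.get("AuthenticationProtocol") == "deviceCode" and cloud):
            hits.append(("device code auth from Railway range", ev))
        if ev["table"] == "AADNonInteractiveUserSignInLogs" and ua == "BAV2ROPC" and cloud:
            hits.append(("BAV2ROPC token refresh from Railway range", ev))
        if SYNTHETIC_IOS_UA.search(ua):
            hits.append(("synthetic iOS user agent", ev))
    return hits

# Constructed sample rows (not real telemetry) shaped like Sentinel sign-in tables.
SAMPLE_EVENTS = [
    {"table": "SigninLogs", "ResultType": 0, "IPAddress": "162.220.232.99",
     "AuthenticationProtocol": "deviceCode", "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"table": "AADNonInteractiveUserSignInLogs", "ResultType": 0, "IPAddress": "162.220.234.34",
     "AuthenticationProtocol": "none", "UserAgent": "BAV2ROPC"},
    {"table": "SigninLogs", "ResultType": 0, "IPAddress": "203.0.113.10", "AuthenticationProtocol": "none",
     "UserAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) Version/26.3 Mobile/15E148 Safari/604.1"},
    {"table": "SigninLogs", "ResultType": 50126, "IPAddress": "162.220.232.55",  # failed sign-in: no hit
     "AuthenticationProtocol": "deviceCode", "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"table": "SigninLogs", "ResultType": 0, "IPAddress": "",  # empty IP column: handled, no hit
     "AuthenticationProtocol": "deviceCode", "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]
```

hunt(SAMPLE_EVENTS) flags the first three rows, one per hypothesis, and leaves the failed sign-in and the row with an empty IP column alone.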
Control Gaps
- MFA Bypass via Device Code Flow
- Email Security URL Rewriter Abuse
- Lack of Continuous Access Evaluation (CAE)
Key Behavioral Indicators
- cmsi:cmsi authentication from cloud IPs
- BAV2ROPC user agent
- Synthetic iOS user agents (Version/26.x)
False Positive Assessment
- Low. The specific combination of device code flows, programmatic user agents like BAV2ROPC, and Railway.com IP space is highly indicative of this specific campaign, as legitimate enterprise use of Railway for device code flows is extremely rare.
Recommendations
Immediate Mitigation
- Hunt for and block successful logins from Railway.com IP ranges (162.220.232.0/22, 162.220.234.0/22).
- Revoke all refresh tokens for affected users using Revoke-AzureADUserAllRefreshTokens.
- Block Railway CIDR blocks via Conditional Access Named Locations if no legitimate applications are hosted there.
Infrastructure Hardening
- Block Device Code Authentication Flows in Microsoft 365 using Conditional Access for users who do not require it.
- Require a compliant device for Exchange Online and SharePoint access.
- Enable Continuous Access Evaluation (CAE) to reduce token revocation latency.
User Protection
- Implement strict conditional access policies restricting logins from unmanaged devices.
Security Awareness
- Train end users specifically on device code phishing lures, emphasizing that entering codes into legitimate Microsoft endpoints can still be malicious.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1528 - Steal Application Access Token
- T1550.001 - Use Alternate Authentication Material: Application Access Token
- T1584.004 - Compromise Infrastructure: Server
- T1583.001 - Acquire Infrastructure: Domains
Additional IOCs
- IPs:
  - 162[.]220[.]232[.]99 - Source of SAML authentication abuse
  - 162[.]220[.]232[.]235 - Source of SAML and OAuth token activity
  - 162[.]220[.]232[.]223 - Persistent OAuth activity source
  - 162[.]220[.]232[.]55 - Persistent OAuth activity source
  - 162[.]220[.]234[.]161 - Persistent OAuth activity source
  - 162[.]220[.]234[.]34 - Persistent OAuth activity source
  - 162[.]220[.]232[.]0/22 - Railway.com CIDR block associated with attack infrastructure
  - 162[.]220[.]234[.]0/22 - Railway.com CIDR block associated with attack infrastructure
  - 152[.]55[.]176[.]0/20 - CIDR block recommended for perimeter blocking
  - 208[.]77[.]244[.]0/22 - CIDR block recommended for perimeter blocking
  - 66[.]33[.]22[.]0/23 - CIDR block recommended for perimeter blocking
  - 69[.]46[.]46[.]0/24 - CIDR block recommended for perimeter blocking
  - 69[.]9[.]164[.]0/22 - CIDR block recommended for perimeter blocking
  - 2607:99c0::/32 - IPv6 CIDR block recommended for perimeter blocking
- Domains:
  - customervoice[.]microsoft[.]com - Legitimate Microsoft Dynamics 365 feature abused for phishing lures
  - wixsite[.]com - Web hosting platform abused for phishing lure sites
  - www[.]taskade[.]com - AI app building platform abused for phishing lure sites
  - app[.]usewhale[.]io - Document creation platform abused for phishing lure sites
  - r[.]brandreward[.]com - Link tracking/redirection service abused to hide true link destination
  - 2nco[.]com - URL shortening service abused to hide true link destination
  - track[.]tec35[.]com - Link tracking/redirection service abused to hide true link destination
  - www[.]hits2babi[.]com - Link tracking/redirection service abused to hide true link destination
  - appspot[.]com - Google App Engine abused for phishing lure sites
  - amplifyapp[.]com - AWS Amplify abused for phishing lure sites
  - vercel[.]app - Vercel abused for phishing lure sites
  - amazonaws[.]com - AWS S3 abused for phishing lure sites
- Other:
  - cmsi:cmsi - Indicator of successful device code authentication from Railway AS IP space
  - oauth2:token + BAV2ROPC - Automated refresh token exchange from Railway AS