Threat actors are leveraging the EvilTokens Phishing-as-a-Service platform hosted on Railway.com to conduct large-scale device code phishing campaigns against Microsoft 365 users. By abusing legitimate cloud infrastructure and multi-hop redirect chains, attackers successfully bypass email filtering and MFA to harvest persistent OAuth tokens.