This one’s still active. Since February 19, attackers have compromised 340+ organizations using a Microsoft 365 phishing technique that doesn’t need your password, bypasses MFA, and leaves nothing behind on the victim’s machine.

The trick is device code flow, a legitimate OAuth feature meant for input-constrained devices like TVs and printers. Attackers send a message that looks like a Microsoft prompt, the target enters the attacker's code on the real Microsoft site, and the attacker walks away with a valid OAuth token. Changing your password does not invalidate that token. MFA already fired during the legitimate login, so it doesn’t help you either.

The phishing links run through Railway.com, a real developer platform, so reputation filters let them through. Most security tools aren’t watching for this.

On a single day around March 23, 113 attempted hits were blocked. The volume is going up, not down.

What actually matters:

  • Disable device code flow for users who don’t need it. Most enterprise users don’t.
  • Monitor OAuth consent events in your SIEM.
  • If accounts are compromised, revoking sessions matters more than resetting passwords.
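
A starting point for the monitoring step above, as an added example that is not part of the original post: it hunts Entra ID sign-in records for device code flow authentications by users outside an allow list and tags each hit with the response action (revoke sessions, not just reset the password). It assumes records shaped like Microsoft Graph `signIn` objects (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `location`); the sample events and the allow list are constructed.

```python
# Added example: hunt for device code flow sign-ins in Entra ID sign-in logs.
# Assumes records shaped like Microsoft Graph `signIn` objects (fields such as
# authenticationProtocol, userPrincipalName, ipAddress, location). Sample data is constructed.
from collections import defaultdict

# Constructed sample: three sign-ins, two of them via device code flow.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}},
    {"id": "s2", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}},
    {"id": "s3", "userPrincipalName": "svc-kiosk@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"}},
]

# Constructed allow list: accounts that legitimately use device code flow (kiosks, meeting-room devices).
ALLOWED_DEVICE_CODE_USERS = {"svc-kiosk@example.com"}

def baseline_countries(signins):
    """Countries each user has signed in from through non-device-code flows."""
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            seen[s["userPrincipalName"].lower()].add(s["location"]["countryOrRegion"])
    return seen

def triage_device_code_signins(signins, allowed_users=ALLOWED_DEVICE_CODE_USERS):
    """Flag device-code sign-ins by non-allow-listed users, with reasons and the response action."""
    baseline = baseline_countries(signins)
    findings = []
    for s in signins:
        user = s.get("userPrincipalName", "").lower()
        if s.get("authenticationProtocol") != "deviceCode" or user in allowed_users:
            continue
        reasons = ["device code flow used by a user outside the allow list"]
        country = s.get("location", {}).get("countryOrRegion")
        if country and country not in baseline.get(user, set()):
            reasons.append(f"sign-in country {country} not seen in this user's baseline")
        # A password reset alone leaves the stolen token usable; sessions must be revoked.
        findings.append({"id": s["id"], "user": user, "ip": s.get("ipAddress"),
                         "reasons": reasons, "action": "revoke sign-in sessions, review OAuth consents"})
    return findings

if __name__ == "__main__":
    for finding in triage_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

Feed it the exported sign-in log instead of `SAMPLE_SIGNINS` and the allow list becomes the set of identities you deliberately left device code flow enabled for.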

Read the full breakdown, including what conditional access changes to make tonight.