Riding the Rails: EvilTokens, Railway & the M365 Token Harvest

Casey Smith

Device code phishing at scale is now commoditized, and most defenders haven't caught up. This campaign compromised 340+ organizations and 100+ MSPs without a single stolen password or failed MFA prompt. If your detection strategy relies on spotting fake login pages or bad URLs, this talk will change how you think. We’ll discuss EvilTokens and Railway infrastructure, Telegram channels, impact, mitigation strategies, criminal AI adoption for automation, infrastructure scaling, and more.