
AI Phishing Campaign Hits Hundreds via Railway PaaS
An AI phishing campaign exploiting a legitimate cloud hosting platform has compromised more than 344 organisations, with researchers warning the true victim count could reach into the thousands. The attacks target Microsoft 365 accounts and are evading standard email defences by using AI-generated lures that are unique in every instance.
The campaign centres on Railway, a Platform-as-a-Service provider built to help non-developers deploy web tools and applications. Attackers have weaponised it to host credential-harvesting infrastructure, spinning up phishing pages that funnel victims through a rarely scrutinised part of Microsoft's authentication system.
How the Attack Bypasses MFA
The method at the core of this campaign is known as device code phishing. Microsoft's authentication flow includes a path designed for devices without keyboards, such as smart TVs, printers, and shared terminals. When exploited, this flow allows an attacker to capture a valid OAuth token for the victim's Microsoft account without ever needing a password or passing a multifactor authentication check.
Those tokens remain active for up to 90 days. Once in hand, attackers have persistent access to the victim's Microsoft 365 environment, including email, files, and connected services, with no further credentials required.
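An added detection example (not code from the original article or from any vendor named in it): it scans constructed Entra ID sign-in records, flags device-code sign-ins from identities not expected to use that flow, marks whether the source IP was ever seen for that user before, and lists whose refresh tokens to revoke so a captured token does not stay live for up to 90 days. The field names follow the Microsoft Graph signIn resource; the sample values, the example.test identities and the allow-list are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real logs). Field names follow the
# Microsoft Graph signIn resource; all values are invented for illustration.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "createdDateTime": "2026-03-01T08:00:00Z"},
    {"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "createdDateTime": "2026-03-02T08:00:00Z"},
    {"userPrincipalName": "alice@example.test", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-03-10T14:21:00Z"},
    {"userPrincipalName": "bob@example.test", "ipAddress": "192.0.2.5",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-03-10T14:25:00Z"},
    {"userPrincipalName": "printer-svc@example.test", "ipAddress": "203.0.113.20",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-03-09T09:00:00Z"},
]

# Hypothetical allow-list: identities that legitimately use device code flow
# (kiosks, printers, shared terminals). Everyone else should never need it.
DEVICE_CODE_ALLOWED = {"printer-svc@example.test"}


def find_suspicious_device_code(signins, allowed=DEVICE_CODE_ALLOWED):
    """Return device-code sign-ins that warrant review, oldest first.

    'new_ip' is True when the source IP never appeared in an earlier
    non-device-code sign-in for that user: a phished device code is redeemed
    from the attacker's host, not from the victim's usual network.
    """
    known_ips = defaultdict(set)
    flagged = []
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"]
        if rec.get("authenticationProtocol") == "deviceCode":
            if user not in allowed:
                flagged.append({"user": user, "ip": rec["ipAddress"],
                                "time": rec["createdDateTime"],
                                "new_ip": rec["ipAddress"] not in known_ips[user]})
        else:
            known_ips[user].add(rec["ipAddress"])
    return flagged


def users_to_revoke(flagged):
    """Users whose refresh tokens should be revoked; otherwise they stay valid for up to 90 days."""
    return sorted({f["user"] for f in flagged})


if __name__ == "__main__":
    hits = find_suspicious_device_code(SAMPLE_SIGNINS)
    print(json.dumps(hits, indent=2))
    print("revoke refresh tokens for:", users_to_revoke(hits))
```

Feed it real sign-in exports in the same shape and pair the revocation list with a conditional access policy that blocks device code flow for everyone outside the allow-list.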
The phishing lures delivered in this campaign spanned multiple formats. Some mimicked traditional email notifications, others used QR codes, and some co-opted file-sharing sites to add legitimacy. No two emails or domains were identical, a pattern that strongly suggests AI tools were used to generate them at scale.
A Sudden Surge in Tempo
The campaign was active in early March 2026, compromising a few dozen organisations per day. On March 3, the pace sharply accelerated. By mid-March, researchers were observing more than 50 new compromises per day tied to Railway-hosted domains, with the volume showing no sign of slowing.
Researchers attributed the campaign to a relatively small threat actor operating from approximately a dozen IP addresses. The sophistication on display, however, far outpaced what that profile would typically suggest. The AI phishing campaign generated bespoke lures at a speed and volume that overwhelmed conventional filtering tools, with researchers describing it as though "Pandora's Box had opened."
Because every email and domain differed, commercial email security platforms struggled to identify patterns. Attackers also used compromised domains rather than newly registered ones, further reducing the likelihood of flagging by reputation-based systems.
Who Was Targeted
The 344 confirmed victims represent only the organisations identified through one security vendor's customer base. Researchers believe that figure is a small fraction of the global total.
The affected sectors are broad. Construction and trade companies, law firms, nonprofits, real estate businesses, manufacturers, finance and insurance firms, healthcare providers, and government and public safety organisations all appear among the confirmed victims. No single industry was singled out. The campaign appears to have prioritised volume over vertical targeting.
Railway's Response
Railway became aware of the campaign after being contacted by researchers in early March. The company confirmed it had banned the associated accounts and blocked the relevant domains after being alerted to phishing traffic originating from specific IP addresses.
The platform acknowledged that its fraud detection struggles when attackers deliberately avoid the correlation signals it relies on, such as repeated payment methods, shared code sources, or overlapping infrastructure. When a campaign is designed to evade those patterns from the outset, it can gain more reach than the platform would like before detection kicks in.
Railway also pointed to a tension in abuse enforcement: tuning heuristics too aggressively can generate false positives and disrupt legitimate users. The company cited a February 2026 incident in which a change to its automated enforcement system caused a customer outage as an example of that balance playing out.
Researchers argued that free-tier access controls need strengthening, noting that platforms with trial offerings in adjacent spaces have implemented oversight mechanisms that prevent users from abusing resources at scale from the moment they sign up.
AI Phishing Campaign Signals a Wider Shift
In response to the campaign, researchers pushed a conditional access policy update to 60,000 Microsoft cloud tenants, blocking emails arriving from Railway domains. The move was described internally as something that had never been done before, underscoring how unusual the campaign's scale and pace were.
The broader concern this incident raises goes beyond the specifics of Railway or Microsoft 365. This AI phishing campaign is being cited as evidence of a structural shift in the threat landscape. Generative AI removes the barriers that previously kept lower-tier cybercriminals from running sophisticated, high-volume attacks. Creating unique lures for hundreds of targets at once, avoiding signature-based detection, and maintaining that pace over weeks is no longer the exclusive domain of state-sponsored groups or well-funded criminal organisations.
Defenders inside organisations often face internal restrictions on how AI tools can be used for security operations, whether due to data privacy concerns, compliance requirements, or procurement timelines. Attackers face none of those constraints. They are moving faster, and the gap between what criminals can deploy and what defenders can respond with in real time is getting harder to close.
The Railway campaign is a clear illustration of where that gap leads.