Skip to content
Acknowledgments: Special thanks to Casey Smith, Tanner Filip, Matt Kiely, and Aaron Deal for their contributions to this investigation and write-up. UPDATE: March 23, 2026 In partnership with our friends at Flare.io and other contacts across the community, Huntress has attributed the Railway attack to the EvilTokens Phishing as a Service (PhaaS) platform. First advertised on the NOIRLEGACY GROUP t...
Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure | Huntaegis