Hundreds of businesses have had their Microsoft cloud accounts compromised by a sophisticated phishing campaign that researchers believe is leveraging artificial intelligence tools and the cloud-hosting service Railway. The campaign, detected by Huntress, has rapidly scaled in recent weeks, demonstrating a new level of efficiency and evasion in cyberattacks.
Rich Mozeleski, product manager for Huntress' identity team, stated that the campaign, initially linked to a small number of IP addresses, has targeted a significant number of businesses. The variety of the phishing lures, ranging from conventional emails to QR codes and compromised file-sharing sites, suggests the attackers may be using AI to generate unique lures that are difficult to correlate with one another.
AI-Powered Phishing Campaign Exploits Cloud Infrastructure
The ongoing campaign does not exploit a software vulnerability. It abuses a legitimate Microsoft sign-in path, the OAuth 2.0 device authorization grant (device code flow) that exists for input-constrained devices such as smart TVs and printers. The attacker starts the flow, receives a short user code, and lures the victim into entering that code on Microsoft's genuine device login page. The victim types their password and completes multi-factor authentication against the real Microsoft site, so nothing is spoofed and the attacker never has to capture either; Microsoft then issues access and refresh tokens to the attacker's waiting client, which can keep renewing access for up to 90 days. Because the tokens were legitimately issued, a password reset or MFA prompt on its own does not tell the defender what happened, which is particularly concerning for businesses that rely on cloud services for their daily operations.
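Because the attacker's client, not the victim's browser, is the one that redeems the code, a completed device code sign-in shows up in the tenant's sign-in logs with the redeeming host's IP address, and one host redeeming codes for many accounts is the pattern Huntress describes. The following triage script is an added example, not code from Huntress, Microsoft or the original article. It assumes sign-in records in the shape of the Microsoft Graph signIn resource (fields userPrincipalName, ipAddress, authenticationProtocol with the value deviceCode, status.errorCode, createdDateTime); the log lines themselves are constructed for the example and the IP addresses are documentation ranges, not campaign indicators.

```python
import json
from collections import defaultdict

# Constructed sample records (one JSON object per line) in the shape of
# Microsoft Entra sign-in log entries as exposed by the Graph signIn resource.
# Users, IPs and timestamps are made up for this example; they are not data
# from the campaign described in the article.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}, "createdDateTime": "2025-03-05T14:02:11Z"}
{"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}, "createdDateTime": "2025-03-05T14:09:47Z"}
{"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook", "status": {"errorCode": 0}, "createdDateTime": "2025-03-05T14:10:02Z"}
{"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}, "createdDateTime": "2025-03-05T14:15:30Z"}
{"userPrincipalName": "erin@example.com", "ipAddress": "192.0.2.44", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 0}, "createdDateTime": "2025-03-05T16:40:12Z"}
"""


def parse_signins(log_text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_successful_device_code(record):
    """True when a device code was actually redeemed (errorCode 0).

    Failed attempts (non-zero errorCode) never produced tokens, so they are
    noise for this purpose, although they are still worth a separate look.
    """
    return (record.get("authenticationProtocol") == "deviceCode"
            and record.get("status", {}).get("errorCode", -1) == 0)


def device_code_signins(records):
    """All successful device-code sign-ins, oldest first."""
    hits = [r for r in records if is_successful_device_code(r)]
    return sorted(hits, key=lambda r: r["createdDateTime"])


def shared_source_ips(records, min_users=2):
    """Map IP -> sorted users for IPs that redeemed device codes for at least
    `min_users` distinct accounts.

    For a device-code sign-in the logged IP belongs to the client that polled
    the token endpoint, i.e. the host that started the flow, not the browser
    where the user typed the code. One host collecting tokens for several
    accounts is therefore a strong signal for the pattern in the article.
    """
    users_by_ip = defaultdict(set)
    for r in device_code_signins(records):
        users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users)
            for ip, users in users_by_ip.items() if len(users) >= min_users}


def triage(log_text, min_users=2):
    """Summarise which accounts to review and which source hosts to block."""
    records = parse_signins(log_text)
    return {
        "device_code_users": sorted({r["userPrincipalName"]
                                     for r in device_code_signins(records)}),
        "shared_ips": shared_source_ips(records, min_users),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SIGNIN_LOG), indent=2))
```

Every account in device_code_users holds a refresh token the defender did not issue knowingly, so the response is to revoke that user's sign-in sessions (which invalidates refresh tokens) rather than only resetting the password. For tenants with no legitimate device-code clients, the cleaner fix is to block the flow entirely with a Microsoft Entra Conditional Access policy using the Authentication flows condition, so the script above becomes a check that the block is holding rather than an alerting rule.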
Huntress has reported that hundreds of its customers have fallen victim to these phishing scams, though the security firm claims to have mitigated post-compromise activity in all observed cases. However, Huntress estimates that their client base represents a fraction of the total victims, with the potential number of affected organizations possibly in the thousands. The compromised entities span a broad spectrum of industries, including construction, legal, non-profit, real estate, manufacturing, finance, healthcare, and government sectors.
Weaponizing Platform as a Service for Cyberattacks
Researchers suggest that the attackers are abusing Railway's Platform as a Service, a hosting platform for deploying websites and applications, to spin up credential-harvesting infrastructure within minutes rather than registering and provisioning servers of their own. Combined with compromised domains for delivery and custom-written phishing messages, this lets the campaign slip past typical email filtering. Whether AI generated the specific content, or whether Railway's own AI tooling was involved, remains unclear; what is established is that all observed attacks originate from Railway's IP infrastructure.
In response to inquiries, Railway acknowledged the incident and confirmed to CyberScoop that it took action upon being notified by Huntress on March 6, promptly banning the associated accounts and blocking the domains. Railway also noted that its fraud detection relies on correlating several abuse indicators, and that the campaign's activity did not trip enough of those signals at once to be caught automatically.
The speed and scale of this AI-driven phishing campaign highlight a growing concern among cybersecurity experts: that generative AI tools are democratizing advanced cyberattack capabilities. Traditionally, such sophisticated operations were the domain of highly organized criminal groups or state-sponsored actors. Now, even less experienced cybercriminals may gain access to potent tools that can automate and personalize attacks, potentially overwhelming defenses.
The incident also raises questions about the balance between Platform as a Service providers’ efforts to prevent abuse and the ease of access for legitimate users. Mozeleski suggested that improved vetting and validation processes for free service tiers could help mitigate such exploitation. He drew parallels to services like MailChimp and HubSpot, which implement stricter controls to prevent mass spamming during trial periods.
The development of AI tools for cybersecurity defense is ongoing, but this incident suggests that malicious actors are emerging as rapid adopters of AI technologies. Their willingness to experiment without the same ethical or regulatory constraints as legitimate organizations could give them a significant advantage. The cybersecurity community will be closely watching how platforms like Railway implement further safeguards and how businesses adapt their defenses in response to these evolving threats.