
Railway Phishing Campaign

One of our partners, Huntress, recently identified a widespread phishing campaign targeting Microsoft 365 users. These attacks are originating from Railway, a cloud provider, and using personalized AI-generated phishing messages to trick users into giving up their credentials.

How do I know if I am affected?

Review the IP ranges at the bottom of this article and check your sign-in logs for any successful authentications that came from them.

How can I address these risks?

If possible, we recommend putting in place Conditional Access policies to block device code authentication, which is an outdated and insecure authentication method. In addition, we recommend creating Conditional Access policies that specifically block all authentication requests from the IP ranges below.

What IP ranges are associated with these targeted attacks?

The following IP ranges have been identified:

  • 152.55.176.0/20

  • 162.220.232.0/22

  • 208.77.244.0/22

  • 66.33.22.0/23

  • 69.46.46.0/24

  • 69.9.164.0/22

  • 2607:99c0::/32
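
The log review described under "How do I know if I am affected?" can be scripted. The following is an added example, not code from Huntress or from the original article: it checks exported sign-in records against the ranges listed above and reports successful sign-ins, marking those that used device code authentication. The record field names (modelled on the Microsoft Graph signIn resource) are an assumption about your export, and the sample records are constructed.

```python
import ipaddress

# IP ranges listed in this article.
CAMPAIGN_RANGES = [ipaddress.ip_network(c) for c in (
    "152.55.176.0/20", "162.220.232.0/22", "208.77.244.0/22", "66.33.22.0/23",
    "69.46.46.0/24", "69.9.164.0/22", "2607:99c0::/32")]

# Constructed sample records, not real log data. Field names follow the
# Microsoft Graph signIn resource (assumption: adjust to your export's columns).
SAMPLE_SIGN_INS = [
    {"createdDateTime": "2025-01-01T10:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "162.220.233.17", "status": {"errorCode": 0},
     "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-01-01T10:05:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "69.46.46.200", "status": {"errorCode": 50126}},   # failed sign-in
    {"createdDateTime": "2025-01-01T10:09:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "2607:99c0:12::5", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-01T10:12:00Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "152.55.192.1", "status": {"errorCode": 0}},       # just outside the /20
    {"createdDateTime": "2025-01-01T10:15:00Z", "userPrincipalName": "erin@example.com",
     "ipAddress": "::ffff:66.33.23.9", "status": {"errorCode": 0}},  # IPv4-mapped IPv6
    {"createdDateTime": "2025-01-01T10:20:00Z", "userPrincipalName": "frank@example.com",
     "ipAddress": "", "status": {"errorCode": 0}},                    # no address logged
]

def matching_range(ip_text):
    """Return the campaign network containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except (ValueError, AttributeError):
        return None  # empty, missing or malformed address field
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # compare ::ffff:a.b.c.d against the IPv4 ranges
    return next((n for n in CAMPAIGN_RANGES if ip in n), None)

def flag_sign_ins(records):
    """Return successful sign-ins whose source IP falls in a campaign range."""
    hits = []
    for r in records:
        net = matching_range(r.get("ipAddress"))
        succeeded = (r.get("status") or {}).get("errorCode") == 0
        if net is not None and succeeded:
            hits.append({"time": r.get("createdDateTime"), "user": r.get("userPrincipalName"),
                         "ip": r.get("ipAddress"), "range": str(net),
                         "device_code": r.get("authenticationProtocol") == "deviceCode"})
    return hits

if __name__ == "__main__":
    for hit in flag_sign_ins(SAMPLE_SIGN_INS):
        print(hit)
```

Failed attempts from these ranges are skipped here because the article asks about successful authentications; drop the `succeeded` condition to list every attempt.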