Hashtag: #AIphishingcampaign
AI-Driven Phishing Campaign Exploits Railway to Breach Microsoft Cloud Accounts at Scale

Security experts at Huntress report a fast-changing phishing operation that uses AI tools and cloud systems to breach Microsoft accounts at hundreds of companies. The activity ties back to misuse of Railway, a service that helps people launch apps and websites quickly. Running on automated workflows, the attack adapts rapidly and slips past common defenses. Instead of relying on old methods, it shifts tactics constantly, making detection harder. Through compromised credentials, access spreads quietly within corporate networks. Investigators found backend processes hosted remotely, fueling repeated login attempts.

Unlike typical scams, this one uses synthetic voices and generated text to mimic real communication. Some messages appear personalized, increasing their chances of success. Early warnings came from irregular traffic patterns tied to authentication requests. The affected organizations span multiple industries with no geographic concentration. Researchers stress that unusual API behavior should be monitored as a sign of intrusion, and detection now depends more on behavioral anomalies than on known threat signatures.

The attack began quietly in early 2026 before growing rapidly in intensity. By March, signs showed a sharp rise, with dozens of organizations breached each day. Though linked to an obscure group using only a few internet addresses, its impact spread fast. Hundreds of confirmed victims fell within weeks, and likely many more worldwide.

What is different here is the integration of AI to craft the phishing bait. Typical campaigns lean on reused message formats; this one generates unique, tailored texts, some carrying QR codes, others embedding shared-file URLs or fake alerts that mimic real platforms. Because each message looks unlike the last, standard filters struggle: pattern-based defenses fail when there is no clear pattern to catch.

Not every login attempt follows the usual path. Some intruders step in through the device sign-in flow built for gadgets like printers or streaming boxes. A fake prompt appears, nudging users to approve what seems like a routine connection. Once granted, digital keys are handed out with no password cracking needed. With those credentials, unauthorized entry lasts nearly three months. Security checks such as two-step verification simply do not apply.

Across sectors like finance, healthcare, and government, the effects are widespread. Though Huntress says it stopped further attacks for some customers, the company notes that its data probably captures only a small portion of those impacted. Huntress moved quickly, rolling out urgent fixes to about 60,000 Microsoft cloud customers after spotting risky traffic linked to Railway domains. Railway admitted that misuse of the platform, although unintended, did occur, then suspended the offending user profiles and cut off the connected web addresses. These adjustments limited entry points before further harm could unfold.

The way bad actors craft digital traps now involves artificial intelligence running on vast online computing resources. With such technology at hand, launching widespread fake message attacks happens faster than before. Experts observing these shifts note a troubling trend: simpler methods achieving stronger results. What once required skill can now be managed by nearly anyone willing to try. Speed grows. Scale expands. Risk rises accordingly.

AI-Driven Phishing Campaign Exploits Railway to Breach Microsoft Cloud Accounts at Scale #AIDrivenCyberAttacks #AIphishingcampaign #CloudAccounts

AI-Driven Phishing Campaign Exploits Cloud Platform to Breach Microsoft Accounts at Scale

A large-scale phishing operation linked to the AI-enabled cloud hosting platform Railway has enabled cybercriminals to infiltrate Microsoft cloud accounts belonging to hundreds of organizations, according to findings by Huntress. Rich Mozeleski, a product manager on Huntress’ identity team, revealed that the activity appears to be associated with a relatively small threat actor operating from roughly a dozen IP addresses. Despite its size, the campaign has successfully compromised hundreds of targets in recent weeks. The attack initially impacted a few dozen organizations daily in early March, but activity surged sharply beginning March 3.

Mozeleski noted that the campaign stood out due to its sophistication and variability—no two phishing emails or domains were identical. This led researchers to suspect the use of artificial intelligence tools to generate customized phishing content. The lures included a mix of conventional email tactics, QR codes, and hijacked file-sharing platforms. “Just the amount of it was like Pandora’s Box had opened, and the efficacy was just through the roof,” Mozeleski said.

The attackers leveraged a weakness in Microsoft’s device authentication process—commonly used by smart TVs, printers, and terminals—to obtain valid OAuth tokens. These tokens can grant access to accounts for up to 90 days without requiring passwords or multi-factor authentication.

While Huntress reported that hundreds of its customers were deceived by the phishing attempts, the firm stated it successfully blocked any follow-on malicious activity. However, researchers believe these cases likely represent only a fraction of the total victims, which could reach into the thousands. Organizations affected span a wide range of industries, including construction, legal services, nonprofits, real estate, manufacturing, finance, healthcare, and public sector entities. Huntress identified at least 344 impacted organizations in a detailed report.

To mitigate the threat, Huntress deployed a conditional access policy update across 60,000 Microsoft cloud tenants, specifically targeting emails originating from Railway-related domains. Mozeleski described this step as “not anything we’ve ever done before.”

Weaponizing Cloud Infrastructure with AI

Investigators believe the attackers abused Railway’s Platform-as-a-Service offering—designed to help users build applications without coding expertise—to rapidly create phishing infrastructure for credential harvesting. By using compromised domains and generating highly tailored phishing messages, the attackers were able to evade traditional email security filters. All observed attacks were traced back to Railway’s IP infrastructure, though it remains unclear whether Railway’s native AI tools or external solutions were used to craft the phishing content.

Responding to the incident, Railway solutions engineer Angelo Saraceno confirmed that the company took action after being alerted by Huntress on March 6. “The associated accounts were banned and the domains were blocked,” Saraceno said. “Our heuristics are built to catch correlations: repeated credit cards, shared code sources, overlapping infrastructure,” he wrote in an email. “When a campaign avoids those signals, it gets further than we’d like.” Saraceno emphasized that fraud detection requires balancing security enforcement with minimizing false positives, referencing a prior February incident where system tuning caused customer disruptions.

Despite mitigation efforts, Mozeleski stated that Huntress continued to detect over 50 daily compromises tied to Railway-hosted phishing domains. He suggested that stronger vetting processes—especially for free-tier users—could help prevent such abuse, drawing comparisons to platforms like Mailchimp and HubSpot that enforce stricter usage controls. “Do not allow anybody to come in, start a trial, spin up resources, and start using your infrastructure” for cyberattacks, he said.

A notable aspect of this campaign is the use of AI-powered infrastructure typically associated with advanced or state-backed threat actors, now being deployed for relatively routine phishing schemes. This shift highlights growing concerns among cybersecurity experts about the democratization of powerful attack tools. Experts warn that lower-tier cybercriminals, often referred to as “script kiddies,” may benefit significantly from generative AI technologies. John Hultquist recently noted that such tools are likely to empower smaller cybercriminal groups even more than state-sponsored actors. Meanwhile, promotional material from Railway highlights features such as “vertical auto-scale out of the box” and the ease of deploying self-hosted tools—capabilities that may inadvertently aid malicious use.

“We are seeing crooks as the first movers of AI,” said Prakash Ramamurthy, chief product officer at Huntress. “They don’t have any qualms about PII, they don’t have any qualms about model training … and this incident, just in the sheer pace at which it has evolved, is kind of a testament to that.”
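Both articles describe the same entry point: the device authentication flow meant for printers and TVs, which hands out long-lived tokens that bypass password and MFA checks. As an added defender-side example (not code from Huntress, Railway or either article), the script below scans sign-in records in the shape of Microsoft Graph signIn objects, where the device authorization grant is recorded as `authenticationProtocol` = `deviceCode`, flags device-code sign-ins from IPs outside a small allowlist, and clusters them by source IP to surface the "dozen IP addresses, hundreds of users" pattern. The log records, the allowlist and the cluster threshold are constructed assumptions.

```python
"""Flag device-code-flow sign-ins in Entra ID sign-in records (added example).

Assumes the Microsoft Graph signIn field `authenticationProtocol`, which is
"deviceCode" for the device authorization grant. Records are constructed samples.
"""
import json
from collections import defaultdict

# Constructed sample records (subset of Graph signIn fields), one JSON object per line.
SAMPLE_LOG = """
{"userPrincipalName":"a.user@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","createdDateTime":"2026-03-04T09:12:00Z"}
{"userPrincipalName":"b.user@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","createdDateTime":"2026-03-04T09:15:00Z"}
{"userPrincipalName":"c.user@example.com","ipAddress":"198.51.100.7","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","createdDateTime":"2026-03-04T09:20:00Z"}
{"userPrincipalName":"d.user@example.com","ipAddress":"203.0.113.11","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","createdDateTime":"2026-03-04T09:22:00Z"}
{"userPrincipalName":"e.user@example.com","ipAddress":"192.0.2.5","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Teams","createdDateTime":"2026-03-04T09:30:00Z"}
"""

# Assumed allowlist: IPs where device-code sign-ins are expected (e.g. a meeting-room display).
KNOWN_DEVICE_IPS = {"192.0.2.5"}
# Assumed threshold: one external IP completing device-code logins for this many
# distinct users is reported as a cluster worth investigating.
CLUSTER_THRESHOLD = 2


def parse_sign_ins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_alerts(records):
    """Return (alerts, clustered_ips).

    alerts: (user, ip, app) for every device-code sign-in from a non-allowlisted IP.
    clustered_ips: IPs whose device-code sign-ins cover >= CLUSTER_THRESHOLD users.
    """
    alerts = []
    users_by_ip = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue  # ordinary interactive or OAuth2 sign-in, not the device flow
        if r.get("ipAddress") in KNOWN_DEVICE_IPS:
            continue  # expected hardware device, not flagged
        alerts.append((r["userPrincipalName"], r["ipAddress"], r["appDisplayName"]))
        users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    clustered_ips = {ip for ip, users in users_by_ip.items() if len(users) >= CLUSTER_THRESHOLD}
    return alerts, clustered_ips


if __name__ == "__main__":
    found, clusters = device_code_alerts(parse_sign_ins(SAMPLE_LOG))
    for upn, ip, app in found:
        print(f"device-code sign-in: {upn} from {ip} via {app}")
    print("IPs with multi-user device-code activity:", sorted(clusters))
```

Because a token obtained this way stays valid for up to 90 days, a hit here is a reason to revoke the user's sessions, not just to watch the next login.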

AI-Driven Phishing Campaign Exploits Cloud Platform to Breach Microsoft Accounts at Scale #AIphishingcampaign #CyberFraud #Huntresscybersecurity
