A large-scale cyberattack has exposed vulnerabilities in cloud security, with researchers at Huntress revealing an AI-driven phishing campaign that has affected hundreds of organisations globally.
The campaign targeted Microsoft cloud accounts using highly customised phishing lures, believed to be generated with artificial intelligence. According to Huntress, the attack originated from a relatively small group using around a dozen IP addresses but scaled rapidly in recent weeks.
Rich Mozeleski said, “Just the volume of attacks was staggering, and the effectiveness was unprecedented.” The attack pace increased sharply from March 3 after initially impacting a few dozen victims daily.
Unlike traditional phishing campaigns, the attackers used unique email content and domains for each attempt. Methods included email prompts, QR codes, and compromised file-sharing platforms, making detection more difficult.
The campaign exploited the Microsoft authentication system used by devices such as smart TVs, printers, and terminals. This allowed attackers to obtain OAuth tokens valid for up to 90 days without requiring passwords or multi-factor authentication. While Huntress blocked further misuse within its customer base, the total number of victims could reach thousands, beyond the 344 cases identified in its report.
The attack affected sectors including construction, trade, legal services, nonprofits, real estate, manufacturing, finance, insurance, healthcare, and public safety organisations. To contain the threat, Huntress issued a conditional access policy update to 60,000 Microsoft cloud tenants, blocking emails linked to Railway-associated domains.
Researchers found that attackers used Railway to build phishing infrastructure. All attacks were traced to Railway.com IP systems. The company confirmed it was alerted on March 6 and took action by banning accounts and blocking domains.
Experts warn that AI is enabling smaller cybercriminal groups to execute advanced attacks. Prakash Ramamurthy said, “We are seeing crooks as the first movers of AI. They exploit personally identifiable information and model training with no qualms, and this campaign shows the speed at which AI amplifies their attacks.”
The incident highlights the need for stronger cybersecurity measures, including conditional access policies, multi-factor authentication, and AI-focused threat monitoring to tackle evolving phishing risks.


