DEBULL Tooling Exploits Microsoft Device-Code Flow to Compromise M365 Accounts
A recent surge in device code phishing campaigns targeting Microsoft 365 accounts has raised alarms within the cybersecurity community. Between late June and early July 2026, a sophisticated attack leveraging collaboration-themed lures was identified, revealing a troubling evolution in phishing tactics. Findings from ZeroBEC indicate that these campaigns have successfully manipulated victims into unwittingly granting access to their accounts.
The Mechanics of Device Code Phishing
Unlike traditional phishing attacks that rely on fake login pages, device code phishing exploits a legitimate OAuth 2.0 authentication mechanism. This technique, specifically the Device Authorization Grant flow, allows attackers to bypass multi-factor authentication (MFA) and gain persistent access to user accounts without the need to steal passwords.
In this recent campaign, attackers utilized a malicious lure that directed users to the legitimate Microsoft device login interface. According to ZeroBEC, the backend of this operation involved generating and polling Microsoft Authentication Broker device-code tokens, effectively tricking users into entering their credentials and a device code provided by the attackers.
Historical Context and Evolution
This campaign bears strong similarities to a previous operation documented by Microsoft in February 2025, known as Storm-2372. Both campaigns employed messaging and Teams-style lures to deceive users into entering their credentials along with an attacker-provided device code. The threat actors behind these operations are believed to be utilizing a reusable tooling layer referred to as DEBULL, which streamlines the phishing process and enhances the effectiveness of their attacks.
The DEBULL platform allows operators to customize phishing lures by editing HTML, CSS, and JavaScript directly, making it easier to deploy various attack vectors without altering the underlying infrastructure. This adaptability signifies a shift towards more sophisticated phishing-as-a-service (PhaaS) offerings, where tools can be purchased or developed by threat actors to facilitate their campaigns.
Implications for Cybersecurity
The implications of these device code phishing attacks are significant. Successful breaches can lead to full account takeovers, theft of sensitive information, and various forms of fraud, including business email compromise (BEC). The ability of attackers to bypass traditional security measures like MFA poses a serious threat to organizations relying on these protections.
As noted by Huntress, device code phishing does not rely on hacking methods; instead, it uses a legitimate authentication flow to gain access. This method allows attackers to sidestep conventional security protocols, making it crucial for organizations to reassess their security measures and educate employees about these evolving threats.
The Role of Phishing-as-a-Service
The rise of PhaaS platforms has further complicated the threat landscape. Recent analyses indicate that tools like EvilTokens and Tycoon have adopted device code phishing techniques, allowing attackers to automate and scale their operations. These platforms provide a comprehensive toolkit for post-compromise activities, enabling operators to maintain access, exfiltrate data, and conduct reconnaissance via Microsoft Graph API.
Cisco Talos has identified a new PhaaS operator panel named ARToken, which shares infrastructure and operational patterns with EvilTokens. This panel exposes over 80 API endpoints for various malicious activities, including device code phishing and email access, all managed through a user-friendly dashboard.
Conclusion
The emergence of DEBULL and similar platforms illustrates a concerning trend in the sophistication of phishing attacks. As these tactics evolve, organizations must remain vigilant and proactive in their cybersecurity strategies. Continuous education and awareness are essential to combat the growing threat of device code phishing and ensure the integrity of sensitive information.
For further insights into the evolving landscape of device code phishing, refer to the original reporting source: thehackernews.com.
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.


