Skip to content
DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts

DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts

A Microsoft 365 device code phishing campaign has been observed leveraging collaboration-themed lures to take control of victim accounts between the last week of June 2026 and into early July, per findings from ZeroBEC.

“The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience, while a backend broker generated and polled Microsoft Authentication Broker device-code tokens,” the email security company said in a report shared with The Hacker News.

The activity is assessed to share “strong” overlaps with a campaign documented by Microsoft in February 2025 under the moniker Storm-2372, including the use of messaging or Teams-style lures to trick unsuspecting victims into entering an attacker-provided device code, along with their credentials, effectively allowing the threat actor to recover the token and hijack their account.

Despite these similarities, it’s assessed that the threat actors are employing Storm-2372-style tradecraft through what has been described as a reusable tooling layer called DEBULL.

Device code phishing refers to an identity theft technique where attackers exploit a legitimate OAuth 2.0 authentication mechanism, specifically the Device Authorization Grant flow, to bypass multi-factor authentication (MFA) and gain persistent account access without having to steal user passwords.

Unlike traditional phishing attacks that require the operators to set up bogus adversary-in-the-middle (AitM) login pages, device code phishing relies on manipulating a user into completing a real, trusted authentication prompt.

Device code authentication, per Microsoft, is a legitimate OAuth flow designed for devices with limited interfaces, such as smart TVs or printers, that cannot support a traditional interactive login. In this scenario, a user is presented with a short code on the device they are trying to sign in from and is prompted to input that code into a web browser on a separate device to complete the authentication.

Threat actors have abused this separation to insert themselves and initiate the authentication flow. Then, they share that code with the target through a phishing lure. Thus, when the user enters the code, they authorize the threat actor’s session without their knowledge, granting them access to the account.

“Device code phishing doesn’t hack its way in,” Huntress notes. “It uses a legitimate authentication flow to walk right through the front door, with no password required, MFA bypassed, and session tokens handed straight to the attacker.”

Successful device code phishing attacks can facilitate full account takeover, theft of valuable information, fraud, business email compromise (BEC), lateral movement within a compromised environment, and even disruptive attacks like ransomware.

“In most current device code phishing attacks, the code is generated dynamically when a user clicks on the initial phishing link. This seemingly small change allows the user to view the email at any time to kickstart the attack chain,” Proofpoint said in an analysis published in May 2026. “These new implementations of the device code attack chains can be purchased via phishing-as-a-service (PhaaS) offerings, like EvilTokens or Tycoon, or created and owned by the threat actor conducting the campaigns. “

These campaigns are also known to leverage account takeover (ATO) jumping, a technique where an attacker compromises an initial email account and then abuses it to send phishing links to a broader set of contacts in the form of a button, hyperlinked text, embedded within a document, or a QR code. The links, when visited by the recipient, initiate an attack sequence that employs the Microsoft device authorization process.

ZeroBEC said the campaign it observed involves using payment and shared-folder pretexts in phishing emails to deceive victims into clicking on a URL that takes them to a legitimate-but-compromised Croatian rental website, which, in turn, acts as a device code orchestrator used to initiate the Microsoft device code challenge chain.

The workflow is characterized by the presence of Turkish-language developer markers, although the clues aren’t enough to definitively attribute the campaign’s provenance. Further analysis of the infrastructure has revealed that DEBULL is likely a phishing-as-a-service (PhaaS) platform that uses GraphSpy or a GraphSpy-derived workflow for Microsoft 365 and Entra post-exploitation.

“Operators can define a page name and slug, edit HTML, CSS, and JavaScript directly, then choose how the lure is published,” ZeroBEC said. “The embedded templates included a Microsoft 365 device-code authentication page, an OAuth callback page, and a modern landing page. The Microsoft 365 template is especially important because it exposes the exact building block used by the campaign: a user-code display, copy-code behavior, and a link to Microsoft device login.”

“The more useful conclusion is that Storm-2372-style identity tradecraft is now being packaged into reusable broker infrastructure. DEBULL provides the campaign-facing and operator-facing layer. GraphSpy or GraphSpy-derived code likely handles the post-authentication layer. The lure can be changed without changing the backend identity stack.”

The disclosure comes as Cisco Talos said it identified a fully-featured PhaaS operator panel branded ARToken that shares infrastructure, API contracts, and operational patterns with the EvilTokens device code phishing platform and is made available to affiliates.

“The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token (PRT) persistence, email access, business email compromise (BEC) operations, and SharePoint exfiltration – all accessible to operators through a React-based dashboard,” Talos said.

EvilTokens, like DEBULL, enable attackers to weaponise harvested tokens to exfiltrate emails, files, and other sensitive data from compromised Microsoft accounts, carry out reconnaissance via Microsoft Graph API, and establish persistence access. In addition, it incorporates artificial intelligence (AI)-powered features to automate and scale BEC workflows, such as sifting through thousands of harvested emails, identifying finance-related email threads, and drafting BEC emails.

ARToken functions as a complete post-compromise toolkit that allows operators to leverage the captured access token recovered following successful device code authentication to maintain access, perform email operations, access OneDrive and SharePoint, and browse victim Microsoft 365 sessions outside the panel using a dedicated tool known as ARTBrowser.

“These features indicate the platform is more mature than a simple device code phishing kit – it is a complete BEC operations environment,” Talos researcher Michael Kelley said.

The surge in device code phishing attacks has also led to other PhaaS kits like Tycoon 2FA to adopt the technique to hijack Microsoft 365 accounts in its rebound following a law enforcement operation, signaling a broader shift within the threat landscape.

“Tycoon 2FA operators have repurposed their existing PhaaS kit as the delivery framework for OAuth device code grant phishing,” eSentire noted in May 2026. “The attack begins when a victim clicks a Trustifi click-tracking URL in a lure email and culminates in the victim unknowingly granting OAuth tokens to an attacker-controlled device through Microsoft’s legitimate device-login flow at microsoft.com/devicelogin.”

Source link