DEBULL Tooling Uses Microsoft Device-Code Flow in Microsoft 365 Phishing Campaigns

Security researchers say a phishing campaign observed from late June into early July 2026 abused Microsoft’s device-code authentication flow to target Microsoft 365 users. According to ZeroBEC, the op...

Security researchers say a phishing campaign observed from late June into early July 2026 abused Microsoft’s device-code authentication flow to target Microsoft 365 users. According to ZeroBEC, the operation relied on collaboration-themed lures to persuade recipients to begin a legitimate Microsoft login process, while attacker-controlled backend tooling handled the token generation and polling needed to capture access.

The approach does not depend on a fake password page. Instead, victims are guided into entering an attacker-provided device code on Microsoft’s real authentication site. Because the login flow is genuine, the technique can bypass multifactor authentication and give attackers usable session access without needing to steal a password.

Researchers said the activity shares notable similarities with a campaign Microsoft tracked in 2025 under the name Storm-2372, including the use of messages that appear to come from Teams or other collaboration services. ZeroBEC, however, believes the current operation is being run through a reusable layer of tooling it refers to as DEBULL.

How the attack works

In the incidents examined, phishing emails used payment and shared-folder themes to encourage users to click a link. That link sent victims to a compromised Croatian rental website that acted as a device-code orchestrator, setting up the Microsoft challenge flow. Some elements of the infrastructure included Turkish-language developer markers, though researchers said that was not enough to confirm who was behind the campaign.

ZeroBEC described DEBULL as likely being a phishing-as-a-service platform that can support Microsoft 365 and Entra post-compromise activity, potentially using GraphSpy or a related workflow. The service appears designed to let operators swap out lure pages without changing the underlying identity infrastructure.

Why the technique matters

  • It uses Microsoft’s own authentication flow rather than a fake login page.
  • It can defeat MFA by capturing authorized session tokens.
  • It may lead to account takeover, BEC, data theft, and lateral movement.
  • It is increasingly being packaged into reusable criminal toolkits.

The report follows other industry findings showing that device-code phishing has become a common feature in modern phishing-as-a-service offerings. Cisco Talos recently identified another panel, ARToken, that exposes numerous endpoints for device-code phishing, token persistence, email access, SharePoint theft, and BEC operations. The broader trend suggests attackers are treating identity abuse as an operational service, not just a one-off phishing tactic.