HackMyIP
← Back to News
2026-07-07 The Hacker News

DEBULL Tooling Exploits Microsoft Device-Code Flow in M365 Phishing

PhishingAuthenticationThreat Intel

A new Microsoft 365 device-code phishing campaign observed between late June and early July 2026 is leveraging a reusable attack framework dubbed DEBULL to hijack enterprise accounts without triggering traditional password-based defenses. According to ZeroBEC, attackers are using collaboration-themed lures—styled around messaging and Microsoft Teams invitations—to push victims into the legitimate Microsoft device login experience. Behind the scenes, a broker component generates and polls Microsoft Authentication Broker device-code tokens, allowing operators to capture authenticated sessions in real time. The tradecraft shows strong overlap with the Storm-2372 activity Microsoft documented in February 2025, but DEBULL appears to be a modular tooling layer that lets multiple threat actors reuse the same playbook at scale.

The attack exploits the OAuth 2.0 Device Authorization Grant flow, a legitimate Microsoft mechanism designed for input-constrained devices such as smart TVs, IoT devices, and printers. Instead of building a fake adversary-in-the-middle login page, the attacker initiates a real authentication request on their own infrastructure, harvests the resulting device code, and delivers it to the victim through a phishing message. When the user enters the code at microsoft.com/devicelogin and completes the prompt—often alongside their credentials for added legitimacy—the session token is handed directly to the operator's backend. As Huntress notes, "Device code phishing doesn't hack its way in; it uses a legitimate authentication flow to walk right through the front door, with no password required, MFA bypassed, and session tokens handed straight to the attacker."

The consequences extend well beyond a single compromised inbox. Successful takeovers enable full account control, sensitive data exfiltration, business email compromise, lateral movement across Microsoft Entra ID tenants, and downstream ransomware deployment. Because the authentication originates from a trusted Microsoft endpoint, conventional URL filtering and credential-harvesting detectors frequently miss the attack, making user awareness and identity-layer controls critical. Defenders should monitor for unusual device-code sign-ins, restrict the Device Code flow via Conditional Access policies where feasible, and audit which users have recently completed device login prompts they did not initiate—organizations can quickly verify exposed credentials using a password strength and breach checker.

For security teams responding to suspected exposure, rapid validation is key. Confirming whether corporate identities have surfaced in known leaks through a data breach checker and running a broader privacy and exposure checkup can help quantify the blast radius before the stolen tokens are abused for mailbox rule manipulation, OAuth app consent, or cross-tenant pivots.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

Email Auth Check →Email Breach Check →Password Checker →

Related Guides

Learn the background behind this story:

How phishing attacks work →How to check if an email is safe →SPF, DKIM & DMARC explained →