**Understanding the Microsoft 365 Device Code Phishing Surge: How “DEBULL” is Weaponizing Legitimate Authentication**
In the evolving landscape of cyber threats, attackers are constantly refining their methods to bypass traditional security measures. A recent analysis highlights a sophisticated phishing campaign observed in mid-2026 that exemplifies this evolution. This campaign, tracked by cybersecurity firm ZeroBEC, leverages a technique known as device code phishing to hijack Microsoft 365 accounts, bypassing multi-factor authentication (MFA) without needing to crack a single password.
The operation, active during the last week of June 2026 and into early July, utilized collaboration-themed lures to deceive victims. Unlike classic phishing attacks that present fake login pages, this method exploits a legitimate OAuth 2.0 feature built into Microsoft’s authentication system. The attack doesn’t try to break in; it tricks the user into letting the attacker in.
**How the Attack Works: Weaponizing a Legitimate Feature**
Device code authentication is a standard process designed for devices with limited interfaces, like smart TVs or printers. When a user attempts to sign in, they are presented with a code on their device. They must then switch to a browser on another device, navigate to a Microsoft page, and enter the code to complete the login.
The phishing campaign masterfully abuses this workflow:
1. **The Lure:** Victims receive an email with a collaboration or Teams-style pretext, prompting them to click a link.
2. **The Interception:** The link directs the user to a malicious but convincing page hosted on a compromised legitimate site (in this case, a Croatian rental website). This page acts as an orchestrator.
3. **The Trap:** The malicious page dynamically generates a Microsoft device code and displays Microsoft’s official-looking device login interface.
4. **The Handover:** The user is instructed to switch back to their browser, go to `microsoft.com/devicelogin`, and enter the code they see on the malicious page.
5. **The Compromise:** Unbeknownst to the user, entering the code grants the attacker’s session immediate access to their account. The user essentially hands over their session token, bypassing MFA entirely.
**The “DEBULL” Infrastructure: Phishing as a Service (PhaaS)**
What makes this campaign particularly concerning is its reusable and modular nature. Security researchers assess that the threat actors are using a framework called **”DEBULL”**, a Phishing-as-a-Service (PhaaS) platform. This “tooling layer” allows operators to easily create and deploy these sophisticated campaigns without deep technical expertise.
DEBULL provides a web-based dashboard where operators can customize the phishing lure, edit HTML/CSS/JavaScript, and manage the backend infrastructure. Crucially, the backend handles the complex authentication flow with Microsoft’s servers, abstracting this away from the attacker. This separation of the “lure” from the “backend identity stack” makes the operation flexible and resilient; attackers can change the email template while using the same malicious authentication engine.
**Connections to Known Threats and a Growing Ecosystem**
This campaign is not an isolated incident. Analysis reveals “strong” overlaps with a previous campaign documented by Microsoft in early 2025, known as **Storm-2372**. The new operation appears to be an evolution of that earlier work, now packaged and distributed through the DEBULL platform.
This trend highlights the emergence of a mature, service-based ecosystem for these attacks. Tools like DEBULL are often linked to other PhaaS kits. For instance, researchers have also observed the “ARToken” platform, described as a “fully-featured PhaaS operator panel,” which shares infrastructure and operational patterns with other device code phishing tools. These platforms often include advanced features like AI-powered automation for business email compromise (BEC), allowing attackers to sift through compromised emails for financial information.
**A Broader Shift in Tactics**
The rise of DEBULL and similar platforms signals a broader shift in the threat landscape. Attackers are moving away from crude email spoofing and towards more insidious methods that abuse the very security features designed to protect users. Device code phishing represents a significant step forward for cybercriminals, offering a reliable way to compromise accounts protected by MFA—the very security measure users and organizations rely on.
As law enforcement actions disrupt one PhaaS platform, others quickly adapt and emerge, repurposing existing kits for new campaigns. This cat-and-mouse game underscores the need for organizations to look beyond traditional defenses and implement more advanced security measures, such as strict Conditional Access policies and user training focused on these novel social engineering techniques.
***
**Original Article Source:**
This article is based on the report “Microsoft 365 device code phishing campaigns observed leveraging collaboration-themed lures” published by **The Hacker News**. The original article can be found at the following link: [https://www.thehackernews.com/2026/07/microsoft-365-device-code-phishing.html](https://www.thehackernews.com/2026/07/microsoft-365-device-code-phishing.html)



