Recent cybersecurity analyses have uncovered a sophisticated phishing campaign targeting Microsoft 365 (M365) accounts. This operation employs collaboration-themed lures to deceive users into granting unauthorized access to their accounts. The campaign, active from late June to early July 2026, notably avoids traditional fake login pages. Instead, it manipulates users into engaging with legitimate Microsoft device login prompts, thereby facilitating account compromise.
Central to this attack is the exploitation of the OAuth 2.0 Device Authorization Grant flow, a mechanism designed for devices with limited input capabilities, such as smart TVs or printers. In standard use, this flow allows users to authenticate by entering a code displayed on the device into a web browser on a separate device. Attackers have subverted this process by generating device codes and presenting them to users through phishing emails or messages. When users input these codes into the legitimate Microsoft authentication portal, they inadvertently grant the attackers access to their accounts.
This method is particularly insidious because it bypasses traditional security measures, including multi-factor authentication (MFA). By leveraging the legitimate authentication flow, attackers can gain persistent access without needing to steal passwords directly. This approach has been previously documented in campaigns attributed to threat actors like Storm-2372, which utilized similar tactics to compromise accounts.
The current campaign appears to utilize a reusable tooling layer referred to as DEBULL. This tool enables attackers to automate the generation and polling of device codes, streamlining the phishing process and increasing the efficiency of their operations. The use of such tooling indicates a level of sophistication and resource investment, suggesting that these attacks are likely to continue evolving.
Successful exploitation through device code phishing can lead to full account takeovers, data theft, fraud, and further propagation of malicious activities within compromised environments. The ability to bypass MFA and other security protocols underscores the need for heightened vigilance and the implementation of additional security measures.
To mitigate the risks associated with such attacks, organizations and individuals should consider implementing conditional access policies that restrict device code authentication to trusted devices. Regular user education on recognizing phishing attempts and the importance of verifying authentication requests is also crucial. Additionally, monitoring for unusual authentication patterns can help in early detection and response to potential compromises.
The emergence of DEBULL and similar tools highlights the ongoing evolution of phishing tactics. As attackers continue to refine their methods, it is imperative for security practices to adapt accordingly. Organizations must stay informed about emerging threats and continuously assess and enhance their security postures to protect against sophisticated phishing campaigns.