Full Report
A Microsoft 365 device code phishing campaign has been observed leveraging collaboration-themed lures to take control of victim accounts between the last week of June 2026 and into early July, per findings from ZeroBEC. "The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience,
Analysis Summary
# Tool/Technique: DEBULL (Device Code Phishing)
## Overview
DEBULL is a reusable tooling layer and framework designed to automate and scale Microsoft 365 device code phishing campaigns. It abuses the legitimate OAuth 2.0 Device Authorization Grant flow to bypass multi-factor authentication (MFA) and gain persistent account access. Unlike traditional phishing, it does not use fake login pages but instead brokers the authentication session between the victim and the legitimate Microsoft login service.
## Technical Details
- **Type:** Attack Tooling / Phishing-as-a-Service (PhaaS) component
- **Platform:** Microsoft 365 (SaaS), Windows, macOS, Linux, Mobile (via browser)
- **Capabilities:** Automated token polling, backend broker for Microsoft Authentication Broker, MFA bypass, session hijacking.
- **First Seen:** Observed in active campaigns June/July 2026 (linked to tradecraft seen as early as February 2025).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link]
- **[TA0006 - Credential Access]**
- [T1528 - Steal Application Access Token]
- **[TA0004 - Privilege Escalation]**
- [T1550.004 - Use Alternate Authentication Material: Web Session Cookie/Access Token]
## Functionality
### Core Capabilities
- **Device Authorization Grant Abuse:** Requests a device code from Microsoft on behalf of the attacker and presents it to the user.
- **MFA Bypass:** Because the user authenticates via the legitimate Microsoft portal, any MFA requirement is satisfied by the user, but the resulting token is granted to the attacker's session.
- **Automated Token Polling:** The backend broker continuously polls the Microsoft API to detect when the victim has entered the code, immediately capturing the access and refresh tokens.
### Advanced Features
- **Legacy Compatibility:** Exploits flows intended for devices with limited input (Smart TVs, printers) to target standard enterprise accounts.
- **Dynamic Link Generation:** Links are generated dynamically, allowing the attack chain to remain "live" even if the email is opened long after it was sent.
- **Broker Infrastructure:** Uses a middle-tier server (DEBULL) to manage the interaction between the phishing lure and the Microsoft identity platform.
## Indicators of Compromise
- **File Hashes:** N/A (Tooling is server-side/web-based)
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:**
- `microsoft.com/devicelogin` (Legitimate site, but unauthorized use in logs)
- `login.microsoftonline[.]com`
- Compromised redirector domains (e.g., various hijacked Croatian rental websites mentioned in the source).
- **Behavioral Indicators:**
- Logins for "Cross-Platform Command Line Interface" or "Microsoft PowerShell" from unexpected IP addresses.
- Successful logins where the `Authentication Protocol` is identified as `DeviceCode`.
## Associated Threat Actors
- **Storm-2372** (High overlap in TTPs)
- **ZeroBEC** (Researching entity)
## Detection Methods
- **Behavioral Detection:** Monitor Entra ID (Azure AD) Sign-in logs for the "Device Code" authentication method, especially when originating from unknown or non-corporate IP ranges.
- **Sign-in Analysis:** Look for successful logins to the "Microsoft Office" or "Command Line" applications where no interactive password prompt was recorded for that specific session.
- **SIEM Rules:** Alert on multiple "failed" device code polling attempts followed by a single successful token issuance.
## Mitigation Strategies
- **Conditional Access Policies:** Explicitly disable the Device Code flow for users who do not require it for their job functions.
- **Strict MFA:** Ensure MFA is required for all primary authentication, though note that Device Code phishing is specifically designed to circumvent session-based MFA.
- **User Education:** Train users to never enter a code into `microsoft.com/devicelogin` unless they personally initiated a sign-in on a secondary device (like a TV or printer).
- **App Restrictions:** Limit the "Microsoft Office" and "PowerShell" applications to known-managed devices.
## Related Tools/Techniques
- **EvilTokens:** A similar PhaaS framework used for token theft.
- **Tycoon:** An AitM (Adversary-in-the-Middle) phishing kit.
- **GraphSpy:** A tool used for post-exploitation and data exfiltration after token capture.