A new phishing campaign targeting Microsoft 365 accounts employs collaboration-themed lures and a reusable tool called DEBULL, exploiting the Microsoft device code authentication flow. This technique allows attackers to bypass multi-factor authentication by tricking users into entering device codes, effectively hijacking their accounts.
The observed phishing campaign leverages the OAuth 2.0 authentication mechanism's Device Authorization Grant flow to gain account access without stealing passwords. Unlike traditional phishing methods, this approach manipulates users into completing a real authentication prompt.
The cybersecurity firm ZeroBEC reported that the threat actors are using a reusable tooling layer named DEBULL, which allows them to employ tactics similar to a previous campaign identified by Microsoft in February 2025, known as Storm-2372.
Attackers present a legitimate Microsoft device code login interface to deceive users into entering device codes. The decoded information gives the attackers control over the victim's account, bypassing traditional security solutions like multi-factor authentication.
By introducing this method, the attackers exploit the authentication flow rather than creating adversary-in-the-middle login pages, significantly increasing effectiveness.
This campaign represents a significant risk for Microsoft 365 users due to its ability to bypass established security protocols. The use of authentic authentication prompts increases the likelihood that victims will unknowingly compromise their accounts. Awareness of this method is crucial to enhance vigilance against such sophisticated phishing tactics.
Organizations using Microsoft 365 should educate users about the risks of device code phishing and encourage them to verify any unusual authentication requests. Implementing additional security measures can help mitigate the impact of such campaigns.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
A new phishing campaign targeting Microsoft 365 accounts employs collaboration-themed lures and a reusable tool called DEBULL, exploiting the Microsoft device code authentication flow. This technique allows attackers to bypass multi-factor authentication by tricking users into entering device codes, effectively hijacking their accounts.