← All stories
● Covered by 1 source Β· 1 reportHigh impact

Microsoft 365 Device Code Phishing Targeting Using DEBULL Tooling Identified

Aggregated by BrevFeed security Β· updated 2h ago
πŸ”– Save

A new phishing campaign targeting Microsoft 365 accounts employs collaboration-themed lures and a reusable tool called DEBULL, exploiting the Microsoft device code authentication flow. This technique allows attackers to bypass multi-factor authentication by tricking users into entering device codes, effectively hijacking their accounts.

Key points

Device Code Phishing Overview

The observed phishing campaign leverages the OAuth 2.0 authentication mechanism's Device Authorization Grant flow to gain account access without stealing passwords. Unlike traditional phishing methods, this approach manipulates users into completing a real authentication prompt.

DEBULL Tooling

The cybersecurity firm ZeroBEC reported that the threat actors are using a reusable tooling layer named DEBULL, which allows them to employ tactics similar to a previous campaign identified by Microsoft in February 2025, known as Storm-2372.

Exploitation Mechanism

Attackers present a legitimate Microsoft device code login interface to deceive users into entering device codes. The decoded information gives the attackers control over the victim's account, bypassing traditional security solutions like multi-factor authentication.

By introducing this method, the attackers exploit the authentication flow rather than creating adversary-in-the-middle login pages, significantly increasing effectiveness.

Impact on Microsoft 365 Users

This campaign represents a significant risk for Microsoft 365 users due to its ability to bypass established security protocols. The use of authentic authentication prompts increases the likelihood that victims will unknowingly compromise their accounts. Awareness of this method is crucial to enhance vigilance against such sophisticated phishing tactics.

Conclusion and Recommendations

Organizations using Microsoft 365 should educate users about the risks of device code phishing and encourage them to verify any unusual authentication requests. Implementing additional security measures can help mitigate the impact of such campaigns.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Primary sources

GitHub RedByte1337/GraphSpy CVE CVE-2026-552008.1 HIGH CVE CVE-2026-468179.8 CRITICAL

Reporting from

A new phishing campaign targeting Microsoft 365 accounts employs collaboration-themed lures and a reusable tool called DEBULL, exploiting the Microsoft device code authentication flow. This technique allows attackers to bypass multi-factor authentication by tricking users into entering device codes, effectively hijacking their accounts.