DEBULL Tool Abuses Microsoft Device-Code Flow for M365 Account Takeover
A sophisticated phishing campaign, dubbed DEBULL, has been actively targeting Microsoft 365 accounts by exploiting the legitimate Microsoft device code flow. This campaign, observed between the last week of June 2026 and early July, bypasses traditional credential harvesting methods. Instead of directing users to fake Microsoft login pages, DEBULL employs collaboration-themed lures designed to trick victims into initiating the device code authentication process.
ZeroBEC, a threat intelligence firm, detailed the campaign's methodology. The attackers leverage a malicious collaboration-style lure, which prompts users to visit a specific Microsoft URL and enter a device code displayed on the attacker-controlled site. This interaction initiates a legitimate Microsoft authentication flow, but under the attacker's control. Once the user successfully authenticates with their Microsoft credentials via the legitimate Microsoft login experience, the attacker gains access to their M365 account.
This technique is particularly concerning as it abuses a trusted Microsoft feature designed for secure device authentication. By not relying on a fake password page, the campaign avoids common detection mechanisms that flag suspicious login interfaces. The use of collaboration lures, such as invitations to shared documents or projects, further enhances the campaign's believability, making it harder for users to discern the malicious intent. The observed timeframe indicates a recent and active threat, with the potential for widespread impact on organizations relying on Microsoft 365 for their operations.
The DEBULL campaign highlights a growing trend in phishing attacks that move beyond simple credential theft to exploit legitimate authentication protocols. This sophisticated approach requires security teams to implement more advanced detection and prevention strategies, focusing on behavioral analysis and anomaly detection within authentication flows, rather than solely on URL or page content inspection. The compromise of M365 accounts can lead to significant data breaches, financial loss, and disruption of business operations.
Original source — read the full reporting at the publisher:
Read on The Hacker News