DEBULL Tooling Leverages Microsoft Device-Code Flow for M365 Account Targeting
Threat actors are using the DEBULL tooling layer to automate and scale device code phishing campaigns, exploiting the legitimate Microsoft Device Authorization Grant flow to bypass MFA and gain persistent access to M365 accounts. This infrastructure enables advanced Business Email Compromise (BEC) operations by combining phishing lures with token harvesting and post-compromise toolkit functionalities.
A Microsoft 365 device code phishing campaign has been observed leveraging collaboration-themed lures to take control of victim accounts between the last week of June 2026 and into early July, per findings from ZeroBEC.
"The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience,
*** END OF TRANSMISSION ***