Researchers observed a phishing-as-a-service platform, tracked as DEBULL, running an active campaign against Microsoft 365 accounts between late June and early July 2026. Rather than presenting a fake Microsoft login page, the campaign uses collaboration-themed lures — messages styled to look like Teams or document-sharing notifications — to push victims into the real Microsoft device-code authentication flow, while a backend broker generates and polls the resulting device-code tokens on the attacker’s behalf.
Because the victim completes an authentic Microsoft authentication process, standard password-theft defenses don’t apply — there’s no credential-harvesting page to detect, and the resulting access token is legitimate. The activity shares strong infrastructure overlap with Storm-2372, a device-code phishing cluster Microsoft first documented in February 2025, and analysis indicates DEBULL likely relies on GraphSpy or a GraphSpy-derived toolset for post-exploitation access to Microsoft 365 and Entra ID.
Device-code phishing has been a growing pattern through 2026 precisely because it sidesteps conventional anti-phishing controls: users are trained to distrust unfamiliar login pages, not a legitimate microsoft.com device-code prompt delivered through a chat message.
If your organization hasn’t restricted the device code authentication flow, do so through Conditional Access policies in Entra ID, scoping it only to devices and scenarios that genuinely require it. Review sign-in logs for device-code grant events tied to unfamiliar client IDs or unusual geographic origins, and brief users that a legitimate-looking Microsoft sign-in prompt triggered by a chat or email link is still worth a second look.