DEBULL Phishing-as-a-Service Abuses Microsoft Device Code Flow to Hijack M365 Accounts

A phishing-as-a-service platform dubbed DEBULL is using collaboration-themed lures and the legitimate Microsoft device-code login flow to take over Microsoft 365 accounts without ever touching a password.

Threat Intelligence Identity & Access

Researchers observed a phishing-as-a-service platform, tracked as DEBULL, running an active campaign against Microsoft 365 accounts between late June and early July 2026. Rather than presenting a fake Microsoft login page, the campaign uses collaboration-themed lures — messages styled to look like Teams or document-sharing notifications — to push victims into the real Microsoft device-code authentication flow, while a backend broker generates and polls the resulting device-code tokens on the attacker’s behalf.

Because the victim completes an authentic Microsoft authentication process, standard password-theft defenses don’t apply — there’s no credential-harvesting page to detect, and the resulting access token is legitimate. The activity shares strong infrastructure overlap with Storm-2372, a device-code phishing cluster Microsoft first documented in February 2025, and analysis indicates DEBULL likely relies on GraphSpy or a GraphSpy-derived toolset for post-exploitation access to Microsoft 365 and Entra ID.

Device-code phishing has been a growing pattern through 2026 precisely because it sidesteps conventional anti-phishing controls: users are trained to distrust unfamiliar login pages, not a legitimate microsoft.com device-code prompt delivered through a chat message.

If your organization hasn’t restricted the device code authentication flow, do so through Conditional Access policies in Entra ID, scoping it only to devices and scenarios that genuinely require it. Review sign-in logs for device-code grant events tied to unfamiliar client IDs or unusual geographic origins, and brief users that a legitimate-looking Microsoft sign-in prompt triggered by a chat or email link is still worth a second look.

Why it matters: Device-code phishing bypasses your password and MFA prompts entirely by tricking users into authorizing a real Microsoft session — if you haven't already, restrict or disable the device code auth flow in Entra ID via Conditional Access unless a specific business case requires it.

Read source →