DEBULL Phishing Toolkit Targets Microsoft 365 Accounts Through Device Code Authentication Abuse

DEBULL Phishing Toolkit Targets Microsoft 365 Accounts Through Device Code Authentication Abuse

Security researchers have uncovered a Microsoft 365 phishing campaign that abuses Microsoft’s legitimate device code authentication process to compromise user accounts without relying on fake login pages. According to a report from ZeroBEC, the campaign was active from the final week of June through early July 2026 and used collaboration themed phishing messages to convince users to complete a genuine Microsoft device authentication request. Instead of directing victims to fraudulent credential harvesting pages, the attackers relied on a backend broker that generated and continuously polled Microsoft Authentication Broker device code tokens, allowing them to obtain authenticated session tokens after victims completed the sign in process. Researchers said the campaign shares significant similarities with activity previously attributed by Microsoft to Storm 2372 in February 2025, particularly through the use of Microsoft Teams style lures that persuade victims to enter attacker supplied device codes. However, ZeroBEC believes the latest activity is powered by a reusable phishing infrastructure known as DEBULL, enabling different operators to reuse the same attack framework while changing only the phishing content presented to victims.

Device code phishing has emerged as an increasingly popular identity theft technique because it abuses Microsoft’s legitimate OAuth 2.0 Device Authorization Grant workflow instead of exploiting software vulnerabilities or stealing passwords directly. The authentication process was originally designed for devices with limited user interfaces, including smart televisions and printers, allowing users to authenticate through a separate browser by entering a short verification code displayed on the device. Threat actors exploit this trusted workflow by generating a valid device code themselves and sending it to victims through phishing emails. Once the victim enters the code and completes authentication, the attackers receive valid session tokens that provide access to Microsoft 365 accounts without requiring passwords or bypassing multifactor authentication through traditional means. Researchers noted that this method allows attackers to walk through a legitimate authentication process rather than compromise credentials through counterfeit login portals. Successful attacks can result in complete account takeover, business email compromise, data theft, financial fraud, ransomware deployment, and lateral movement across enterprise environments. Proofpoint previously reported that modern phishing operations now generate device codes dynamically whenever recipients click phishing links, allowing campaigns to remain effective regardless of when the email is opened. Security researchers have also observed these attack methods becoming commercially available through Phishing as a Service platforms including EvilTokens and Tycoon, making sophisticated identity attacks more accessible to cybercriminal groups.

ZeroBEC reported that the campaign it investigated used payment notifications and shared folder invitations as phishing lures that redirected victims to a compromised Croatian rental website. That compromised website functioned as the orchestrator for Microsoft’s device code authentication process, initiating the attack while maintaining the appearance of a legitimate service. Researchers also identified Turkish language developer markers within the infrastructure, although they stated there was insufficient evidence to attribute the campaign to a specific threat actor. Technical analysis suggests that DEBULL functions as a Phishing as a Service platform integrated with GraphSpy or a GraphSpy derived workflow for post compromise activities involving Microsoft 365 and Microsoft Entra environments. The toolkit enables operators to customize phishing pages by modifying HTML, CSS, JavaScript, page names, and publication methods while relying on a common backend infrastructure. Embedded templates include Microsoft 365 device code authentication pages, OAuth callback pages, and landing pages that guide victims through the legitimate Microsoft authentication process. Researchers stated that separating the phishing interface from the backend infrastructure allows operators to modify phishing campaigns without rebuilding the identity compromise mechanisms, making the platform highly adaptable for different attack scenarios.

The findings coincide with separate research from Cisco Talos describing another Phishing as a Service platform called ARToken, which shares infrastructure, operational behavior, and programming interfaces with the EvilTokens platform. According to Talos, ARToken provides more than 80 application programming interfaces supporting device code phishing, Primary Refresh Token persistence, email operations, SharePoint data extraction, and business email compromise activities through a web based operator dashboard. Similar to DEBULL, the platform enables attackers to weaponize stolen authentication tokens to access Microsoft Graph API resources, retrieve emails and files, maintain persistent access, and perform reconnaissance across compromised Microsoft 365 environments. Talos also reported that ARToken incorporates artificial intelligence capabilities that automate business email compromise operations by identifying financial conversations within harvested email accounts and generating convincing fraudulent messages. Researchers further noted that Tycoon 2FA has also adopted device code phishing techniques after resuming operations following previous law enforcement action, reflecting the growing adoption of legitimate OAuth authentication abuse across the cyber threat landscape. The continued development of platforms such as DEBULL, ARToken, EvilTokens, and Tycoon demonstrates how attackers are increasingly focusing on identity based attacks that exploit trusted authentication mechanisms instead of relying solely on credential theft or software vulnerabilities.

Source

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment