Device code phishing wave hijacks Microsoft 365 accounts through legitimate login flow
By
Mr Bagel
A phishing campaign observed in late June and early July 2026 has been tricking Microsoft 365 users into authorizing attacker sessions by abusing the platform's legitimate device code login flow. According to security firm ZeroBEC, the operation did not rely on fake password pages. "The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience," ZeroBEC reported via The Hacker News.
Attackers used collaboration-themed lures hosted on a compromised Croatian rental website to direct victims to a real Microsoft device authentication page. Once there, users were prompted to enter a code that granted the attackers an access token, effectively handing over control of the account. "It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience," The Hacker News noted, repeating the finding.
The campaign has been linked to reusable tooling and Phishing-as-a-Service (PhaaS) platforms. Hendry Adrian reported that security researchers at ZeroBEC and Cisco Talos connected the activity to "DEBULL, Storm-2372-style tradecraft, EvilTokens, ARToken, and Tycoon 2FA," indicating a sophisticated ecosystem behind the attacks. "The campaign abused Microsoft's legitimate device login flow to trick victims into authorizing attacker sessions," Hendry Adrian added.
By leveraging a legitimate Microsoft process, the attackers bypassed many traditional security warnings that users rely on to spot phishing attempts. The use of a compromised legitimate website as a lure and the reuse of commercial PhaaS tools suggests this is not an isolated incident but part of a broader, well-resourced effort to target M365 accounts.
The reporting
2 outlets covered this story. Each links to the original.
Baker's Take
Comments
Sign in to join the conversation.
No comments yet. Be the first.