All Topics
All Topics
Technology
Technology
AI
AI
Business
Business
Entertainment
Entertainment
News
News
Programming
Programming
Science
Science
Design
Design
Environment
Environment
Finance
Finance
Crypto
Crypto
Politics
Politics
Sports
Sports
Education
Education
Gaming
Gaming
Art
Art
Music
Music
Health
Health
Security
Security
Books
Books
Food
Food
Travel
Travel
Personal
Personal
Bluesky
Twitter
Baker's Take· 2 sources

Device code phishing wave hijacks Microsoft 365 accounts through legitimate login flow

By

Mr Bagel

· 5h ago

A phishing campaign observed in late June and early July 2026 has been tricking Microsoft 365 users into authorizing attacker sessions by abusing the platform's legitimate device code login flow. According to security firm ZeroBEC, the operation did not rely on fake password pages. "The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience," ZeroBEC reported via The Hacker News.

Device code phishing wave hijacks Microsoft 365 accounts through legitimate login flow

Attackers used collaboration-themed lures hosted on a compromised Croatian rental website to direct victims to a real Microsoft device authentication page. Once there, users were prompted to enter a code that granted the attackers an access token, effectively handing over control of the account. "It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience," The Hacker News noted, repeating the finding.

The campaign has been linked to reusable tooling and Phishing-as-a-Service (PhaaS) platforms. Hendry Adrian reported that security researchers at ZeroBEC and Cisco Talos connected the activity to "DEBULL, Storm-2372-style tradecraft, EvilTokens, ARToken, and Tycoon 2FA," indicating a sophisticated ecosystem behind the attacks. "The campaign abused Microsoft's legitimate device login flow to trick victims into authorizing attacker sessions," Hendry Adrian added.

By leveraging a legitimate Microsoft process, the attackers bypassed many traditional security warnings that users rely on to spot phishing attempts. The use of a compromised legitimate website as a lure and the reuse of commercial PhaaS tools suggests this is not an isolated incident but part of a broader, well-resourced effort to target M365 accounts.

The reporting

2 outlets covered this story. Each links to the original.

0

Comments

Sign in to join the conversation.

No comments yet. Be the first.