First reported by thehackernews.com
DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts
Microsoft 365 device code phishing campaign abuses legitimate login flow to target accounts
By
CybersecurityNews
2h ago· 1 min readenNews
Summary
A Microsoft 365 device code phishing campaign observed in late June and early July 2026 abused Microsoft's legitimate device login flow to trick victims into authorizing attacker sessions. The campaign used collaboration-themed lures and a compromised Croatian rental website. Security firms ZeroBEC and Cisco Talos linked the activity to reusable tooling and PhaaS (Phishing-as-a-Service) ecosystems including DEBULL, Storm-2372-style tradecraft, EvilTokens, ARToken, and Tycoon 2FA.
Source
bskyMicrosoft 365 device code phishing campaign abuses legitimate login flow to target accountshendryadrian.comKey quotes
· 2 pulledA Microsoft 365 device code phishing campaign observed in late June and early July 2026 used collaboration-themed lures and a compromised Croatian rental website to trick victims into authorizing attacker sessions through Microsoft's legitimate device login flow.
ZeroBEC and Cisco Talos linked the activity to reusable tooling and PhaaS ecosystems including DEBULL, Storm-2372-style tradecraft, EvilTokens, ARToken, and Tycoon 2FA.
A Microsoft 365 device code phishing campaign observed in late June and early July 2026 used collaboration-themed lures and a compromised Croatian rental website to trick victims into authorizing attacker sessions through Microsoft’s legiti...
You might also wanna read
DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts
thehackernews.com·5h ago

ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkit
BleepingComputer·4d ago

ConsentFix and ClickFix: How Microsoft 365 Accounts are Hijacked in 3 Seconds
BleepingComputer·5d ago
Azure CLI Password Spray Attack Exposes Microsoft 365 MFA Gap
BackBox.org·1d ago
Microsoft Can Track Users Via a Windows Device ID
Slashdot·3h ago
Microsoft uncovers Tor-based cryptocurrency clipper malware with worm-like propagation
Microsoft Threat Intelligence identified a Windows-based cryptocurrency clipper malware campaign active since February 2026. The malware use
microsoft.com·18d ago

Comments
Sign in to join the conversation.
No comments yet. Be the first.