Researchers link Microsoft device code phishing campaign to reusable DEBULL tooling

by

A Microsoft 365 device code phishing campaign targeted accounts from late June into early July 2026 and used collaboration-themed lures plus a reusable tooling layer called DEBULL, according to a technical analysis by ZeroBEC.

KEY FACTS

  • Method The campaign used Microsoft device code phishing to steer victims into a legitimate sign-in flow.
  • Lures Emails used payment and shared-folder pretexts to push recipients to click a URL.
  • Infrastructure The link led to a compromised Croatian rental website that acted as a device code orchestrator.
  • Tooling The report says DEBULL appears to be a phishing-as-a-service platform tied to GraphSpy-style post-authentication activity.

Device code phishing abuses a legitimate OAuth 2.0 flow designed for devices with limited input, such as smart TVs and printers. In this case, the attacker generates or relays a code, the victim enters it on a Microsoft login page, and the attacker can recover the resulting token.

The report says the latest campaign shares strong overlaps with activity Microsoft described in 2025 under the Storm-2372 name, including Teams-style lures and attacker-provided device codes. ZeroBEC said the workflow also carried Turkish-language developer markers, although those clues were not enough to attribute the operation with confidence.

ZeroBEC said the lure builder exposed templates for a Microsoft 365 device-code page, an OAuth callback page and a landing page, with operators able to edit HTML, CSS and JavaScript directly. The disclosure also said the lure layer can change without altering the backend identity stack.

Separate research from Cisco Talos said another panel, ARToken, exposed more than 80 API endpoints for device code phishing, token persistence, email access, business email compromise operations and SharePoint exfiltration. Other reporting has also shown Tycoon 2FA adopting the same technique after a takedown.

WHY IT MATTERS

The findings show that device code phishing is being packaged into reusable platforms that can be swapped across campaigns. That makes it easier for attackers to target Microsoft 365 accounts, keep access after a successful login, and scale follow-on fraud or data theft.