Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts: A Threat Assessment


DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts: A Threat Assessment
A recent phishing campaign has emerged using the DEBULL tooling layer to exploit the Microsoft Device-Code Flow, targeting M365 accounts. The attack vector involves leveraging collaboration-themed lures and legitimate authentication mechanisms to bypass multi-factor authentication (MFA) and gain persistent access to compromised accounts. This threat assessment highlights the need for organizations to reassess their security posture and implement robust controls to prevent such incidents.

  • Device code phishing has become an alarming concern for individuals and organizations due to its ability to bypass multi-factor authentication.
  • A new malicious tooling layer called DEBULL has emerged, exploiting the Microsoft Device-Code Flow to target M365 accounts.
  • A recent campaign by ZeroBEC used collaboration-themed lures and a phishing-as-a-service platform to take control of victim accounts.
  • The DEBULL tooling layer provides operators with the ability to define custom lures and publish them, making it a phishing-as-a-service (PhaaS) platform.
  • Organizations need to reassess their security posture and implement robust controls to prevent device code phishing attacks.



  • The rise of device code phishing has become an alarming concern for individuals and organizations alike, as attackers are increasingly leveraging legitimate authentication mechanisms to bypass multi-factor authentication (MFA) and gain persistent access to compromised accounts. Recently, a malicious tooling layer called DEBULL has emerged, exploiting the Microsoft Device-Code Flow to target M365 accounts.

    According to recent findings from ZeroBEC, a Microsoft 365 device code phishing campaign was observed between June 2026 and early July, utilizing collaboration-themed lures to take control of victim accounts. The attack vector employed by the attackers involved using a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience, while a backend broker generated and polled Microsoft Authentication Broker device-code tokens.

    The DEBULL tooling layer is believed to be a phishing-as-a-service (PhaaS) platform that uses GraphSpy or a GraphSpy-derived workflow for Microsoft 365 and Entra post-exploitation. The platform provides operators with the ability to define a page name and slug, edit HTML, CSS, and JavaScript directly, then choose how the lure is published.

    The attack campaign observed by ZeroBEC involved using payment and shared-folder pretexts in phishing emails to deceive victims into clicking on a URL that takes them to a legitimate-but-compromised Croatian rental website. The website served as a device code orchestrator used to initiate the Microsoft device code challenge chain.

    The campaign is notable for its use of Turkish-language developer markers, although further analysis has revealed that the DEBULL tooling layer likely provided the attackers with the necessary infrastructure and tradecraft to execute the attack.

    In addition to the DEBULL tooling layer, another PhaaS kit called Tycoon 2FA has also adopted the technique to hijack Microsoft 365 accounts in its rebound following a law enforcement operation. This development signals a broader shift within the threat landscape as device code phishing attacks continue to rise in sophistication and frequency.

    The recent surge in device code phishing attacks highlights the need for organizations to reassess their security posture and implement robust controls to prevent such incidents. As attackers increasingly exploit legitimate authentication mechanisms, it is essential that organizations invest in advanced threat intelligence capabilities and incorporate AI-powered security solutions into their overall cybersecurity strategy.

    In conclusion, the emergence of DEBULL tooling layer and its exploitation of Microsoft Device-Code Flow to target M365 accounts serves as a stark reminder of the evolving threat landscape. As attackers continue to adapt and evolve their tactics, it is crucial that organizations prioritize proactive security measures to protect themselves against such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/DEBULL-Tooling-Abuses-Microsoft-Device-Code-Flow-to-Target-M365-Accounts-A-Threat-Assessment-ehn.shtml

  • https://thehackernews.com/2026/07/debull-tooling-abuses-microsoft-device.html


  • Published: Tue Jul 7 11:34:28 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us