A recent wave of phishing attacks is targeting Microsoft 365 accounts by exploiting the device code authentication flow, according to a report from ZeroBEC. This campaign, active from late June to early July 2026, uses collaborative-themed lures to gain unauthorized access to victim accounts.
Phishing Tactics Leveraging Microsoft Device Code
Unlike traditional phishing methods that employ fake credential forms, this campaign utilizes genuine Microsoft device login experiences to deceive users. Attackers manipulate victims into entering a device code provided through a phishing email. Subsequently, they hijack the authentication process, allowing them to retrieve session tokens and gain account access without needing passwords.
The operation shows similarities to a campaign previously identified by Microsoft in February 2025, known as Storm-2372. Both campaigns use communication-style lures to trick users into providing their credentials alongside a malicious device code.
Understanding Device Code Phishing
Device code phishing capitalizes on the OAuth 2.0 Device Authorization Grant flow, a legitimate authentication method designed for devices with limited interfaces. This process requires users to enter a short code into a separate device’s browser. However, attackers exploit this separation by inserting themselves into the authentication flow via phishing tactics.
This strategy allows threat actors to bypass multi-factor authentication (MFA), making it a potent tool for account takeovers and business email compromise (BEC). The attack is initiated when users click on a phishing link, generating a device code that facilitates the attack.
Implications and Evolving Threats
The campaign’s infrastructure uses a platform called DEBULL, which ZeroBEC describes as a phishing-as-a-service (PhaaS) offering. This setup allows operators to customize phishing lures and manage post-authentication processes. DEBULL’s capabilities are further enhanced by the integration of GraphSpy or similar workflows for deeper exploitation.
Recent analyses by Cisco Talos highlight the sophistication of such platforms. The ARToken operator panel, for instance, offers extensive functionalities to facilitate various malicious activities, including email exfiltration and BEC operations.
As device code phishing becomes more prevalent, other PhaaS kits, such as Tycoon 2FA, have also adopted this method, indicating a significant shift in the cyber threat landscape. These developments underscore the need for enhanced security measures to protect against evolving phishing techniques.
Experts urge organizations to remain vigilant and update their security protocols to counteract these sophisticated phishing campaigns. Continuous monitoring and education on emerging threats are essential to safeguarding sensitive information and preventing unauthorized access.
