Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Microsoft Device Code Phishing Campaign Targets M365 Accounts

Microsoft Device Code Phishing Campaign Targets M365 Accounts

Posted on July 7, 2026 By CWS

A recent wave of phishing attacks is targeting Microsoft 365 accounts by exploiting the device code authentication flow, according to a report from ZeroBEC. This campaign, active from late June to early July 2026, uses collaborative-themed lures to gain unauthorized access to victim accounts.

Phishing Tactics Leveraging Microsoft Device Code

Unlike traditional phishing methods that employ fake credential forms, this campaign utilizes genuine Microsoft device login experiences to deceive users. Attackers manipulate victims into entering a device code provided through a phishing email. Subsequently, they hijack the authentication process, allowing them to retrieve session tokens and gain account access without needing passwords.

The operation shows similarities to a campaign previously identified by Microsoft in February 2025, known as Storm-2372. Both campaigns use communication-style lures to trick users into providing their credentials alongside a malicious device code.

Understanding Device Code Phishing

Device code phishing capitalizes on the OAuth 2.0 Device Authorization Grant flow, a legitimate authentication method designed for devices with limited interfaces. This process requires users to enter a short code into a separate device’s browser. However, attackers exploit this separation by inserting themselves into the authentication flow via phishing tactics.

This strategy allows threat actors to bypass multi-factor authentication (MFA), making it a potent tool for account takeovers and business email compromise (BEC). The attack is initiated when users click on a phishing link, generating a device code that facilitates the attack.

Implications and Evolving Threats

The campaign’s infrastructure uses a platform called DEBULL, which ZeroBEC describes as a phishing-as-a-service (PhaaS) offering. This setup allows operators to customize phishing lures and manage post-authentication processes. DEBULL’s capabilities are further enhanced by the integration of GraphSpy or similar workflows for deeper exploitation.

Recent analyses by Cisco Talos highlight the sophistication of such platforms. The ARToken operator panel, for instance, offers extensive functionalities to facilitate various malicious activities, including email exfiltration and BEC operations.

As device code phishing becomes more prevalent, other PhaaS kits, such as Tycoon 2FA, have also adopted this method, indicating a significant shift in the cyber threat landscape. These developments underscore the need for enhanced security measures to protect against evolving phishing techniques.

Experts urge organizations to remain vigilant and update their security protocols to counteract these sophisticated phishing campaigns. Continuous monitoring and education on emerging threats are essential to safeguarding sensitive information and preventing unauthorized access.

The Hacker News Tags:ARToken, BEC, business email compromise, Cybersecurity, DEBULL, device authentication, device code phishing, EvilTokens, Microsoft 365, multi-factor authentication, OAuth, PhaaS, phishing attacks, Storm-2372

Post navigation

Previous Post: CISA Utilizes AI Model Mythos to Enhance Code Security
Next Post: MCP Servers Found with Thousands of Security Flaws

Related Posts

New Malware Campaign Delivers Remcos RAT Through Multi-Stage Windows Attack New Malware Campaign Delivers Remcos RAT Through Multi-Stage Windows Attack The Hacker News
NightEagle APT Exploits Microsoft Exchange Flaw to Target China’s Military and Tech Sectors NightEagle APT Exploits Microsoft Exchange Flaw to Target China’s Military and Tech Sectors The Hacker News
Iranian Cyber Threats Target U.S. Infrastructure Iranian Cyber Threats Target U.S. Infrastructure The Hacker News
DRILLAPP Backdoor Exploits Microsoft Edge in Ukraine DRILLAPP Backdoor Exploits Microsoft Edge in Ukraine The Hacker News
CISA Sounds Alarm on Critical Sudo Flaw Actively Exploited in Linux and Unix Systems CISA Sounds Alarm on Critical Sudo Flaw Actively Exploited in Linux and Unix Systems The Hacker News
Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • MCP Servers Found with Thousands of Security Flaws
  • Microsoft Device Code Phishing Campaign Targets M365 Accounts
  • CISA Utilizes AI Model Mythos to Enhance Code Security
  • Tarah Wheeler’s Journey: From Social Science to Cybersecurity Leadership
  • GitHub Workflow Vulnerability Exposes Private Repo Data

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • MCP Servers Found with Thousands of Security Flaws
  • Microsoft Device Code Phishing Campaign Targets M365 Accounts
  • CISA Utilizes AI Model Mythos to Enhance Code Security
  • Tarah Wheeler’s Journey: From Social Science to Cybersecurity Leadership
  • GitHub Workflow Vulnerability Exposes Private Repo Data

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark