← Back to blog

DEBULL Tooling Exploits Microsoft Device-Code Flow to Compromise M365 Accounts

A new phishing campaign leverages Microsoft's legitimate device-code authentication flow to bypass traditional detection methods. The attack uses collaboration-themed lures to trick users into granting access to their Microsoft 365 accounts.

TL;DR

  • Attackers use DEBULL tooling to abuse Microsoft’s device-code authentication flow
  • Campaign ran from late June to early July 2026
  • Uses collaboration-themed lures instead of fake login pages
  • Targets Microsoft 365 accounts through legitimate-looking prompts
  • Bypasses conventional phishing detection mechanisms

Cybercriminals continue to evolve their tactics by exploiting trusted authentication workflows. A recent campaign uncovered by ZeroBEC demonstrates how adversaries are leveraging Microsoft's legitimate device-code authentication process to gain unauthorized access to Microsoft 365 accounts.

Rather than relying on deceptive login pages, this attack uses social engineering techniques that guide victims through Microsoft's own authentication interface. This method increases the likelihood of success by appearing more credible to end-users and evading standard phishing detection tools.

How the Attack Works

  • The campaign abuses Microsoft's device-code flow, a legitimate OAuth 2.0 extension used for devices with input limitations
  • Victims receive collaboration-themed messages prompting them to authenticate via a device code
  • Users are directed to Microsoft's real authentication portal, making the request appear genuine
  • Once authenticated, attackers gain persistent access to email, files, and other M365 services
  • No need for credential theft—access is granted through user consent during the normal sign-in process

Implications for Security Teams

  • Traditional phishing defenses may fail against attacks leveraging native authentication flows
  • Organizations should monitor for unusual device-code authentication requests
  • User awareness training must emphasize verifying context before approving device-based logins
  • Conditional Access policies can help restrict device-code flow usage to known, managed devices
  • Security teams should review audit logs for unexpected consent grants to third-party applications

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

DEBULL Tooling Exploits Microsoft Device-Code Flow to Compromise M365 Accounts — Agent Breach Blog | Agent Breach