A phishing campaign dubbed DEBULL exploits Microsoft's device-code authentication flow to compromise Microsoft 365 accounts. ZeroBEC researchers observed the attack between late June and early July 2026, targeting users through collaboration-themed lures.

The attack bypasses traditional phishing defenses by avoiding fake login pages entirely. Instead, attackers craft convincing messages impersonating legitimate collaboration requests. Victims receive links that redirect them to Microsoft's authentic device login experience, a feature designed to simplify authentication on shared or untrusted devices.

Users enter a device code provided by attackers into the legitimate Microsoft login portal. This code grants the attackers access to victim accounts without requiring password theft or credential harvesting. The method exploits user trust in genuine Microsoft interfaces, making detection harder for both users and security systems scanning for counterfeit login pages.

The device-code flow, documented in Microsoft's OAuth 2.0 specifications, targets systems with limited input capabilities. Attackers abuse this legitimate authentication mechanism by controlling the code generation and redemption process. Once attackers obtain account access, they gain full control of Microsoft 365 environments, including email, OneDrive, SharePoint, and Teams data.

Organizations relying solely on phishing filters that detect fake login pages remain vulnerable to this approach. The campaign demonstrates how threat actors adapt tactics when traditional methods become ineffective. Collaboration tools represent particularly effective lure themes because M365 users expect frequent sharing requests and cross-organizational communication.

Defenders should implement multi-factor authentication beyond device-code flows, restrict device-code usage policies, and monitor for suspicious device code redemption patterns. Security teams should alert users that legitimate Microsoft authentication requests never originate from external links or unsolicited messages. Monitoring for anomalous account activity following device login events provides critical detection coverage.

The DEBULL campaign highlights a broader trend. Attackers increasingly target