DEBULL: This Phishing Kit Hijacks Microsoft 365 Device Code Flow to Bypass MFA
At the end of June 2026, a new phishing campaign targeted Microsoft 365 accounts without trying to steal a single password. Detected by ZeroBEC researchers, it relies on DEBULL, a reusable component that abuses Microsoft’s Device Code authentication flow to bypass MFA. A technique that attackers are increasingly repurposing.
Table of Contents
A real Microsoft page, a fake consent prompt
There is no fake login page here. That is precisely what makes this attack so formidable and different from what is usually seen.
The device code flow is a legitimate OAuth 2.0 mechanism designed for devices without a keyboard or browser, such as a smart TV or a printer: a short code is displayed, and the user enters it from another device to validate the sign-in. In a device code phishing attack, the attacker generates this code and sends it to the target through a lure. When the victim enters it on Microsoft’s actual authentication page, they are in fact authorizing the attacker’s session. The result: no password stolen, MFA bypassed, and as a bonus, session tokens delivered to the attacker.
According to ZeroBEC researchers, the campaign observed between the last week of June and the beginning of July 2026 relies on classic pretexts, such as a shared document to review. In this campaign, the attackers rely on the domain of a legitimate but compromised Croatian rental website. It is used to trigger the code request from Microsoft.
"The campaign did not rely on a fake Microsoft password page. It used a malicious lure themed around collaboration to push users toward Microsoft’s legitimate sign-in experience, while a broker running in the background generated and polled Microsoft Authentication Broker device-code tokens.", ZeroBEC explains in its report.

The researchers note strong similarities with the campaign documented by Microsoft in February 2025 under the name Storm-2372. Turkish-language markers were found in the code, but that is far too little to attribute the campaign to that group with certainty.
Device code phishing is becoming a shelf-ready product
Now let’s talk about DEBULL and the mechanics emerging behind it. According to ZeroBEC, this would be a Phishing-as-a-Service (PhaaS) platform, relying on GraphSpy or a derivative of that tool for post-exploitation on Microsoft 365 and Entra. The operators directly edit the HTML, CSS, and JavaScript of their trap page using provided templates (device-code authentication page, OAuth reminder page, home page).
DEBULL is not an isolated case. Cisco Talos, for its part, detailed ARToken, an administrative PhaaS panel sharing infrastructure and API endpoints with the EvilTokens platform. Talos cites more than 80 API endpoints covering device code phishing, persistence via PRT, email access, BEC operations, and exfiltration from SharePoint, all controlled from a dashboard.
"These features indicate that the platform is more mature than a simple device code phishing kit. It is a full BEC operations environment.", says Michael Kelley, researcher at Cisco Talos.
Even the Tycoon 2FA kit, which resurfaced after a law enforcement operation, adopted the technique. If you read me regularly, you know the pattern: back in May 2026, I had already covered the Kali365 kit, which compromises Microsoft 365 accounts without stealing passwords, to the point of triggering a FBI alert. Device code is not new in Microsoft environments, but it is increasingly being abused by attackers.
What administrators can lock down
Since July 1, 2026, new Entra tenants block device code flow through default security settings (see the note on this page). A Microsoft-managed Conditional Access policy also exists and is applied to organizations that have not used this flow in the last 25 days. But older tenants, or tenants whose policy has remained in audit mode, are still exposed.
- Verify the actual status of the policy used to block device code flow, rather than assuming it is enabled.
- Audit legitimate usage in sign-in logs before enforcing a broad block (a meeting room, etc.).
- Exclude emergency access accounts, as well as Teams device resource accounts if needed.
- Deploy phishing-resistant MFA, such as Entra passkeys on Windows.
One last incident response reflex: stolen tokens survive a password change. Sessions must be revoked and tokens invalidated. Binding each access to a trusted device, as proposed by the recently introduced Specops Device Trust solution, also helps limit the exploitation of a hijacked session.


