DEBULL uses Microsoft device code flow phishing to seize M365 accounts
Source headline: DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts
Intelligence Summary
ZeroBEC reports a Microsoft 365 device code phishing campaign active from late June 2026 into early July. The lures focus on Microsoft collaboration themes to persuade users to start an authentication flow. Instead of a fake password page, the campaign pushes victims into the legitimate Microsoft device login experience. Once approved, attackers can gain access to affected M365 accounts. Organizations should watch for abnormal device-login approvals and tighten MFA and conditional access policies.
Recommended Action
Review affected assets, schedule urgent remediation, and monitor related indicators.