The bottom line: Attackers abuse Microsoft’s device code flow through phishing lures to exploit legitimate authentication processes and compromise M365 accounts.
A phishing campaign targets Microsoft 365 accounts by directing users through fake collaboration invitations to Microsoft device code authentication. The attackers use no fake login form, but instead abuse the genuine Microsoft sign-in procedure.
Between late June and early July 2026, the tooling series known as DEBULL conducted a Microsoft 365 phishing campaign, as documented by ZeroBEC. The attackers relied on collaboration lures – that is, fake invitations to collaboration projects or similar scenarios.
What is distinctive about this campaign is the methodology: instead of relying on traditional phishing pages with fake Microsoft password entry fields, the attackers directed victims directly into the genuine Microsoft device login flow. The device code authentication procedure is a legitimate Microsoft mechanism in which users can sign in via a browser code. The attack thus exploits a genuine authentication method to pressure users to voluntarily disclose their credentials or consent to access.
For security practitioners, this is relevant because classic technical warning systems based on page-level indicators (phishing URLs, domain spoofing) may not catch this. The genuine Microsoft infrastructure is abused as a lure, meaning that the communication carries Microsoft’s standard trust indicators. Security operations should monitor unexpected device code requests and subsequent authentication patterns in M365 audit logs.
Source: thehackernews.com · Published 7 July 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.