The Point: Attackers exploit the legitimate Microsoft authentication flow as an attack vector, bypassing traditional anti-phishing controls through social engineering lures.
A phishing campaign targeting Microsoft 365 accounts has been active since late June 2026, leveraging Microsoft’s legitimate device-code login flow via collaboration-themed lures. Security researchers from ZeroBEC document the attacks, which operate without fake login pages.
The campaign dubbed DEBULL targets Microsoft 365 users and employs collaboration-themed lures to prompt users to enter a device code on a legitimate Microsoft authentication page. Unlike conventional phishing attacks, no fraudulent login portal is hosted — instead, the genuine Microsoft authentication system is abused as an attack surface.
The attack vector works as follows: victims receive social engineering messages instructing them to enter a device code provided by the attackers. These codes are then entered on the authentic Microsoft device login page, while attackers simultaneously use a browser session with the stolen credentials to gain access to the target account. The abuse of the device-code flow — an authentication mechanism for devices without full-fledged browsers — allows attackers to bypass the normal user agent.
For CISOs, this attack type requires heightened attention to device-code flows and review of login attempts with unusual context. Classic indicators such as phishing URLs or suspicious forms are absent, causing traditional email filters and link-scanning tools to reach their limits. A combination of user training on legitimate authentication processes and additional device or behavioral rules on the identity and access management systems side becomes necessary.
Source: thehackernews.com · Published July 7, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.3.