A Microsoft 365 device code phishing campaign observed in late June and early July 2026 used collaboration-themed lures and a compromised Croatian rental website to trick victims into authorizing attacker sessions through Microsoft’s legitimate device login flow. ZeroBEC and Cisco Talos linked the activity to reusable tooling and PhaaS ecosystems including DEBULL, Storm-2372-style tradecraft, EvilTokens, ARToken, and Tycoon 2FA. #Microsoft365 #Storm2372 #DEBULL #EvilTokens #ARToken #Tycoon2FA
Keypoints
- The campaign abused Microsoft device code authentication instead of fake password pages.
- Victims were lured with payment and shared-folder pretexts to trigger the attack chain.
- The infrastructure used a compromised Croatian rental website as a device code orchestrator.
- ZeroBEC said the tooling likely involved DEBULL and GraphSpy-like post-exploitation workflows.
- Cisco Talos found ARToken, a PhaaS panel with APIs for PRT persistence, BEC, and SharePoint exfiltration.
Read More: https://thehackernews.com/2026/07/debull-tooling-abuses-microsoft-device.html