DEBULL Tool Abuses Microsoft Device-Code Flow to Target M365 Accounts

Article Content
The Rise of Phishing-as-a-Service: How the DEBULL Tool Hijacks M365 Sessions Beyond the Reach of Standard 2FA
For years, cybersecurity professionals have championed multi-factor authentication (MFA) as the ultimate line of defense against credential harvesting. However, as defensive boundaries have solidified, cybercriminals have shifted their strategy from stealing passwords to hijacking the active session tokens that grant direct, long-term access to corporate environments. The discovery of the DEBULL tool in late June and early July of 2026 highlights this tactical evolution. Documented in a comprehensive threat report by email security firm ZeroBEC, this highly specialized Phishing-as-a-Service (PhaaS) platform exploits a legitimate, built-in Microsoft identity protocol—the OAuth 2.0 Device Authorization Grant—to bypass traditional two-factor authentication (2FA) and compromise enterprise Microsoft 365 (M365) accounts.
Traditional phishing campaigns typically rely on Adversary-in-the-Middle (AitM) infrastructures to spin up replica login pages. These pages act as proxies, capturing credentials and active session cookies in real-time as the victim authenticates. While AitM kits are highly effective, they are increasingly detected by modern secure email gateways and endpoint security solutions that flag anomalous domains. The DEBULL tool side-steps this detection vector entirely. Instead of routing the victim to a fraudulent, look-alike domain to harvest passwords, the platform manipulates the victim into logging into Microsoft’s authentic, trusted login experience, leveraging the victim’s own browser to authorize access for the attacker.
Understanding the Target: The OAuth 2.0 Device Authorization Grant Flow
To comprehend why the DEBULL tool is so effective, security teams must understand the mechanics of the Device Authorization Grant flow, commonly referred to as the device-code flow. This protocol extension (RFC 8628) was natively designed to assist input-constrained devices—such as smart TVs, printers, IoT hardware, and headless command-line interfaces (CLIs)—that lack a full web browser or physical keyboard. Rather than forcing users to type complex passwords on a television remote control, the device-code flow decouples the authentication process from the secondary device.
Under normal operations, the device-code authentication flow follows a predictable, highly secure series of steps:
- The Authorization Request: An unauthenticated application on an input-constrained device sends a POST request to Microsoft’s authorization endpoint:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode. This request includes the client identifier (client_id) of the application and the requested permission scope. - Code Generation: The Microsoft Identity Platform returns a JSON payload containing a unique, short-lived, eight-character alphanumeric
user_code, along with a verification URL (typicallyhttps://microsoft.com/devicelogin). - User Verification: The device displays the code and the URL to the user. The user then switches to a primary, secure device—such as a personal computer or smartphone—navigates to the official Microsoft page, enters the eight-character code, and completes their standard enterprise login, including any required 2FA challenges.
- Token Transfer: While the user is authenticating, the input-constrained device repeatedly polls Microsoft’s token broker. The moment the user successfully validates the code, the token broker returns active OAuth access tokens and refresh tokens to the polling device, establishing an authenticated session.
In a malicious scenario, the threat actor’s infrastructure simply acts as the “constrained device,” tricking an authenticated corporate user into entering the code on their behalf.
Dissecting the Attack Chain of the DEBULL Tool
The campaign orchestrating the DEBULL tool began intensifying during the last week of June 2026. The technical tradecraft deployed by the operators is remarkably sophisticated, designed to optimize click-through rates and bypass modern security filters through a carefully orchestrated four-stage pipeline:
Phase 1: Hyper-Personalized Lures and Account Takeover (ATO) Jumping
The attack initiates with targeted, collaboration-themed phishing emails designed to mimic routine Microsoft Teams notifications, shared-folder requests, or urgent payment pretexts. To ensure these emails bypass standard email security gateways, the threat actors frequently employ a technique known as Account Takeover (ATO) jumping. In this scenario, the attackers compromise an initial, benign corporate email account within a trusted supply chain and use its legitimate infrastructure to blast phishing emails to a broader list of corporate contacts. Because the email originates from a trusted internal domain or a recognized external partner, it easily evades basic sender policy framework (SPF) and domain keys identified mail (DKIM) filters.
Phase 2: The Device Code Orchestrator
When the target clicks the embedded link or button in the phishing email, they are not sent to a Microsoft page immediately. Instead, they are routed through a legitimate-but-compromised website—such as a compromised Croatian rental website observed by ZeroBEC—which acts as an active “device code orchestrator”. The moment the victim visits this orchestrator page, the backend server dynamically initiates a call to Microsoft’s /devicecode endpoint. This dynamic generation is a critical tactical upgrade; by generating the device code on the fly at the precise second the victim clicks the link, the attackers ensure that the code’s standard 15-minute expiration window never expires before the user acts
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


