🟠 High | Source: The Hacker News
A phishing campaign dubbed DEBULL is exploiting Microsoft’s legitimate device code authentication flow to hijack Microsoft 365 accounts, without requiring a fake login page. Attackers use collaboration-themed lures to trick users into entering a device code on Microsoft’s own login portal, granting the attacker a valid access token. This technique is particularly dangerous because it bypasses traditional phishing indicators and can circumvent MFA.
Security Architect’s Take: Review and restrict device code flow (OAuth 2.0 device authorisation grant) in your Microsoft Entra ID Conditional Access policies — block or limit it to trusted, managed devices where possible. Additionally, enable sign-in risk policies and monitor for device code authentication events in your Entra ID sign-in logs, particularly from unfamiliar locations or user agents.
Original advisory: DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts