🟠 High  |  Source: The Hacker News


A phishing campaign dubbed DEBULL is exploiting Microsoft’s legitimate device code authentication flow to hijack Microsoft 365 accounts, without requiring a fake login page. Attackers use collaboration-themed lures to trick users into entering a device code on Microsoft’s own login portal, granting the attacker a valid access token. This technique is particularly dangerous because it bypasses traditional phishing indicators and can circumvent MFA.

Security Architect’s Take: Review and restrict device code flow (OAuth 2.0 device authorisation grant) in your Microsoft Entra ID Conditional Access policies — block or limit it to trusted, managed devices where possible. Additionally, enable sign-in risk policies and monitor for device code authentication events in your Entra ID sign-in logs, particularly from unfamiliar locations or user agents.

Original advisory: DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts