Cybersecurity researchers have revealed a phishing campaign that is exploiting Microsoft's legitimate device authentication process to seize control of Microsoft 365 accounts, reflecting a broader shift in how cybercriminals are conducting identity-focused attacks. Rather than stealing passwords through counterfeit login pages, the operation manipulates victims into completing a genuine Microsoft authentication process, allowing attackers to obtain valid authentication tokens that grant direct access to compromised accounts.
The campaign, tracked by email security firm ZeroBEC, was observed between the final week of June and early July 2026. Investigators found that the attackers relied on collaboration-themed phishing lures that directed recipients to Microsoft's authentic device login experience instead of fraudulent credential harvesting websites. Behind the scenes, a backend broker generated Microsoft device authentication codes and continuously polled the authentication process until victims completed the sign-in sequence, enabling the attackers to capture valid authentication tokens without ever collecting passwords.
Researchers noted that the activity closely resembles techniques previously documented by Microsoft in its investigation of the threat cluster known as Storm-2372. That campaign, first disclosed in February 2025, used fake Microsoft Teams invitations and messaging-themed social engineering to persuade victims to enter attacker-generated device codes. Once authentication was completed, the attackers received valid access tokens that allowed them to take over Microsoft 365 accounts. Microsoft said Storm-2372 had targeted organizations across government, defense, healthcare, telecommunications, higher education, information technology, energy, and non-governmental sectors spanning Europe, North America, Africa, and the Middle East. The company also stated that the attacks abused legitimate authentication functionality rather than exploiting vulnerabilities in Microsoft products.
Although the latest campaign mirrors many of Storm-2372's tactics, ZeroBEC believes the operation is powered by a reusable phishing framework called DEBULL rather than the original threat actor itself. The researchers concluded that techniques once associated with advanced threat groups are now being packaged into reusable infrastructure that enables multiple operators to launch similar attacks with far less effort. This evolution reflects the continuing commercialization of identity-focused phishing operations, where sophisticated attack methods are increasingly offered through phishing-as-a-service platforms instead of being developed independently by individual threat actors.
At the center of the campaign is device code phishing, an attack technique that abuses the OAuth 2.0 Device Authorization Grant, a legitimate authentication mechanism designed for devices that cannot easily support traditional browser-based sign-ins. The workflow is commonly used by devices such as smart televisions, printers, conference room equipment, and other systems with limited input capabilities. Instead of entering credentials directly on those devices, users receive a short verification code that must be entered on another device through Microsoft's official authentication portal to complete the login process.
Threat actors exploit the separation between the device requesting authentication and the browser used to authorize it. Rather than creating counterfeit Microsoft login pages, attackers initiate their own device authentication session, obtain a legitimate verification code from Microsoft, and deliver that code to victims through convincing phishing emails. When recipients unknowingly enter the supplied code into Microsoft's authentic login page and complete the sign-in process, they authorize the attackers' session instead of their own, handing over valid authentication tokens that can be used to access Microsoft 365 resources. Because the victim is interacting with a genuine Microsoft service, traditional indicators of phishing, such as suspicious URLs or fake login portals, are largely absent.
Security researchers have increasingly warned that device code phishing represents a natural evolution of identity attacks. As organizations strengthened defenses against conventional credential phishing and adversary-in-the-middle attacks, threat actors shifted toward abusing trusted authentication workflows that require no password theft and can effectively circumvent multi-factor authentication protections by obtaining legitimate session tokens directly from users. Proofpoint recently reported a sharp increase in device code phishing activity during 2026, attributing the growth to publicly available criminal toolkits and the rapid expansion of phishing-as-a-service platforms that have made these techniques accessible to a wider range of cybercriminals.