"The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience," ZeroBEC reported, summarizing an attack pattern observed between late June and early July 2026.
How the Microsoft Device Authorization Grant flow is being weaponized
Attackers in the observed campaign abused the OAuth 2.0 Device Authorization Grant — the Microsoft device-login flow — to obtain session tokens without stealing passwords or directly defeating multifactor authentication. As the source material explains, device code authentication is intended for constrained devices: a short code is shown on a device and a user enters that code at a browser on another device to complete sign-in. Threat actors insert themselves into that separation by generating a device code, sharing it with a target via a phishing lure, and then polling Microsoft's authentication broker until the user completes the legitimate prompt. Huntress summarized the technique bluntly: "Device code phishing doesn't hack its way in... it uses a legitimate authentication flow to walk right through the front door, with no password required, MFA bypassed, and session tokens handed straight to the attacker."
DEBULL: a reusable broker and campaign-facing layer
ZeroBEC's analysis attributes the June–July activity to a reusable tooling layer called DEBULL that packages Storm-2372-style tradecraft into an operator-facing platform. The observed workflow used collaboration- and payment-themed lures to get victims to click URLs that redirected them to a legitimate-but-compromised Croatian rental website, which then acted as an orchestrator for the device-code challenge chain. ZeroBEC noted Turkish-language developer markers in the infrastructure but said those clues were insufficient for definitive attribution.
According to ZeroBEC, DEBULL exposes a campaign-facing interface where operators "can define a page name and slug, edit HTML, CSS, and JavaScript directly, then choose how the lure is published." Embedded templates included a Microsoft 365 device-code authentication page, an OAuth callback page, and modern landing pages. That separation — a changeable lure layer with a stable backend identity stack — is central to DEBULL's design: "The lure can be changed without changing the backend identity stack," ZeroBEC said.
Post-compromise tooling and the broader PhaaS ecosystem
The campaign appears to be part of a broader phishing-as-a-service (PhaaS) ecosystem that couples device-code brokers with post-compromise toolkits. ZeroBEC said DEBULL likely uses GraphSpy or GraphSpy-derived workflows for Microsoft 365 and Entra post-exploitation. Cisco Talos separately described a full-featured PhaaS operator panel branded ARToken that "shares infrastructure, API contracts, and operational patterns with the EvilTokens device code phishing platform." Talos said the ARToken panel exposes more than 80 API endpoints for device code phishing, Primary Refresh Token (PRT) persistence, email access, BEC operations, and SharePoint exfiltration, and provides operators with a React-based dashboard.
Talos researcher Michael Kelley emphasized that panels like ARToken function as complete post-compromise toolkits rather than simple kits. The source material likewise notes that EvilTokens and similar tooling enable operators to weaponize harvested tokens to exfiltrate email and files, query Microsoft Graph API, and establish persistence. Proofpoint added that device-code attack chains can be purchased via PhaaS offerings such as EvilTokens or Tycoon, while eSentire reported that Tycoon 2FA operators have repurposed their kit to serve as an OAuth device code phishing delivery framework.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: The observed decomposition — a changeable front-end lure with a reusable backend broker and GraphSpy-derived post-auth workflows — means detection and response may need to focus beyond fake login pages to the lifecycle of harvested OAuth tokens, PRT persistence, and Graph API activity tied to compromised sessions.
- Affected enterprises and procurement leaders: The availability of PhaaS offerings like EvilTokens, ARToken, and Tycoon 2FA — complete with dashboards and API endpoints for BEC and exfiltration — indicates that sophisticated post-compromise capabilities are being packaged and sold. That makes adversary capability more accessible to lower-skilled affiliates and raises operational risk around account takeover and data theft.
- End users and the general public: In the observed lures, victims were urged to complete legitimate device-login prompts — sometimes by clicking buttons, hyperlinks, embedded documents, or QR codes sent from compromised accounts — and thereby unwittingly granted attackers access. The attack uses a real microsoft.com/devicelogin flow rather than a fake password page, which complicates simple visual cues for users.
Conclusion
ZeroBEC's core assessment is concise: "The more useful conclusion is that Storm-2372-style identity tradecraft is now being packaged into reusable broker infrastructure." The record assembled in late June and early July 2026 shows device-code phishing moving from bespoke campaigns toward commodified tooling: changeable lures front a persistent backend that harvests legitimate tokens and feeds them into mature post-compromise panels. The reporting leaves a concrete open point — Turkish-language markers were present but not definitive — underscoring that, for now, the technical contours of the threat are clearer than the actors behind it.




