DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts
A new phishing campaign utilizes the "DEBULL" tooling to abuse Microsoft’s legitimate Device Code Flow, bypassing Multi-Factor Authentication (MFA) and stealing session tokens without requiring user passwords. The attack leverages reusable Phishing-as-a-Service (PhaaS) infrastructure, specifically integrating with GraphSpy-derived workflows for post-authentication exploitation of Microsoft 365 and Entra accounts. Threat actors employ social engineering lures, such as fake collaboration or paymen
Analysis
TL;DR
- A new phishing campaign utilizes the "DEBULL" tooling to abuse Microsoft’s legitimate Device Code Flow, bypassing Multi-Factor Authentication (MFA) and stealing session tokens without requiring user passwords.
- The attack leverages reusable Phishing-as-a-Service (PhaaS) infrastructure, specifically integrating with GraphSpy-derived workflows for post-authentication exploitation of Microsoft 365 and Entra accounts.
- Threat actors employ social engineering lures, such as fake collaboration or payment notifications, directing victims to compromised legitimate websites that orchestrate the device code authentication challenge.
- This tradecraft shows strong overlaps with the previously documented "Storm-2372" campaign, indicating a shift toward modularized, operator-friendly tools that decouple lure creation from backend identity theft mechanisms.
Why It Matters
This development highlights a critical evolution in identity-based attacks where threat actors are moving away from complex Adversary-in-the-Middle (AitM) setups toward abusing native, trusted authentication protocols like OAuth Device Authorization. For security practitioners, this underscores the urgent need to monitor for anomalous device code generation and non-standard client IDs, as traditional password-based defenses and standard MFA prompts are rendered ineffective by this token-stealing methodology.
Technical Details
- Mechanism: Attackers initiate a legitimate Microsoft Device Authorization Grant flow, generating a unique user code. Victims are tricked via phishing lures into entering this code and their credentials on a legitimate Microsoft login page, allowing the attacker’s backend broker to poll for and capture the resulting access/refresh tokens.
- Tooling (DEBULL): A reusable PhaaS platform that provides operator-facing controls for defining lures, HTML/CSS/JS templates, and publishing methods. It acts as the campaign-facing layer, while likely utilizing GraphSpy or similar derived code for the post-authentication layer to manage Microsoft 365 and Entra resources.
- Infrastructure: The campaign uses compromised legitimate websites (e.g., a Croatian rental site) as intermediaries to host the device code orchestrator. This allows for dynamic code generation upon link click, enabling persistent attack chains even if the initial email is viewed later.
- Post-Exploitation: Once tokens are harvested, attackers can perform Business Email Compromise (BEC), lateral movement, data exfiltration from SharePoint, and maintain persistent access via Primary Refresh Tokens (PRT), as seen in related platforms like ARToken and EvilTokens.
Industry Insight
- Shift to Modular PhaaS: The emergence of DEBULL indicates that identity theft capabilities are becoming highly commoditized and modular. Security teams must assume that any sophisticated phishing campaign may be powered by standardized, off-the-shelf broker infrastructure rather than custom-built malware.
- Monitoring Gaps: Traditional security monitoring often ignores legitimate OAuth flows. Organizations should implement strict Conditional Access policies that restrict device code authentication to known, approved applications and monitor for unusual spikes in device code requests or logins from unexpected client IDs.
- User Education Limitations: Since this attack uses legitimate Microsoft interfaces, user training alone is insufficient. Defense strategies must rely heavily on technical controls, such as blocking device code flows for high-risk users or enforcing certificate-based authentication where possible.
Disclaimer: The above content is generated by AI and is for reference only.