DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts

A sophisticated phishing campaign has been observed exploiting Microsoft 365's device code flow to gain unauthorized access to user accounts. The campaign, which ran from the last week of June into early July, utilized collaboration-themed lures to trick victims into compromising their credentials.
The attackers employed a technique that abuses the legitimate device code authorization flow within Microsoft 365. This method allows users to authenticate to a service on a device that may not have an easy way to enter credentials, such as a smart TV or a gaming console, by visiting a specific URL and entering a code displayed on the device.

In this campaign, threat actors directed victims to a fake Microsoft login page after they clicked on a phishing link embedded in a lure email. These emails often mimicked legitimate communications, potentially related to shared documents or collaboration tools, to appear more convincing.
Once a victim entered their Microsoft 365 credentials on the fraudulent page, the attackers would use these stolen credentials to initiate the device code flow. This process would then prompt the victim to visit a legitimate Microsoft authorization URL and enter a code provided by the attacker.
By completing this second step, the victim inadvertently grants the attacker's application access to their Microsoft 365 account. This grants the attacker a broad range of permissions, enabling them to potentially access emails, files, contacts, and other sensitive data stored within the Microsoft 365 environment.

The effectiveness of this method lies in its ability to bypass traditional multi-factor authentication (MFA) for the initial login, as the device code flow is designed to be a convenient authentication method. While MFA can still be a layer of defense, the attackers are leveraging a legitimate Microsoft process to gain an initial foothold.
The campaign was identified by researchers at ZeroBEC, who observed its activity during the specified timeframe. The use of collaboration-themed lures suggests an attempt to blend in with typical business communications, increasing the likelihood of success.
Organizations using Microsoft 365 should remain vigilant against phishing attempts. Implementing robust security awareness training for employees is crucial, emphasizing the importance of scrutinizing email content, sender addresses, and any requests for credentials or authentication codes.
Additionally, reviewing and restricting the types of third-party applications that can access Microsoft 365 accounts can help mitigate the impact of such attacks. Regularly auditing application permissions and disabling unnecessary ones is a recommended security practice.





