DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts

Summary

A new phishing campaign, dubbed DEBULL tooling, is targeting Microsoft 365 accounts by abusing the legitimate Microsoft device-code flow. Attackers are using collaboration-themed lures to trick users into granting access to their accounts through the official Microsoft login process, bypassing traditional credential harvesting methods.

IFF Assessment

FOE

This campaign represents a sophisticated phishing technique that bypasses common defenses by leveraging a legitimate authentication flow, making it harder for defenders to detect and block.

Defender Context

Defenders should be aware of this new technique that abuses the Microsoft device-code flow for account takeover. Training users to recognize sophisticated social engineering tactics and scrutinize login prompts, even when they appear legitimate, is crucial. Monitoring for unusual device registrations or permissions granted to unfamiliar applications within Microsoft 365 environments could also aid in early detection.

Read Full Story →