Device Code Phishing Campaigns Escalate, Leveraging Advanced PhaaS Platforms
A new wave of sophisticated device code phishing campaigns targeting **Microsoft 365** users has emerged, exploiting legitimate OAuth 2.0 flows to bypass multi-factor authentication (MFA). These attacks, observed by **ZeroBEC**, leverage collaboration-themed lures and advanced phishing-as-a-service (PhaaS) platforms like **DEBULL** and **ARToken** to achieve full account takeover and persistent access.
# Device Code Phishing Campaigns Escalate, Leveraging Advanced PhaaS Platforms
Cybersecurity researchers are sounding the alarm on a surge in device code phishing campaigns targeting **Microsoft 365** users. These highly effective attacks sidestep traditional password theft by exploiting a legitimate **OAuth 2.0** authentication mechanism, the Device Authorization Grant flow, to gain persistent account access and bypass multi-factor authentication (MFA).
## The Rise of Device Code Phishing
Between late June and early July 2026, **ZeroBEC** identified a campaign employing collaboration-themed lures to trick victims into authenticating a malicious device. Unlike conventional phishing, which relies on fake login pages, device code phishing manipulates users into interacting with a legitimate **Microsoft** device login experience while a backend broker generates and polls device-code tokens.
This activity shows strong parallels with a campaign **Microsoft** documented in February 2025, dubbed **Storm-2372**. Both campaigns utilize messaging or Teams-style lures, prompting unsuspecting users to enter an attacker-provided device code and their credentials, ultimately allowing threat actors to hijack accounts.

## Understanding the Attack Vector
Device code authentication is a legitimate **OAuth** flow designed for devices with limited interfaces, such as smart TVs or printers. Users are presented with a short code on the device and prompted to enter it into a web browser on a separate device to complete authentication.
Threat actors exploit this separation by initiating the authentication flow and then sharing the generated code with the target via a phishing lure. When the user enters the code, they unknowingly authorize the threat actor's session, granting them access to the account without requiring the user's password or bypassing MFA directly through brute force.
As **Huntress** notes, "Device code phishing doesn't hack its way in. It uses a legitimate authentication flow to walk right through the front door, with no password required, MFA bypassed, and session tokens handed straight to the attacker."
## Impact of Successful Attacks
Successful device code phishing attacks can lead to severe consequences, including:
* Full account takeover
* Theft of valuable information
* Fraud
* Business Email Compromise (BEC)
* Lateral movement within a compromised environment
* Disruptive attacks like ransomware
## Advanced Phishing-as-a-Service (PhaaS) Platforms
Modern device code phishing campaigns are becoming increasingly sophisticated, often powered by PhaaS offerings. **Proofpoint** observed in May 2026 that these new implementations dynamically generate codes when a user clicks a phishing link, enabling operators to purchase or create these attack chains through platforms like **EvilTokens** or **Tycoon**.
These campaigns also utilize account takeover (ATO) jumping, where a compromised email account is used to send phishing links to a broader contact list, initiating the **Microsoft** device authorization process.
## DEBULL: A Reusable Tooling Layer
**ZeroBEC**'s observed campaign involved payment and shared-folder pretexts in phishing emails. Victims were directed to a legitimate-but-compromised Croatian rental website, which acted as a device code orchestrator, initiating the **Microsoft** device code challenge chain.
Further analysis revealed that the threat actors are employing **Storm-2372**-style tradecraft through a reusable tooling layer called **DEBULL**. This platform is likely a PhaaS offering that integrates **GraphSpy** or a **GraphSpy**-derived workflow for **Microsoft 365** and **Entra** post-exploitation. **DEBULL** provides both campaign and operator-facing layers, allowing operators to define page names, edit HTML/CSS/JavaScript, and choose how lures are published, without altering the backend identity stack.
## ARToken: A Comprehensive BEC Operations Environment
Concurrently, **Cisco Talos** identified a fully-featured PhaaS operator panel branded **ARToken**, sharing infrastructure and operational patterns with the **EvilTokens** device code phishing platform. **ARToken** offers affiliates a comprehensive toolkit, exposing over 80 API endpoints for:
* Device code phishing
* Primary Refresh Token (PRT) persistence
* Email access
* Business Email Compromise (BEC) operations
* SharePoint exfiltration

Like **DEBULL**, **EvilTokens** enables attackers to weaponize harvested tokens to exfiltrate emails, files, and sensitive data from compromised **Microsoft** accounts, conduct reconnaissance via the **Microsoft Graph API**, and establish persistent access. Notably, **EvilTokens** also incorporates AI-powered features to automate and scale BEC workflows, such as sifting through emails to identify finance-related threads and drafting BEC emails.
**ARToken** extends this capability by functioning as a complete post-compromise toolkit, allowing operators to leverage captured access tokens for maintaining access, performing email operations, accessing **OneDrive** and **SharePoint**, and browsing victim **Microsoft 365** sessions outside the panel using a dedicated tool known as **ARTBrowser**.
"These features indicate the platform is more mature than a simple device code phishing kit - it is a complete BEC operations environment," stated **Talos** researcher Michael Kelley.
## Mitigating the Threat
Organizations and users must remain vigilant against these evolving threats. Key mitigation strategies include:
* **Enhanced User Education**: Train users to recognize the signs of device code phishing, emphasizing that they should never enter codes provided in unsolicited emails or messages into legitimate **Microsoft** login prompts.
* **Strong MFA Policies**: While device code phishing bypasses some MFA implementations, robust MFA solutions and conditional access policies can still provide layers of defense.
* **Regular Security Audits**: Continuously monitor **Microsoft 365** environments for suspicious activity, unauthorized device registrations, and unusual authentication patterns.
* **Endpoint Detection and Response (EDR)**: Implement EDR solutions to detect and respond to post-compromise activities like data exfiltration or lateral movement.
* **Email Security Gateways**: Deploy advanced email security solutions capable of detecting and blocking sophisticated phishing lures.
As threat actors continue to innovate, staying informed about new attack vectors and strengthening defensive postures is paramount for protecting sensitive data and maintaining organizational security.