Skip to content
feed: live
>_ 0dayNews
microsoft
● Breaking

DEBULL Kit Runs M365 Device-Code Phishing, Storm-2372

ZeroBEC reports DEBULL — a device-code phishing kit repackaging Storm-2372 tradecraft — active against M365 tenants late June to early July. Block it.

airgap · Published · 3 min read

DEBULL — a phishing kit sold to affiliates — has been observed running Microsoft 365 device-code phishing between the last week of June and early July 2026, per ZeroBEC. Their assessment: strong overlap with the Storm-2372 tradecraft Microsoft Threat Intelligence attributed to a Russia-aligned actor in February 2025. Overlap, not confirmed same-actor attribution — treat DEBULL as a related tooling family until a vendor names it.

This is the second named device-code phishing kit in the past ten days. Cisco Talos disclosed ARToken / EvilTokens on 2026-07-04. Different kit, same OAuth flow, same defensive answer.

What’s confirmed

  • Active window. Late June 2026 through publication (2026-07-07), per ZeroBEC and The Hacker News. Confidence: high.
  • Mechanism. OAuth 2.0 Device Authorization Grant abuse. The victim is walked to the legitimate Microsoft device login page and prompted to enter a device code the affiliate operator generated in the victim’s tenant. No fake credential portal, no fake Microsoft login page. MFA does not stop this — the flow was designed for input-constrained devices and MFA challenges complete on the affiliate’s session once the code is entered. Confidence: high.
  • Lure. Collaboration-themed pretext, per ZeroBEC — not the credential-reset or Teams-notification pretext most password-phishing runs use. Confidence: high.
  • Infrastructure. Traffic observed routing through a compromised legitimate Croatian rental website acting as the device-code orchestrator. Confidence: as-reported.
  • Post-exploitation. GraphSpy or GraphSpy-derived tooling for Microsoft Graph reconnaissance, mailbox theft, and OneDrive theft after token capture. Confidence: as-reported.

What’s uncertain — treat accordingly

DEBULL vs Storm-2372. ZeroBEC frames DEBULL as a reusable tooling layer that repackages Storm-2372-style tradecraft. That is not the same as Microsoft or another primary source confirming the two clusters are the same actor. Both readings fit the reporting: DEBULL is a lower-skilled affiliate crew borrowing the tradecraft, or DEBULL is Storm-2372 running under rebranded tooling. Do not file this as Storm-2372 in your threat model until Microsoft or a major IR firm names it directly. Confidence: unconfirmed — treat accordingly.

Target list. Not disclosed in the ZeroBEC excerpt or the Hacker News writeup. Assume Microsoft 365 tenants broadly, particularly any tenant with device-code flow enabled and not gated by Conditional Access.

What to do

  • Block the OAuth device authorization grant in an Entra Conditional Access policy for populations that do not use device-code auth — most tenants have never intentionally enabled it, and Conditional Access can restrict authentication flows so device-code is off by default and allowed only for a named service-account or kiosk-device group. Microsoft’s Conditional Access authentication flows control documents the setting.
  • Alert on device-code sign-in successes in Entra sign-in logs — the successful token-issuance event carries authenticationProtocol == "deviceCode". Anything outside your pre-approved population is worth investigating on receipt, not the next morning.
  • On suspected compromise, revoke refresh tokens for the account before the affiliate’s session becomes persistent Microsoft Graph access.

If your tenant already gated device-code flow after the ARToken piece four days ago, you are done. If you did not — this is the second kit in ten days. It will not be the last.

Timeline

  • Feb 2025 — Microsoft Threat Intelligence publicly names Storm-2372 and links it to Russia-aligned device-code phishing.
  • 2026-07-04 — Cisco Talos discloses ARToken / EvilTokens PhaaS running the same OAuth flow.
  • Late June 2026 — earliest observed DEBULL activity, per ZeroBEC.
  • 2026-07-07 — ZeroBEC publishes the DEBULL / GraphSpy overlap analysis. The Hacker News covers it the same day.

Filed as observed campaign, assessed overlap. This piece gets an update if Microsoft Threat Intelligence, CISA, or a major IR firm names DEBULL directly.

Found this useful? Share it.