A Microsoft 365 device code phishing campaign has been observed leveraging collaboration-themed lures to take control of victim accounts between the last week of June 2026 and into early July, per findings from ZeroBEC.

"The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience, while a backend broker generated and polled Microsoft Authentication Broker device-code tokens," the email security company said in a report shared with The Hacker News.

The activity is assessed to share "strong" overlaps with a campaign documented by Microsoft in February 2025 under the moniker Storm-2372, including the use of messaging or Teams-style lures to trick unsuspecting victims into entering an attacker-provided device code, along with their credentials, effectively allowing the threat actor to recover the token and hijack their account.

Despite these similarities, it's assessed that the threat actors are employing Storm-2372-style tradecraft through what has been described as a reusable tooling layer called DEBULL.

Device code phishing refers to an identity theft technique where attackers exploit a legitimate OAuth 2.0 authentication mechanism, specifically the Device Authorization Grant flow, to bypass multi-factor authentication (MFA) and gain persistent account access without having to steal user passwords.