Microsoft 365 OAuth device code phishing campaign
Campaign
Summary
Hide ▲
Show ▼
Microsoft 365 device-code phishing activity in late June 2026 into early July used collaboration-themed lures and the legitimate Microsoft device login flow to capture tokens and enable account takeover. ZeroBEC said the campaign used a compromised rental website as a device-code orchestrator, and the activity shows strong overlap with Storm-2372 tradecraft while using a reusable tooling layer called DEBULL. Cisco Talos separately described ARToken, a related PhaaS panel with 80+ API endpoints for device-code phishing, PRT persistence, BEC, and SharePoint exfiltration.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
Microsoft Azure CLI password-spray campaign using ROPC
Campaign
H score24
First: 01.07.2026 08:46
Last: 01.07.2026 08:46
Sources 1
About this happening:
A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Microsoft Azure CLI password-spray campaign using ROPC
CampaignAbout this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
TA4922 expanded European phishing-and-malware campaign
Campaign
H score40
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
TA4922 expanded European phishing-and-malware campaign
CampaignAbout this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
H score33
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
Storm-2949 Microsoft 365 and Azure data-theft campaign
CampaignAbout this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
Timeline
-
19.12.2025 19:19 3 articles · 6mo ago
Microsoft 365 OAuth device code phishing campaign
Initial DisclosureThe earliest visible phase used **document-sharing lures** and localized company branding to push victims into Microsoft's device-code login flow. Entering the code there authorized attacker access to the account.
Show sources
- Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
- Microsoft 365 accounts targeted in wave of OAuth phishing attacks — www.bleepingcomputer.com — 19.12.2025 19:19
- DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts — thehackernews.com — 07.07.2026 18:14