Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft 365 OAuth device code phishing campaign

Campaign
First reported
Last updated
Happening score
H score 32
2 unique sources, 2 articles

Summary

Hide ▲

Microsoft 365 device-code phishing activity in late June 2026 into early July used collaboration-themed lures and the legitimate Microsoft device login flow to capture tokens and enable account takeover. ZeroBEC said the campaign used a compromised rental website as a device-code orchestrator, and the activity shows strong overlap with Storm-2372 tradecraft while using a reusable tooling layer called DEBULL. Cisco Talos separately described ARToken, a related PhaaS panel with 80+ API endpoints for device-code phishing, PRT persistence, BEC, and SharePoint exfiltration.

Related Happenings

O-UNC-066 / Pink Microsoft Entra passkey vishing campaign

Campaign
H score37 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...

Microsoft Azure CLI password-spray campaign using ROPC

Campaign
H score24 First: 01.07.2026 08:46 Last: 01.07.2026 08:46 Sources 1

About this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...

TA4922 expanded European phishing-and-malware campaign

Campaign
H score40 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

Storm-2949 Microsoft 365 and Azure data-theft campaign

Campaign
H score33 First: 19.05.2026 22:35 Last: 19.05.2026 22:35 Sources 1

About this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...

Timeline

  1. 19.12.2025 19:19 3 articles · 6mo ago

    Microsoft 365 OAuth device code phishing campaign

    Initial Disclosure

    The earliest visible phase used **document-sharing lures** and localized company branding to push victims into Microsoft's device-code login flow. Entering the code there authorized attacker access to the account.

    Show sources