Connect with us

CyberSecurity

Inside DEBULL: How Threat Actors Weaponize Microsoft’s Device-Code Flow to Hijack M365 Accounts

Published

on

device-code phishing

The Attack That Doesn’t Need a Fake Login Page

Most phishing attacks rely on a convincing replica of a login page. The user types credentials, and the attacker grabs them. Simple. But a campaign spotted by ZeroBEC between late June and early July 2026 took a different approach. It didn’t need a fake Microsoft password page at all.

Instead, attackers pushed victims into the legitimate Microsoft device login experience. The trick? Weaponizing a feature designed for convenience: device-code flow, also known as device-code authentication.

The tooling behind this campaign, tracked as DEBULL, represents a growing threat to Microsoft 365 (M365) accounts. And the lures? They look like collaboration invites — the kind employees click without thinking twice.

How Device-Code Flow Becomes a Weapon

Device-code flow was built for devices that can’t handle a full browser login — smart TVs, IoT gadgets, or command-line tools. The user gets a code, enters it on a separate device, and authenticates. It’s useful. But it also has a dangerous property: the authentication happens on the attacker’s session, not the victim’s.

Here’s how the DEBULL campaign exploits that:

  • The attacker initiates a device-code authentication request for a legitimate M365 application.
  • The victim receives a lure — typically an email or message about a shared document, calendar invite, or team collaboration — that directs them to microsoft.com/devicelogin.
  • The victim enters the code shown in the lure. This ties the attacker’s session to the victim’s approval.
  • The attacker now holds a valid token. They can access the victim’s email, files, and contacts without ever knowing the password.

No fake page. No stolen password. Just a clever abuse of a legitimate flow. The victim thinks they’re approving access to a shared file. In reality, they’re handing over their account.

Collaboration Lures: The Hook That Works

ZeroBEC’s analysis highlights that the campaign leaned heavily on collaboration-themed phishing lures. These aren’t generic “your account has been compromised” scare tactics. They’re specific: a shared OneNote notebook, a Teams meeting invitation, a document from a colleague.

For someone working in a busy office, that’s plausible. You get a message saying “Sarah shared a file with you” — you click. The page looks official because it is official. Microsoft’s own login flow. The only difference is the attacker chose the code.

This is social engineering at its most surgical. The attacker doesn’t need to spoof Microsoft’s UI. They just need the victim to trust the context of the message.

DEBULL Tooling: What Makes It Different

The name DEBULL refers to the specific tooling used to automate this attack. Unlike manual device-code phishing, DEBULL operates at scale. It can generate device codes, send lures, and harvest tokens automatically.

Key characteristics of DEBULL include:

  • Automated code generation – The tool requests multiple device codes from Microsoft’s OAuth 2.0 endpoint, cycling through them to avoid detection.
  • Integration with email or messaging platforms – It sends lures that appear to come from trusted collaboration services.
  • Token harvesting – Once a victim enters the code, DEBULL captures the resulting access token and refresh token, granting persistent access.

This isn’t a one-off phishing kit. It’s a modular framework designed for repeated use. And because the authentication happens on Microsoft’s own servers, traditional security filters — the ones that flag fake login pages — don’t catch it.

Why This Is Hard to Detect

Device-code flow abuse is notoriously tricky to stop. Here’s why:

  • No phishing domain – The victim never leaves Microsoft’s legitimate site. URL filters see login.microsoftonline.com and allow it.
  • No credential entry – Passwords aren’t typed or stolen. The attacker authenticates using the victim’s approval, not their password.
  • Tokens live longer – Refresh tokens can remain valid for days or weeks, even if the victim changes their password.

ZeroBEC noted that the campaign targeted M365 accounts specifically, likely because of the rich data inside: email threads, SharePoint files, Teams chats. Once inside, an attacker can pivot to business email compromise (BEC) or data exfiltration.

Organizations relying solely on password-based security miss this entirely. Multi-factor authentication (MFA) helps — but only if the MFA challenge is tied to the legitimate session. In device-code flow, the MFA prompt appears on the attacker’s device, not the victim’s.

How to Defend Against Device-Code Phishing

There’s no single fix, but several measures reduce the risk:

  • Disable device-code flow – For most users, device-code authentication isn’t necessary. Administrators can block it in Azure AD conditional access policies.
  • Educate users – Train employees to recognize that entering a code on microsoft.com/devicelogin grants access to someone else. If they didn’t initiate the request, they shouldn’t enter the code.
  • Monitor for unusual token activity – Security teams can audit token grants and look for device-code authentications from unexpected locations or devices.
  • Use token binding – Where possible, enforce token binding to tie tokens to specific devices, making stolen tokens harder to reuse.

Microsoft has also taken steps to limit abuse, including rate-limiting device-code requests and adding warnings in the device-login interface. But attackers adapt. DEBULL is proof that device-code phishing isn’t going away.

The bottom line? The most dangerous attacks don’t always look like attacks. Sometimes they look like a shared file from a colleague — and a code that seems harmless to type.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access Vulnerability

Published

on

Bad Epoll exploit

A Dangerous Linux Flaw Just Got Easier to Weaponize

Security teams just got a new headache. A working proof-of-concept exploit for a nasty Linux kernel bug called Bad Epoll is now circulating publicly. Tracked as CVE-2026-46242 with a CVSS score of 7.8, this flaw lets any unprivileged process on a vulnerable system claw its way up to root privileges. Desktops, servers, and even Android phones are in the crosshairs.

The exploit code, published by researcher Jaeyoung Chung from Seoul National University’s Computer Security Lab, turns a tricky race condition into a reliable weapon. For organizations that haven’t patched yet, the clock is now ticking much louder.

What Is Bad Epoll? A Race Condition in the Kernel’s Event Engine

To understand the danger, you need to know about epoll. It’s the Linux kernel’s high-performance I/O event notification facility. Instead of forcing a program to repeatedly check dozens or hundreds of file descriptors (a process called polling), the kernel maintains an epoll instance. That instance keeps an interest list and a ready list, efficiently telling the program which file descriptors have events waiting.

Bad Epoll is a close-vs-close race condition buried in epoll’s file-release path. The result? A classic use-after-free bug. Here’s the gist: if one epoll list of file descriptors is monitoring another, and both are closed at almost the same instant, the kernel frees one memory object while the other continues trying to write to it. That’s a recipe for memory corruption — and a golden ticket for attackers.

How the Exploit Works: From Memory Leak to Root Shell

Chung’s Bad Epoll exploit doesn’t just crash the system. It’s carefully engineered for privilege escalation. First, it triggers the race condition to leak kernel memory. Then it hijacks an indirect call, taking control of the CPU’s instruction pointer register. From there, a Return-Oriented Programming (ROP) chain does the rest, ultimately granting root access to the attacker.

This is not a theoretical exercise. The Bad Epoll exploit code is a working weapon, and it’s now in the public domain.

A Bug That Was Hard to Find — and Harder to Fix

Bad Epoll has a curious backstory. It was introduced in 2023, in the same kernel commit that brought us CVE-2026-43074 — another epoll race condition discovered by Anthropic’s Mythos AI. Why did Mythos miss Bad Epoll? Because once CVE-2026-43074 was patched, Bad Epoll stopped triggering KASAN (Kernel Address Sanitizer), the kernel’s dynamic memory error detector. The bug went silent, but it didn’t go away.

Fixing it wasn’t simple either. Chung notes that the maintainers’ first patch didn’t fully resolve the issue. A correct fix landed only two months after the initial report. For a kernel project that usually treats security bugs with extreme urgency, that’s a long time.

Which Systems Are at Risk?

Any Linux distribution running kernel version 6.4 or newer is vulnerable. That covers a huge swath of the modern Linux ecosystem. Google has also confirmed that Pixel 10 devices, which ship with kernel 6.6, are affected.

How to Protect Your Systems

  • Patch immediately. The fix is available in kernel versions 6.10 and later. Backports for older stable kernels are also rolling out. Check your distro’s security advisories.
  • Prioritize internet-facing servers and multi-user systems. Those are the most likely targets for local privilege escalation attacks.
  • Monitor for unusual activity. The Bad Epoll exploit leaves traces. Watch for unexpected kernel crashes or suspicious processes gaining elevated privileges.
  • Review your Android device update policy. Pixel 10 devices need the July 2026 security patch. Other Android vendors are pushing updates too.

For more on keeping your Linux systems secure, check out our guide on Linux kernel security best practices. And if you’re managing mobile devices, our Android enterprise security checklist is a good place to start.

The Bottom Line

The release of a public Bad Epoll exploit changes the risk equation. What was once a theoretical vulnerability is now a practical attack tool. Patching is no longer optional — it’s mandatory. The bug has a high severity score, a working exploit, and a broad attack surface. Organizations that delay are taking an unnecessary gamble.

Continue Reading

CyberSecurity

Estonia Is About to Give AI Agents Their Own State IDs. Here’s Why That Matters.

Published

on

Estonia AI agent IDs

The World’s Most Digital Nation Is Pushing Further

Estonia has long been the poster child for digital government. Citizens vote online, file taxes in minutes, and sign documents with a digital ID that’s been around since 2002. Now the Baltic nation is eyeing a new frontier: giving AI agents their own state-issued identities.

The idea is straightforward but radical. If an AI assistant can hold a verified state ID, it could interact with government portals on your behalf — filing forms, checking records, even applying for permits. Estonia’s government is actively exploring how to make this work, and the implications reach far beyond its 1.3 million residents.

“We’re looking at how to create a legal framework for AI agents to act as representatives,” said a senior official from Estonia’s e-Governance Academy in a recent briefing. The goal is to let citizens delegate routine bureaucratic tasks to software, securely and legally.

What Would a State ID for an AI Agent Actually Look Like?

Estonia’s current digital ID system is a cryptographic smart card (or mobile app) tied to a real person. An AI agent ID would likely follow a similar model but with key differences.

  • Limited authority: The agent would only act within strict permissions set by the human owner — no buying houses or signing marriage certificates without explicit approval.
  • Revocable: The human could cancel the agent’s ID at any time, similar to revoking a power of attorney.
  • Audit trail: Every action the AI takes would be logged and tied back to the human’s main identity, so accountability stays with the person.

This isn’t about giving AI “rights.” It’s about creating a verifiable digital proxy. The agent becomes a tool, not a legal person. Estonia’s e-Governance Academy is already drafting technical standards for how such IDs would be issued and verified.

Why Estonia? And Why Now?

Estonia isn’t doing this in a vacuum. The country’s X-Road data exchange layer already lets public and private sector systems talk securely. Its digital ID infrastructure is battle-tested — over 99% of public services are available online.

But the push for AI agent IDs comes from practical pressure. The same citizens who use AI assistants for shopping, scheduling, and email are starting to ask: why can’t my AI handle my taxes too? Estonia’s government, famously responsive to tech innovation, decided to answer that question before it became a problem.

There’s also a strategic angle. Estonia wants to remain the global benchmark for digital governance. If it can solve AI identity before larger nations do, it could export the model — just as it did with e-residency and digital signatures.

The Technical Hurdles

Building an AI agent ID isn’t just a legal exercise. The system must prevent fraud, impersonation, and runaway agents. Estonia is exploring blockchain-based audit logs and AI-specific authentication protocols. The agent’s ID would include a cryptographic key pair, but the private key would be held by a trusted hardware module — not the AI model itself.

“The AI doesn’t own its identity. It borrows it from a human,” explained a cybersecurity researcher at Tallinn University of Technology. “If the AI goes rogue, the human pulls the plug.”

What This Means for the Rest of the World

Estonia’s moves often serve as a proof of concept for larger countries. The European Union’s eIDAS regulation already sets cross-border digital identity standards. If Estonia successfully integrates AI agents into its national ID framework, other EU members may follow.

But the precedent cuts both ways. A state-issued AI ID could become a powerful tool for surveillance if safeguards aren’t built in. Privacy advocates warn that giving governments visibility into every AI action on a citizen’s behalf creates a detailed map of their digital life. Estonia’s transparency laws and strong data protection rules may mitigate this, but the model could be abused elsewhere.

There’s also the question of liability. If an AI agent files an incorrect tax return or accidentally reveals private data, who is responsible? Estonia is leaning toward a strict “human in the loop” model — the person must review and approve high-stakes actions. But for low-risk tasks like checking the status of a permit, the AI could act autonomously.

Will Other Countries Copy Estonia?

History suggests yes. Estonia’s e-residency program, launched in 2014, has been replicated by countries from Portugal to the United Arab Emirates. Its digital ID model influenced the design of India’s Aadhaar system and the UK’s Gov.uk Verify.

But AI agent IDs are trickier. They require a mature digital identity infrastructure, a legal framework for AI agency, and public trust in automated systems. Few countries have all three. Estonia does — for now.

Japan and Singapore are also experimenting with AI identity, but Estonia is the first to propose a formal state-issued ID for agents. If the pilot succeeds, expect a wave of similar proposals in Europe and beyond.

The Bigger Picture

This isn’t just about bureaucracy. Giving AI agents state IDs could fundamentally change how people interact with government. Instead of filling out forms, you’d tell your AI to handle it. Instead of remembering deadlines, your AI would remind you — or act automatically.

Estonia is betting that convenience will drive adoption, and that security can keep pace. The next 12 months will show whether that bet pays off. If it does, the little Baltic nation will have set a precedent that reshapes digital governance for decades.

Continue Reading

CyberSecurity

Critical Google Dialogflow CX Flaw Could Have Let Attackers Hijack Chatbots

Published

on

Google Dialogflow CX flaw

How a Single Agent Could Compromise an Entire Project

Security researchers at Varonis uncovered a critical vulnerability in Google Dialogflow CX that could have allowed attackers to hijack chatbots and steal sensitive user data. The flaw, now patched by Google, centered on a rogue agent with edit permissions on one Code Block-enabled agent. From there, an attacker could compromise other Code Block-enabled agents within the same Google Cloud project.

The implications were severe. An attacker with edit rights could read live conversations, extract data users shared, and even make bots send attacker-crafted messages—including requests for users to re-enter passwords. That’s a phishing goldmine, wrapped in a trusted chatbot interface.

The Technical Breakdown: What Was at Risk

Dialogflow CX is Google’s conversational AI platform for building sophisticated chatbots. It supports Code Blocks, which let developers run custom code for tasks like calling external APIs or processing user input. The vulnerability exploited a gap in how these Code Blocks handled permissions.

Varonis discovered that an agent with edit access to a Code Block could inject malicious code. That code could then interact with other agents in the same project, reading their conversation logs, modifying responses, and potentially exfiltrating data. The attack didn’t require elevated privileges—just edit rights on one agent.

What an Attacker Could Do

  • Read live conversations: Access real-time chat logs from other agents, capturing sensitive data like credit card numbers, addresses, or login credentials.
  • Steal user data: Extract information users shared with the chatbot, including personal details and payment info.
  • Send attacker-written messages: Impersonate the bot to ask users for passwords or other sensitive information, enabling phishing attacks.

This wasn’t just a theoretical risk. Varonis demonstrated the exploit in a controlled environment, showing how a single compromised agent could cascade into a full project takeover.

Google’s Response: A Patch, But Questions Remain

Google patched the vulnerability after Varonis reported it through its bug bounty program. The fix restricts how Code Blocks interact with other agents, preventing unauthorized access. But the incident raises broader questions about Google Cloud security for AI-powered services.

Enterprises using Dialogflow CX should review their agent permissions. Ensure only trusted users have edit access to Code Blocks. Monitor for unusual activity—like unexpected changes to agent responses or spikes in data access. And consider implementing additional logging for Code Block executions.

Broader Implications for AI Chatbot Security

This flaw isn’t unique to Dialogflow CX. As more companies deploy AI chatbots for customer service, the attack surface grows. Chatbots handle sensitive data—financial details, health information, personal IDs—making them prime targets.

Security researchers have warned that many chatbot platforms lack proper isolation between agents. A vulnerability in one agent can spill over into others, especially when they share the same project or environment. The Dialogflow CX case is a textbook example: a single edit permission became a backdoor to the entire system.

What Developers Should Do Now

If you’re building chatbots on Dialogflow CX or similar platforms, take these steps:

  • Audit permissions: Limit edit access to Code Blocks to a small group of trusted developers. Use Google Cloud IAM roles to enforce least privilege.
  • Enable logging: Turn on audit logs for Code Block executions. Monitor for anomalies like code that reads data from other agents.
  • Review agent isolation: Check if your platform isolates agents properly. If not, consider running high-risk agents in separate projects.
  • Test for injection: Run regular security tests to catch code injection vulnerabilities before attackers do.

The Takeaway: Trust, but Verify

Google’s quick patch is reassuring, but the vulnerability underscores a hard truth: AI platforms are still maturing in their security practices. A flaw that lets a single agent hijack an entire project is a reminder that even cloud giants can miss edge cases.

For enterprises, the lesson is clear. Don’t assume your chatbot platform is secure out of the box. Audit permissions, monitor behavior, and treat every agent as a potential entry point. Because in the world of AI security, it’s not if you’ll find a flaw—it’s when.

Continue Reading

Trending