Threat Research
DEBULL: Storm-2372-Style Microsoft Device-Code Phishing With GraphSpy Post-Exploitation
A ZeroBEC research blog on a reusable DEBULL PhaaS framework, Microsoft Authentication Broker phishing, Turkish code-lineage markers, and GraphSpy-driven post-authentication behavior.
By ZeroBEC Team · July 4, 2026 · 16 min read
During the last week of June 2026 and into early July, ZeroBEC identified and prevented a major Microsoft 365 device-code phishing campaign targeting multiple customers. The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience, while a backend broker generated and polled Microsoft Authentication Broker device-code tokens.
Executive summary
The tradecraft has strong characteristics previously described in Microsoft Storm-2372 reporting: messaging or Teams-style lures, device-code authentication, Microsoft Authentication Broker usage, geo-plausible infrastructure, and device-registration relevant follow-on activity. We do not attribute the campaign directly to Storm-2372. We assess that the operator is using Storm-2372-style tradecraft through a reusable tooling layer we track as DEBULL.
Follow-up analysis exposed the backend behind the campaign. The same IP that created the attacker-side Microsoft Authentication Broker session also served a DEBULL login panel directly. A Shodan pivot returned the panel on 162.35.167[.]138, and direct access confirmed the same DEBULL user interface over HTTP and HTTPS. A phpinfo exposure then revealed the document root /var/www/token, a vhost hint debull[.]app:0, Apache 2.4.66 on Ubuntu, PHP 8.5.4, cURL, MySQL support, OPcache, and a compact PHP/Composer application. A later exposure of /user/email/deploy.php showed that DEBULL also includes a PhaaS-style deployment layer, with page templates, analytics, custom-domain publishing, and Cloudflare Workers deployment support.
After authentication, the tenant showed a device object named GraphSpy-Device. Based on that artifact, the Microsoft Authentication Broker flow, the attacker session handoff, and public GraphSpy project capabilities, we assess with high probability that DEBULL utilizes GraphSpy or a GraphSpy-derived workflow for Microsoft 365 and Entra post-exploitation.
Two Turkish-language developer markers were present across the stack: Code'u otomatik kopyala in the Team_Meets landing page and SAYAÇ (expiration) in the DEBULL header component. On their own, these markers do not prove operator nationality. Together, they are a meaningful code-lineage clue and raise confidence that at least part of the DEBULL codebase or its templates were authored or modified by a Turkish-speaking developer.
This blog reconstructs the campaign end to end and focuses on the DEBULL PhaaS framework behind it. We cover the Microsoft Authentication Broker device-code flow, the DEBULL direct-origin exposure, the phpinfo and Composer leaks, the Turkish code-lineage markers, the GraphSpy-Device post-authentication artifact, and the exposed CloakGuard deployment module. That module shows DEBULL's broader operator functionality: phishing page creation, reusable templates, Cloudflare Workers deployment, custom-domain publishing, analytics, Office/Gmail/IMAP profile routing, and indicators of chat, file-transfer, voice-message, Telegram, and email-notification capabilities.
The campaign we observed
The message that triggered the investigation used a payment and shared-folder pretext. The body was intentionally minimal: an external-warning banner, a single link to a Team_Meets path, a folder emoji, and a short sign-off. The attacker relied on the user's expectation of collaboration rather than on a detailed story.
The delivery path is important but not the center of the story. The message inherited legitimate mail-authentication signals and relay trust. The headers showed a Microsoft 365 sender path, DKIM pass for the sending domain, earlier SPF and DMARC pass in the chain, a later softfail caused by the evaluated relay hop, compauth pass, low/no spam disposition, and a negative threat-scanner verdict. The message contained no attachment to detonate.
Attack flow
1. Email lure reaches mailbox
-> payment/shared-folder theme
-> Team_Meets path
2. Victim opens compromised first-stage website
-> hxxps://trogir-rental[.]com/Team_Meets/
-> fake encrypted secure-message UI
3. Landing page calls DEBULL broker
-> hxxps://frenksv[.]sbs/user/email/office_poll.php?uid=4
-> action: get_auth_broker_device_code
-> tenant_id: common
-> user_id: 4
4. Victim is pushed to legitimate Microsoft device login
-> hxxps://www.microsoft[.]com/devicelogin
-> Microsoft Authentication Broker prompt
5. Landing page polls for token completion
-> action: poll_auth_broker_token
-> device_code: [redacted long device code]
6. Attacker-side session is created
-> 162.35.167[.]138
-> Microsoft Authentication Broker
-> 50199 waiting/interrupted event followed by success
7. Attacker continues the same attacker session elsewhere
-> 96.126.176[.]130
-> OfficeHome / One Outlook Web
8. Post-authentication tooling appears
-> GraphSpy-Device object observed
9. Victim is redirected to normal Outlook
-> hxxps://outlook.office[.]com/
The landing page was a device-code orchestrator
The first-stage page was hosted on a legitimate Croatian rental website with years of normal indexed business content. That strongly suggests a compromised or abused website rather than a newly registered phishing domain. The malicious path was isolated under /Team_Meets/.
The page did not contain a password field. It created a fake secure-message experience and then called a broker endpoint to generate a Microsoft device-code challenge. The key browser-visible operations were:
const API_BASE = 'https://frenksv[.]sbs/user/email/office_poll.php?uid=4';
POST body:
{
"action": "get_auth_broker_device_code",
"tenant_id": "common",
"user_id": 4
}
Polling body:
{
"action": "poll_auth_broker_token",
"device_code": "[redacted long device_code]",
"user_id": 4
}
window.open('https://www.microsoft.com/devicelogin', ...)
window.location.href = 'https://outlook.office.com/';
The user sees Microsoft, enters the code on Microsoft infrastructure, completes authentication, and believes the message expired or failed. The attacker receives the attacker-side session through the device-code flow.
Turkish code-lineage markers
The Turkish markers are not the only evidence in this case, but they are meaningful. We observed Turkish-language developer comments in two separate parts of the workflow.
- Team_Meets landing page:
Code'u otomatik kopyala, meaning copy the code automatically. - DEBULL header component:
SAYAÇ (expiration). Sayaç means counter or timer in Turkish.
One comment could be accidental or copied from an online snippet. Two independent Turkish artifacts across different components elevate the signal. We assess with low-to-medium confidence that at least part of the DEBULL codebase or its lure templates were authored or modified by a Turkish-speaking developer. This is a code-lineage marker, not direct attribution to a country or named actor.
Code'u otomatik kopyala.
SAYAÇ (expiration).DEBULL exposed: from campaign domain to direct origin
The biggest shift in the investigation came from infrastructure pivots. The broker domain frenksv[.]sbs was Cloudflare-fronted, but the direct origin was exposed. Shodan returned one relevant DEBULL result: 162.35.167[.]138:80, titled DEBULL - Login, running Apache httpd 2.4.66. That same IP appeared in Entra telemetry as the Microsoft Authentication Broker session source. Direct browsing to the IP returned the same DEBULL panel over both HTTP and HTTPS.
| Field | Value |
|---|---|
| Direct DEBULL host | 162.35.167[.]138 |
| Hostname | vps3459922[.]trouble-free[.]net |
| Panel title | DEBULL - Login |
| Observed server | Apache/2.4.66 (Ubuntu) |
| SSH banner | OpenSSH_10.2p1 Ubuntu-2ubuntu3.2 |
| Panel routes | /user/index.php, /admin/auth.php |
| Broker endpoint | /user/email/office_poll.php |
| Composer dependency | phpmailer/phpmailer v7.1.1 |
| Static CSS hash | B96DE9AB78411A112BDCC308163BCD7F88C215FF57BCB58282345C316794B305 |
| Cloudflare analytics token | cec0d6e71b404597a8e486238f0cc69a |
The exposed routes show a multi-role panel structure:
/admin/
index.php -> 302 to auth.php
users.php -> 302 to auth.php
settings.php -> 302 to auth.php
auth.php -> DEBULL Admin Panel
/user/
index.php -> DEBULL Secure Mail System
settings.php -> 302 to index.php
logout.php -> 302 to index.php
email/ -> module directory
includes/ -> user-level include directory
/includes/
config.php -> 200, empty output
db.php -> 200, empty output
telegram.php -> 200, empty output
utilities.php -> 200, empty output
/vendor/
directory listing blocked
/vendor/composer/installed.json exposed
/composer.json and /composer.lock exposed
/info.php
phpinfo exposed
The phpinfo exposure changed the infrastructure picture
The exposed phpinfo page confirmed that the DEBULL host is not a random reverse proxy. It is the actual PHP application server. The most important exposed values were:
| Field | Value |
|---|---|
| System | Linux vps3459922.trouble-free.net 7.0.0-15-generic x86_64 |
| PHP version | 8.5.4 |
| Server API | Apache 2 Handler |
| Apache version | Apache/2.4.66 (Ubuntu) |
| Hostname:Port | debull[.]app:0 |
| Document root | /var/www/token |
| Loaded php.ini | /etc/php/8.5/apache2/php.ini |
| cURL | Enabled, cURL 8.18.0, HTTP/2, SSL, ZSTD, Brotli |
| Database support | mysqli and pdo_mysql enabled |
| Mail support | sendmail path /usr/sbin/sendmail -t -i, SMTP localhost:25 |
| OPcache | Enabled, 35 cached scripts at collection time |
The vhost hint debull[.]app is especially important. It explains why a separate Workers.dev lure called the canonical backend at hxxps://debull[.]app/user/email/office_poll.php while the live customer case used frenksv[.]sbs as a Cloudflare-fronted campaign domain. The document root /var/www/token reinforces the assessment that this host was built for token brokering.
We are not publishing the full phpinfo output because it contains request metadata and session details from the research environment. The sanitized values above are enough to describe the infrastructure.
A compact PHP panel, not a heavy OAuth framework
The Composer metadata was also exposed. It showed only one installed dependency: phpmailer/phpmailer v7.1.1. There were no installed Microsoft Graph SDK, OAuth client, JWT library, or standard Azure OAuth provider packages.
composer.json:
{
"require": {
"phpmailer/phpmailer": "^7.1"
}
}
installed package:
phpmailer/phpmailer v7.1.1
source reference: 1bc1716a507a65e039d4ac9d9adebbbd0d346e15
package time: 2026-05-18T08:06:14+00:00
This implies the Microsoft device-code logic is probably custom PHP, likely implemented with cURL, or delegated to another local process. PHPMailer and the presence of sendmail support align with the Secure Mail System branding and the /user/email/ module path. The framework appears to combine lure operations, operator notifications, campaign management, and device-code token brokering.
The exposed /includes/telegram.php path returned an empty 200 response, which is typical of a server-side include file. Its name suggests Telegram notification support in the DEBULL framework, although the file did not expose its contents. In context with PHPMailer, sendmail support, the /user/email/ module, and later chat/voice UI artifacts, Telegram appears to be part of the operator-notification or live-workflow layer rather than a standalone lure component.
Panel capabilities visible in header.php
The exposed includes/header.php component added another layer of functionality. It imported admin.css, chat.css, jQuery, Bootstrap, Font Awesome, flag-icon-css, and RecordRTC 5.6.2. It also contained anti-debugging and anti-inspection logic: right-click blocking, shortcut blocking, F12 blocking, and a debugger timing loop that blanks the body if execution pauses.
RecordRTC and chat.css do not prove that this specific campaign used live chat or recording, but they show that DEBULL includes UI components for live operator interaction. The exposed assets define admin and user message styling, session lists, unread indicators, file previews, PDF/image/audio/document file handling, and voice-recording states. That fits the broader picture of a phishing operations panel rather than a single-purpose landing page.
Operator chat, voice, file, and notification functions
The additional CSS and header artifacts expand DEBULL's apparent capability set. The chat stylesheet includes classes for chat bubbles, admin chat sessions, user and admin messages, unread badges, file previews, image and PDF attachments, generic document attachments, audio messages, voice players, and a recording state for a record-voice control. The header component imports RecordRTC, which is commonly used to capture audio or video in the browser.
We did not observe the server-side chat endpoints being used in the customer case, so we do not claim that live chat or voice recording was active during this specific attack. The artifacts do show that the framework was designed to support more than static lure delivery: operators could plausibly guide victims, exchange files, capture or receive voice messages, and monitor active sessions from an admin console.
The notification layer also appears to be broader than email. Composer metadata exposed PHPMailer as the only installed dependency, while phpinfo showed sendmail support. In parallel, /includes/telegram.php returned an empty 200 response, which suggests a Telegram integration file was present server-side. Taken together, DEBULL looks like a PhaaS operator platform with email, Telegram, chat, file-transfer, and voice-message building blocks, even though not every capability was exercised in the observed Microsoft device-code campaign.
DEBULL CloakGuard: PhaaS deployment internals
The most revealing additional route was /user/email/deploy.php. The page appeared in a restricted state, but still rendered enough leaked client-side source code to expose the operator workflow behind DEBULL. The page title identified the module as Deploy Pages - CloakGuard, which we assess as the deployment and page-builder layer of the DEBULL PhaaS framework.
The exposed source showed a broader operator platform, not a single phishing page. The main navigation referenced dashboard, domains, redirect paths, secure hosting, video guides, email, deploy, marketplace, settings, and logout. The left-side deploy workflow exposed views for My Pages, Create Page, Templates, and Analytics. Several referenced pages returned 404 during our testing, suggesting the leaked route may belong to an older or partially deployed panel version, or that the live platform uses different endpoint names in production.
CloakGuard exposed the mechanics of page creation and delivery. Operators could create and manage deployed pages, browse base templates, preview pages, review analytics, and choose a deployment method. The page-builder fields included page name, URL slug, editable HTML, editable CSS, editable JavaScript, and deployment destination. The supported deployment methods included custom URL publishing and Cloudflare Workers deployment using Cloudflare Account ID, API Token, Zone ID, and Worker Name fields.
The built-in templates exposed in the client-side source included a Microsoft 365 device-code authentication page, an OAuth callback page for Google/Microsoft-style authentication flows, and a generic modern landing page. The device-code template contains the visible Microsoft 365 authentication card, the user-code placeholder, copy-code behavior, and a link to microsoft.com/devicelogin. This aligns with the Workers.dev Excel/Box lure we found later: the front-end lure can change quickly, while the DEBULL backend and office_poll.php broker remain stable.
The leaked JavaScript also exposed AJAX-driven backend operations through ajax/deploy_ajax.php. The visible actions included list_pages, save_page, get_page, delete_page, deploy_page, get_analytics, and get_cloudflare_connection. These actions show how operators load existing pages, edit a page by ID, save template content, deploy a page, retrieve analytics, and check Cloudflare connectivity. We did not interact with state-changing actions. The exposed client code alone was enough to show that DEBULL is a functional, but operationally immature, PhaaS platform with page management, analytics, hosting workflow, and Cloudflare deployment support.
| Visible component | What it reveals |
|---|---|
Deploy Pages - CloakGuard | Internal name for the DEBULL page deployment and lure-management module. |
domains.php, paths.php, hosting.php | Operator workflow for domains, redirect paths, and hosting management. |
| Custom HTML/CSS/JavaScript editors | Operators can customize lure content without changing the backend broker. |
| Custom URL deployment | Phishing pages can be published to operator-controlled infrastructure. |
| Cloudflare Workers deployment | The panel collects Cloudflare Account ID, API Token, Zone ID, and Worker Name to deploy pages to Workers. |
| Base templates | Device-code authentication page, OAuth callback page, and modern landing page. |
deploy_ajax.php actions | AJAX API used for saving, deploying, deleting, listing pages, and retrieving analytics. |
| Office/Gmail/IMAP profile routing | The broader panel appears to support mailbox and identity workflows beyond Microsoft 365 device-code phishing. |
The leaked source code exposed the operational layout of the CloakGuard module. The top navigation describes a broader PhaaS workflow: domain management, redirect paths, secure hosting, operator guides, email modules, deployment, marketplace, settings, and logout. The deploy sidebar then narrows the operator workflow into deployed pages, page creation, template selection, and analytics.
The navigation names are important because they describe DEBULL as a broader service platform: Domains for managing front-end destinations, Redirect Paths for routing victims through campaign-specific flows, Secure Hosting for deployment infrastructure, Video Guides for operator onboarding, Marketplace for templates or add-ons, Email and Extraction for mailbox-oriented workflows, and Settings for operator configuration. Several of these routes returned 404 during analysis, which suggests the exposed deploy.php page may be an older or partially broken interface, but the leaked source still reveals the intended product architecture.
The page-creation form shows why DEBULL should be treated as a PhaaS framework rather than a single phishing site. Operators can define a page name and slug, edit HTML, CSS, and JavaScript directly, then choose how the lure is published. The Cloudflare Workers option exposes fields for Cloudflare Account ID, API Token, Zone ID, and Worker Name, explaining how DEBULL can quickly move from a compromised website to Workers.dev infrastructure.
The same leaked code also exposed page-management operations. The edit and delete functions call deploy_ajax.php with page IDs, return JSON, and repopulate the page-builder fields with stored HTML, CSS, JavaScript, deployment URL, and Cloudflare configuration. This confirms that CloakGuard is not only rendering a static template. It is managing deployed pages as stored objects.
The embedded templates included a Microsoft 365 device-code authentication page, an OAuth callback page, and a modern landing page. The Microsoft 365 template is especially important because it exposes the exact building block used by the campaign: a user-code display, copy-code behavior, and a link to Microsoft device login.
CloakGuard / deploy.php exposed actions:
ajax/deploy_ajax.php?action=list_pages
ajax/deploy_ajax.php?action=save_page
ajax/deploy_ajax.php?action=get_page&page_id={pageId}
ajax/deploy_ajax.php?action=delete_page&page_id={pageId}
ajax/deploy_ajax.php?action=deploy_page&page_id={pageId}
ajax/deploy_ajax.php?action=get_analytics
ajax/deploy_ajax.php?action=get_cloudflare_connection
Built-in templates:
Device Code Auth Page
OAuth Callback Page
Modern Landing Page
Reusable lure templates: Workers.dev Excel/Box lure
A separate urlscan result surfaced another working lure template hosted on Cloudflare Workers: page-8-xls-vft-lvfsa.pefferarley83249[.]workers[.]dev. The page title and UI presented a Box / Excel secure-document access flow. The CloakGuard deployment module explains how this type of lure could be generated and hosted: DEBULL exposes page templates, custom HTML/CSS/JavaScript editors, and a Cloudflare Workers deployment option. The important point is not the theme. It called the same DEBULL broker pattern.
debull[.]app/user/email/office_poll.php.Workers.dev lure:
page-8-xls-vft-lvfsa.pefferarley83249[.]workers[.]dev
const API_BASE = 'https://debull[.]app/user/email/office_poll.php';
window.EMBEDDED_USER_ID = 4;
window.DEPLOYMENT_USER_ID = 4;
SESSION_KEY = 'box_secure_session';
POST action: get_auth_broker_device_code
POST action: poll_auth_broker_token
Microsoft login: https://www.microsoft.com/devicelogin
This proves DEBULL is reusable. The same backend can sit behind different lure templates: Team_Meets on a compromised website, Box/Excel on Workers.dev, and likely other customer-specific or campaign-specific templates. The front end can change quickly while the broker endpoint and post-authentication tooling stay stable.
Session handoff and GraphSpy post-exploitation
The Entra sign-in timeline showed three different roles. The victim session used the victim's normal browser and residential IP. The attacker-side Microsoft Authentication Broker session was created from 162.35.167[.]138. A later OfficeHome / One Outlook Web activity continued the same attacker session from 96.126.176[.]130.
Victim browser session:
IP: x.x.x.x
One Outlook Web
normal victim-side login activity
Attacker session creation:
162.35.167[.]138
Microsoft Authentication Broker
50199 waiting/interrupted event followed by success
same IP that exposed DEBULL panel
Attacker session continuation:
96.126.176[.]130
OfficeHome / One Outlook Web
same attacker session, different attacker egress
Post-authentication artifact:
GraphSpy-Device
This is not the attacker using the victim's device. It is the victim authorizing an attacker-controlled device-code session through the legitimate Microsoft flow. The attacker then reused that session from their own infrastructure. The local-looking geography reduced the chance of obvious impossible-travel detection.
GraphSpy is a public Entra ID and Microsoft 365 initial access and post-exploitation tool with device-code, token, Graph, Outlook, and device-registration oriented workflows. Based on the GraphSpy-Device object, the Microsoft Authentication Broker flow, and the session continuation pattern, we assess with high probability that DEBULL utilizes GraphSpy or a GraphSpy-derived post-exploitation workflow after token acquisition.
This is where the campaign moves beyond token theft. Microsoft has already described Storm-2372 shifting to Microsoft Authentication Broker because it can support refresh-token and device-registration relevant activity.
Attribution and tradecraft assessment
We are comfortable saying this is Storm-2372-style tradecraft. We are not comfortable saying this is Storm-2372. The technical overlap is significant, but DEBULL appears to be a reusable or private tooling layer that may be operated by a different actor or by multiple operators.
| Confidence | Assessment |
|---|---|
| High confidence | Microsoft OAuth device-code phishing through a backend broker. |
| High confidence | Microsoft Authentication Broker was used in the attacker-side flow. |
| High confidence | 162.35.167[.]138 is directly tied to the DEBULL panel and the Microsoft Authentication Broker session source. |
| High confidence | DEBULL is a deployed PHP PhaaS framework with admin, user, deployment, include, vendor, email, and token-broker components. |
| High confidence | DEBULL/CloakGuard supports reusable lure templates and deployment workflows, including Cloudflare Workers deployment. |
| High probability | DEBULL utilizes GraphSpy or a GraphSpy-derived post-exploitation workflow based on GraphSpy-Device and the broker/session behavior. |
| High confidence | The infrastructure uses geo-plausible data-center egress to reduce obvious impossible-travel signals. |
| Low-to-medium confidence | Turkish-language developer markers indicate Turkish code authorship or template modification lineage. |
| Low confidence | Direct attribution to Storm-2372 or to a Turkish actor. |
| Additional finding | The exposed deploy.php route shows page-builder, template, analytics, and Cloudflare deployment capabilities consistent with a PhaaS operator platform. |
The more useful conclusion is that Storm-2372-style identity tradecraft is now being packaged into reusable broker infrastructure. DEBULL provides the campaign-facing and operator-facing layer. GraphSpy or GraphSpy-derived code likely handles the post-authentication layer. The lure can be changed without changing the backend identity stack.
Detection opportunities
Detection should focus on the sequence rather than a single URL. The strongest indicators are Microsoft Authentication Broker sign-ins after a suspicious collaboration lure, DEBULL broker polling, session continuation from separate attacker infrastructure, and unexpected device objects.
// Microsoft Authentication Broker followed by Outlook/OfficeHome from another IP
let window = 15m;
let mab = SigninLogs
| where TimeGenerated > ago(14d)
| where AppDisplayName =~ "Microsoft Authentication Broker"
| extend SessionId_ = tostring(column_ifexists("SessionId", ""))
| project MabTime=TimeGenerated, UserPrincipalName, MabIp=IPAddress,
MabLocation=Location, MabSession=SessionId_, MabResult=ResultType,
MabUserAgent=UserAgent, MabCorrelation=CorrelationId;
let owa = SigninLogs
| where TimeGenerated > ago(14d)
| where AppDisplayName in ("OfficeHome", "One Outlook Web")
| where ResultType == 0
| extend SessionId_ = tostring(column_ifexists("SessionId", ""))
| project OwaTime=TimeGenerated, UserPrincipalName, OwaIp=IPAddress,
OwaLocation=Location, OwaSession=SessionId_, OwaApp=AppDisplayName,
OwaUserAgent=UserAgent, OwaCorrelation=CorrelationId;
mab
| join kind=inner owa on UserPrincipalName
| where OwaTime between (MabTime .. MabTime + window)
| where MabIp != OwaIp
| project MabTime, OwaTime, UserPrincipalName, MabIp, OwaIp,
MabLocation, OwaLocation, MabSession, OwaSession,
MabResult, OwaApp, MabUserAgent, OwaUserAgent
| order by MabTime desc
// Suspicious GraphSpy device registration artifact
AuditLogs
| where TimeGenerated > ago(30d)
| where TargetResources has_any ("GraphSpy-Device", "GraphSpy")
or OperationName has_any ("Register device", "Add device", "Add registered owner to device")
| project TimeGenerated, OperationName, Result, InitiatedBy, TargetResources
| order by TimeGenerated desc
// DEBULL and device-code URL pivots
UrlClickEvents
| where Timestamp > ago(14d)
| where Url has_any (
"microsoft.com/devicelogin",
"login.microsoftonline.com/common/oauth2/deviceauth",
"trogir-rental[.]com/Team_Meets",
"frenksv[.]sbs/user/email/office_poll.php",
"debull[.]app/user/email/office_poll.php"
)
or UrlChain has_any (
"microsoft.com/devicelogin",
"login.microsoftonline.com/common/oauth2/deviceauth",
"trogir-rental[.]com/Team_Meets",
"frenksv[.]sbs/user/email/office_poll.php",
"debull[.]app/user/email/office_poll.php"
)
| project Timestamp, AccountUpn, ActionType, Url, UrlChain, NetworkMessageId
| order by Timestamp desc
Response and mitigation
- Revoke sign-in sessions and refresh tokens for any user who entered a device code.
- Remove suspicious device objects, especially objects matching
GraphSpy-Deviceor similar naming. - Review Microsoft Authentication Broker sign-ins, device-code protocol events, OfficeHome/Outlook access, and session ID reuse across IPs.
- Review authentication methods, Windows Hello for Business artifacts, FIDO/passkey changes, OAuth grants, inbox rules, forwarding, sent items, and Graph API activity.
- Block or tightly restrict device-code flow through Conditional Access unless a documented business case requires it.
- Create detections for geo-plausible data-center access, not only impossible travel. In this case the attacker automatically used New York/New Jersey egress to reduce suspicion.
- Search for DEBULL and CloakGuard fingerprints:
admin/auth.php,user/email/office_poll.php,user/email/deploy.php,ajax/deploy_ajax.php,Deploy Pages - CloakGuard,/assets/css/chat.css, RecordRTC,/includes/telegram.php, the DEBULL panel text, the CSS hash, the Cloudflare analytics token, and the Turkish code markers.
Indicators and pivots
Domains and URLs:
hxxps://trogir-rental[.]com/Team_Meets/
hxxps://frenksv[.]sbs/user/email/office_poll.php?uid=4
hxxps://frenksv[.]sbs/user/index.php
hxxps://frenksv[.]sbs/admin/auth.php
hxxps://debull[.]app/user/email/office_poll.php
hxxps://page-8-xls-vft-lvfsa.pefferarley83249[.]workers[.]dev/
hxxps://www.microsoft[.]com/devicelogin
IPs:
162.35.167[.]138 DEBULL origin and Microsoft Authentication Broker source
96.126.176[.]130 attacker session continuation
49.12.61[.]13 first-stage compromised web host for trogir-rental[.]com
DEBULL panel artifacts:
DEBULL Secure Mail System
DEBULL Admin Panel
/user/index.php
/admin/auth.php
/user/email/office_poll.php
/includes/telegram.php
/vendor/composer/installed.json
/info.php
/var/www/token
debull[.]app:0
Apache/2.4.66 (Ubuntu)
PHP 8.5.4
phpmailer/phpmailer v7.1.1
DEBULL / CloakGuard PhaaS artifacts:
/user/email/deploy.php
/user/email/ajax/deploy_ajax.php?action=list_pages
/user/email/ajax/deploy_ajax.php?action=get_analytics
ajax/deploy_ajax.php?action=save_page
ajax/deploy_ajax.php?action=deploy_page&page_id=
Deploy Pages - CloakGuard
Device Code Auth Page
OAuth Callback Page
Modern Landing Page
Cloudflare Account ID
Cloudflare API Token
Cloudflare Zone ID
Worker Name
outlook.php?profile_id=
gmail.php?profile_id=
imap.php?profile_id=
/assets/css/chat.css
RecordRTC 5.6.2
Static fingerprints:
admin.css SHA256: B96DE9AB78411A112BDCC308163BCD7F88C215FF57BCB58282345C316794B305
Cloudflare Web Analytics token: cec0d6e71b404597a8e486238f0cc69a
Composer content-hash: c7173d6a700b02b111e51b703acd8c8e
Code-lineage markers:
Code'u otomatik kopyala
SAYAÇ (expiration)
Post-authentication artifact:
GraphSpy-Device
Why ZeroBEC is needed
This campaign reached the inbox because it was built to avoid static detection. The sender path carried enough trust to pass existing email defenses. The link used a legitimate compromised website as the first-stage landing page. The authentication happened on Microsoft infrastructure. The attacker infrastructure was geographically plausible. The post-authentication session looked like a normal Microsoft 365 workflow unless the full chain was reconstructed. The exposed DEBULL/CloakGuard deployment layer also shows why this type of campaign can evolve quickly: operators can change lures, templates, hosting, and Cloudflare Workers deployments while keeping the same behavioral backend pattern.
ZeroBEC detected the campaign because it did not evaluate the message as a collection of isolated indicators. The platform learned what normal looks like for each user and organization: who they usually interact with, what types of business requests are expected, what links are normal, and what authentication patterns fit the environment. In this case, the payment/shared-folder lure, the external collaboration link, the Microsoft device-code flow, and the post-click identity activity were abnormal as a sequence.
ZeroBEC quarantined the message and automatically produced the investigation trail: the original lure, landing page, DEBULL broker endpoint, Microsoft Authentication Broker activity, attacker IPs, session handoff, and GraphSpy-like device-registration artifact. That is the difference between blocking a suspicious email and understanding a campaign.
Ready to see how ZeroBEC protects your organization? Start free or contact us.