← Back to Blog

Threat Research

DEBULL: Storm-2372-Style Microsoft Device-Code Phishing With GraphSpy Post-Exploitation

A ZeroBEC research blog on a reusable DEBULL PhaaS framework, Microsoft Authentication Broker phishing, Turkish code-lineage markers, and GraphSpy-driven post-authentication behavior.

By ZeroBEC Team · July 4, 2026 · 16 min read

DEBULL: Storm-2372-Style Microsoft Device-Code Phishing With GraphSpy Post-Exploitation

During the last week of June 2026 and into early July, ZeroBEC identified and prevented a major Microsoft 365 device-code phishing campaign targeting multiple customers. The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience, while a backend broker generated and polled Microsoft Authentication Broker device-code tokens.

Executive summary

The tradecraft has strong characteristics previously described in Microsoft Storm-2372 reporting: messaging or Teams-style lures, device-code authentication, Microsoft Authentication Broker usage, geo-plausible infrastructure, and device-registration relevant follow-on activity. We do not attribute the campaign directly to Storm-2372. We assess that the operator is using Storm-2372-style tradecraft through a reusable tooling layer we track as DEBULL.

Follow-up analysis exposed the backend behind the campaign. The same IP that created the attacker-side Microsoft Authentication Broker session also served a DEBULL login panel directly. A Shodan pivot returned the panel on 162.35.167[.]138, and direct access confirmed the same DEBULL user interface over HTTP and HTTPS. A phpinfo exposure then revealed the document root /var/www/token, a vhost hint debull[.]app:0, Apache 2.4.66 on Ubuntu, PHP 8.5.4, cURL, MySQL support, OPcache, and a compact PHP/Composer application. A later exposure of /user/email/deploy.php showed that DEBULL also includes a PhaaS-style deployment layer, with page templates, analytics, custom-domain publishing, and Cloudflare Workers deployment support.

After authentication, the tenant showed a device object named GraphSpy-Device. Based on that artifact, the Microsoft Authentication Broker flow, the attacker session handoff, and public GraphSpy project capabilities, we assess with high probability that DEBULL utilizes GraphSpy or a GraphSpy-derived workflow for Microsoft 365 and Entra post-exploitation.

Two Turkish-language developer markers were present across the stack: Code'u otomatik kopyala in the Team_Meets landing page and SAYAÇ (expiration) in the DEBULL header component. On their own, these markers do not prove operator nationality. Together, they are a meaningful code-lineage clue and raise confidence that at least part of the DEBULL codebase or its templates were authored or modified by a Turkish-speaking developer.

This blog reconstructs the campaign end to end and focuses on the DEBULL PhaaS framework behind it. We cover the Microsoft Authentication Broker device-code flow, the DEBULL direct-origin exposure, the phpinfo and Composer leaks, the Turkish code-lineage markers, the GraphSpy-Device post-authentication artifact, and the exposed CloakGuard deployment module. That module shows DEBULL's broader operator functionality: phishing page creation, reusable templates, Cloudflare Workers deployment, custom-domain publishing, analytics, Office/Gmail/IMAP profile routing, and indicators of chat, file-transfer, voice-message, Telegram, and email-notification capabilities.

Sanitized ZeroBEC finding view showing the payment/shared-folder email lure with a Team_Meets URL path, external warning banner, and short sign-off
Figure 1:Sanitized ZeroBEC finding view. The lure used a payment/shared-folder theme and a Team_Meets URL path.

The campaign we observed

The message that triggered the investigation used a payment and shared-folder pretext. The body was intentionally minimal: an external-warning banner, a single link to a Team_Meets path, a folder emoji, and a short sign-off. The attacker relied on the user's expectation of collaboration rather than on a detailed story.

The delivery path is important but not the center of the story. The message inherited legitimate mail-authentication signals and relay trust. The headers showed a Microsoft 365 sender path, DKIM pass for the sending domain, earlier SPF and DMARC pass in the chain, a later softfail caused by the evaluated relay hop, compauth pass, low/no spam disposition, and a negative threat-scanner verdict. The message contained no attachment to detonate.

Attack flow

DEBULL device-code phishing attack flow: email lure, compromised first-stage website, DEBULL broker call, Microsoft device login, token polling, attacker-side session creation from 162.35.167.138, session continuation from 96.126.176.130, GraphSpy-Device post-authentication artifact, and victim redirect to Outlook
Figure 2:End-to-end DEBULL device-code phishing attack flow, from the initial email lure through the compromised first-stage website, DEBULL broker device-code generation, Microsoft device login, attacker-side session creation, session continuation from a second attacker IP, and GraphSpy-Device post-authentication artifact.
1. Email lure reaches mailbox
   -> payment/shared-folder theme
   -> Team_Meets path

2. Victim opens compromised first-stage website
   -> hxxps://trogir-rental[.]com/Team_Meets/
   -> fake encrypted secure-message UI

3. Landing page calls DEBULL broker
   -> hxxps://frenksv[.]sbs/user/email/office_poll.php?uid=4
   -> action: get_auth_broker_device_code
   -> tenant_id: common
   -> user_id: 4

4. Victim is pushed to legitimate Microsoft device login
   -> hxxps://www.microsoft[.]com/devicelogin
   -> Microsoft Authentication Broker prompt

5. Landing page polls for token completion
   -> action: poll_auth_broker_token
   -> device_code: [redacted long device code]

6. Attacker-side session is created
   -> 162.35.167[.]138
   -> Microsoft Authentication Broker
   -> 50199 waiting/interrupted event followed by success

7. Attacker continues the same attacker session elsewhere
   -> 96.126.176[.]130
   -> OfficeHome / One Outlook Web

8. Post-authentication tooling appears
   -> GraphSpy-Device object observed

9. Victim is redirected to normal Outlook
   -> hxxps://outlook.office[.]com/

The landing page was a device-code orchestrator

The first-stage page was hosted on a legitimate Croatian rental website with years of normal indexed business content. That strongly suggests a compromised or abused website rather than a newly registered phishing domain. The malicious path was isolated under /Team_Meets/.

The page did not contain a password field. It created a fake secure-message experience and then called a broker endpoint to generate a Microsoft device-code challenge. The key browser-visible operations were:

const API_BASE = 'https://frenksv[.]sbs/user/email/office_poll.php?uid=4';

POST body:
{
  "action": "get_auth_broker_device_code",
  "tenant_id": "common",
  "user_id": 4
}

Polling body:
{
  "action": "poll_auth_broker_token",
  "device_code": "[redacted long device_code]",
  "user_id": 4
}

window.open('https://www.microsoft.com/devicelogin', ...)
window.location.href = 'https://outlook.office.com/';

The user sees Microsoft, enters the code on Microsoft infrastructure, completes authentication, and believes the message expired or failed. The attacker receives the attacker-side session through the device-code flow.

Microsoft Entra sign-in log entry identifying the sign-in as Microsoft Authentication Broker on another device, a key Storm-2372-style characteristic
Figure 3:Microsoft identifies the sign-in as Microsoft Authentication Broker on another device. This is a key Storm-2372-style characteristic.

Turkish code-lineage markers

The Turkish markers are not the only evidence in this case, but they are meaningful. We observed Turkish-language developer comments in two separate parts of the workflow.

One comment could be accidental or copied from an online snippet. Two independent Turkish artifacts across different components elevate the signal. We assess with low-to-medium confidence that at least part of the DEBULL codebase or its lure templates were authored or modified by a Turkish-speaking developer. This is a code-lineage marker, not direct attribution to a country or named actor.

Turkish comment Code'u otomatik kopyala embedded in the Team_Meets landing page source, meaning copy the code automatically
Figure 4:Turkish comment in the Team_Meets landing page: Code'u otomatik kopyala.
Turkish marker SAYAÇ (expiration) inside the DEBULL header.php component, where sayaç means counter or timer
Figure 5:Turkish marker in the DEBULL header component: SAYAÇ (expiration).

DEBULL exposed: from campaign domain to direct origin

The biggest shift in the investigation came from infrastructure pivots. The broker domain frenksv[.]sbs was Cloudflare-fronted, but the direct origin was exposed. Shodan returned one relevant DEBULL result: 162.35.167[.]138:80, titled DEBULL - Login, running Apache httpd 2.4.66. That same IP appeared in Entra telemetry as the Microsoft Authentication Broker session source. Direct browsing to the IP returned the same DEBULL panel over both HTTP and HTTPS.

DEBULL Secure Mail System login panel exposed directly on the broker infrastructure at 162.35.167.138, running Apache 2.4.66 on Ubuntu
Figure 6:DEBULL Secure Mail System login panel exposed on the broker infrastructure.
FieldValue
Direct DEBULL host162.35.167[.]138
Hostnamevps3459922[.]trouble-free[.]net
Panel titleDEBULL - Login
Observed serverApache/2.4.66 (Ubuntu)
SSH bannerOpenSSH_10.2p1 Ubuntu-2ubuntu3.2
Panel routes/user/index.php, /admin/auth.php
Broker endpoint/user/email/office_poll.php
Composer dependencyphpmailer/phpmailer v7.1.1
Static CSS hashB96DE9AB78411A112BDCC308163BCD7F88C215FF57BCB58282345C316794B305
Cloudflare analytics tokencec0d6e71b404597a8e486238f0cc69a

The exposed routes show a multi-role panel structure:

/admin/
  index.php      -> 302 to auth.php
  users.php      -> 302 to auth.php
  settings.php   -> 302 to auth.php
  auth.php       -> DEBULL Admin Panel

/user/
  index.php      -> DEBULL Secure Mail System
  settings.php   -> 302 to index.php
  logout.php     -> 302 to index.php
  email/         -> module directory
  includes/      -> user-level include directory

/includes/
  config.php     -> 200, empty output
  db.php         -> 200, empty output
  telegram.php   -> 200, empty output
  utilities.php  -> 200, empty output

/vendor/
  directory listing blocked
  /vendor/composer/installed.json exposed
  /composer.json and /composer.lock exposed

/info.php
  phpinfo exposed

The phpinfo exposure changed the infrastructure picture

The exposed phpinfo page confirmed that the DEBULL host is not a random reverse proxy. It is the actual PHP application server. The most important exposed values were:

FieldValue
SystemLinux vps3459922.trouble-free.net 7.0.0-15-generic x86_64
PHP version8.5.4
Server APIApache 2 Handler
Apache versionApache/2.4.66 (Ubuntu)
Hostname:Portdebull[.]app:0
Document root/var/www/token
Loaded php.ini/etc/php/8.5/apache2/php.ini
cURLEnabled, cURL 8.18.0, HTTP/2, SSL, ZSTD, Brotli
Database supportmysqli and pdo_mysql enabled
Mail supportsendmail path /usr/sbin/sendmail -t -i, SMTP localhost:25
OPcacheEnabled, 35 cached scripts at collection time

The vhost hint debull[.]app is especially important. It explains why a separate Workers.dev lure called the canonical backend at hxxps://debull[.]app/user/email/office_poll.php while the live customer case used frenksv[.]sbs as a Cloudflare-fronted campaign domain. The document root /var/www/token reinforces the assessment that this host was built for token brokering.

We are not publishing the full phpinfo output because it contains request metadata and session details from the research environment. The sanitized values above are enough to describe the infrastructure.

A compact PHP panel, not a heavy OAuth framework

The Composer metadata was also exposed. It showed only one installed dependency: phpmailer/phpmailer v7.1.1. There were no installed Microsoft Graph SDK, OAuth client, JWT library, or standard Azure OAuth provider packages.

composer.json:
{
  "require": {
    "phpmailer/phpmailer": "^7.1"
  }
}

installed package:
phpmailer/phpmailer v7.1.1
source reference: 1bc1716a507a65e039d4ac9d9adebbbd0d346e15
package time: 2026-05-18T08:06:14+00:00

This implies the Microsoft device-code logic is probably custom PHP, likely implemented with cURL, or delegated to another local process. PHPMailer and the presence of sendmail support align with the Secure Mail System branding and the /user/email/ module path. The framework appears to combine lure operations, operator notifications, campaign management, and device-code token brokering.

The exposed /includes/telegram.php path returned an empty 200 response, which is typical of a server-side include file. Its name suggests Telegram notification support in the DEBULL framework, although the file did not expose its contents. In context with PHPMailer, sendmail support, the /user/email/ module, and later chat/voice UI artifacts, Telegram appears to be part of the operator-notification or live-workflow layer rather than a standalone lure component.

Panel capabilities visible in header.php

The exposed includes/header.php component added another layer of functionality. It imported admin.css, chat.css, jQuery, Bootstrap, Font Awesome, flag-icon-css, and RecordRTC 5.6.2. It also contained anti-debugging and anti-inspection logic: right-click blocking, shortcut blocking, F12 blocking, and a debugger timing loop that blanks the body if execution pauses.

RecordRTC and chat.css do not prove that this specific campaign used live chat or recording, but they show that DEBULL includes UI components for live operator interaction. The exposed assets define admin and user message styling, session lists, unread indicators, file previews, PDF/image/audio/document file handling, and voice-recording states. That fits the broader picture of a phishing operations panel rather than a single-purpose landing page.

Operator chat, voice, file, and notification functions

The additional CSS and header artifacts expand DEBULL's apparent capability set. The chat stylesheet includes classes for chat bubbles, admin chat sessions, user and admin messages, unread badges, file previews, image and PDF attachments, generic document attachments, audio messages, voice players, and a recording state for a record-voice control. The header component imports RecordRTC, which is commonly used to capture audio or video in the browser.

We did not observe the server-side chat endpoints being used in the customer case, so we do not claim that live chat or voice recording was active during this specific attack. The artifacts do show that the framework was designed to support more than static lure delivery: operators could plausibly guide victims, exchange files, capture or receive voice messages, and monitor active sessions from an admin console.

The notification layer also appears to be broader than email. Composer metadata exposed PHPMailer as the only installed dependency, while phpinfo showed sendmail support. In parallel, /includes/telegram.php returned an empty 200 response, which suggests a Telegram integration file was present server-side. Taken together, DEBULL looks like a PhaaS operator platform with email, Telegram, chat, file-transfer, and voice-message building blocks, even though not every capability was exercised in the observed Microsoft device-code campaign.

DEBULL CloakGuard: PhaaS deployment internals

The most revealing additional route was /user/email/deploy.php. The page appeared in a restricted state, but still rendered enough leaked client-side source code to expose the operator workflow behind DEBULL. The page title identified the module as Deploy Pages - CloakGuard, which we assess as the deployment and page-builder layer of the DEBULL PhaaS framework.

The exposed source showed a broader operator platform, not a single phishing page. The main navigation referenced dashboard, domains, redirect paths, secure hosting, video guides, email, deploy, marketplace, settings, and logout. The left-side deploy workflow exposed views for My Pages, Create Page, Templates, and Analytics. Several referenced pages returned 404 during our testing, suggesting the leaked route may belong to an older or partially deployed panel version, or that the live platform uses different endpoint names in production.

CloakGuard exposed the mechanics of page creation and delivery. Operators could create and manage deployed pages, browse base templates, preview pages, review analytics, and choose a deployment method. The page-builder fields included page name, URL slug, editable HTML, editable CSS, editable JavaScript, and deployment destination. The supported deployment methods included custom URL publishing and Cloudflare Workers deployment using Cloudflare Account ID, API Token, Zone ID, and Worker Name fields.

The built-in templates exposed in the client-side source included a Microsoft 365 device-code authentication page, an OAuth callback page for Google/Microsoft-style authentication flows, and a generic modern landing page. The device-code template contains the visible Microsoft 365 authentication card, the user-code placeholder, copy-code behavior, and a link to microsoft.com/devicelogin. This aligns with the Workers.dev Excel/Box lure we found later: the front-end lure can change quickly, while the DEBULL backend and office_poll.php broker remain stable.

The leaked JavaScript also exposed AJAX-driven backend operations through ajax/deploy_ajax.php. The visible actions included list_pages, save_page, get_page, delete_page, deploy_page, get_analytics, and get_cloudflare_connection. These actions show how operators load existing pages, edit a page by ID, save template content, deploy a page, retrieve analytics, and check Cloudflare connectivity. We did not interact with state-changing actions. The exposed client code alone was enough to show that DEBULL is a functional, but operationally immature, PhaaS platform with page management, analytics, hosting workflow, and Cloudflare deployment support.

Exposed CloakGuard deploy.php module in a restricted state, still rendering the page-builder logic, template list, and deployment workflow through leaked client-side source
Figure 7:Exposed CloakGuard deployment module. The restricted page still rendered page-builder logic, templates, and deployment workflow details.
Visible componentWhat it reveals
Deploy Pages - CloakGuardInternal name for the DEBULL page deployment and lure-management module.
domains.php, paths.php, hosting.phpOperator workflow for domains, redirect paths, and hosting management.
Custom HTML/CSS/JavaScript editorsOperators can customize lure content without changing the backend broker.
Custom URL deploymentPhishing pages can be published to operator-controlled infrastructure.
Cloudflare Workers deploymentThe panel collects Cloudflare Account ID, API Token, Zone ID, and Worker Name to deploy pages to Workers.
Base templatesDevice-code authentication page, OAuth callback page, and modern landing page.
deploy_ajax.php actionsAJAX API used for saving, deploying, deleting, listing pages, and retrieving analytics.
Office/Gmail/IMAP profile routingThe broader panel appears to support mailbox and identity workflows beyond Microsoft 365 device-code phishing.

The leaked source code exposed the operational layout of the CloakGuard module. The top navigation describes a broader PhaaS workflow: domain management, redirect paths, secure hosting, operator guides, email modules, deployment, marketplace, settings, and logout. The deploy sidebar then narrows the operator workflow into deployed pages, page creation, template selection, and analytics.

The navigation names are important because they describe DEBULL as a broader service platform: Domains for managing front-end destinations, Redirect Paths for routing victims through campaign-specific flows, Secure Hosting for deployment infrastructure, Video Guides for operator onboarding, Marketplace for templates or add-ons, Email and Extraction for mailbox-oriented workflows, and Settings for operator configuration. Several of these routes returned 404 during analysis, which suggests the exposed deploy.php page may be an older or partially broken interface, but the leaked source still reveals the intended product architecture.

CloakGuard navigation bar and deployment dashboard exposed through leaked client-side source: dashboard, domains, redirect paths, secure hosting, video guides, email, deploy, marketplace, settings, logout
Figure 8:CloakGuard navigation and deployment dashboard exposed through leaked client-side source code.

The page-creation form shows why DEBULL should be treated as a PhaaS framework rather than a single phishing site. Operators can define a page name and slug, edit HTML, CSS, and JavaScript directly, then choose how the lure is published. The Cloudflare Workers option exposes fields for Cloudflare Account ID, API Token, Zone ID, and Worker Name, explaining how DEBULL can quickly move from a compromised website to Workers.dev infrastructure.

CloakGuard page-builder form with fields for page name, URL slug, HTML/CSS/JavaScript editors, and deployment options including custom URL and Cloudflare Workers with Account ID, API Token, Zone ID, and Worker Name
Figure 9:CloakGuard page-builder form with custom URL and Cloudflare Workers deployment options.

The same leaked code also exposed page-management operations. The edit and delete functions call deploy_ajax.php with page IDs, return JSON, and repopulate the page-builder fields with stored HTML, CSS, JavaScript, deployment URL, and Cloudflare configuration. This confirms that CloakGuard is not only rendering a static template. It is managing deployed pages as stored objects.

Leaked JavaScript edit and delete functions calling deploy_ajax.php with page IDs, returning JSON, and repopulating the CloakGuard page-builder fields for stored phishing pages
Figure 10:Leaked edit and delete functions show AJAX-driven management of stored phishing pages.

The embedded templates included a Microsoft 365 device-code authentication page, an OAuth callback page, and a modern landing page. The Microsoft 365 template is especially important because it exposes the exact building block used by the campaign: a user-code display, copy-code behavior, and a link to Microsoft device login.

Built-in Microsoft 365 device-code authentication template inside the CloakGuard page builder: user-code display, copy-code button, and link to microsoft.com/devicelogin
Figure 11:Built-in Microsoft 365 device-code template exposed inside the CloakGuard page builder.
CloakGuard / deploy.php exposed actions:
ajax/deploy_ajax.php?action=list_pages
ajax/deploy_ajax.php?action=save_page
ajax/deploy_ajax.php?action=get_page&page_id={pageId}
ajax/deploy_ajax.php?action=delete_page&page_id={pageId}
ajax/deploy_ajax.php?action=deploy_page&page_id={pageId}
ajax/deploy_ajax.php?action=get_analytics
ajax/deploy_ajax.php?action=get_cloudflare_connection

Built-in templates:
Device Code Auth Page
OAuth Callback Page
Modern Landing Page

Reusable lure templates: Workers.dev Excel/Box lure

A separate urlscan result surfaced another working lure template hosted on Cloudflare Workers: page-8-xls-vft-lvfsa.pefferarley83249[.]workers[.]dev. The page title and UI presented a Box / Excel secure-document access flow. The CloakGuard deployment module explains how this type of lure could be generated and hosted: DEBULL exposes page templates, custom HTML/CSS/JavaScript editors, and a Cloudflare Workers deployment option. The important point is not the theme. It called the same DEBULL broker pattern.

Workers.dev Excel/Box-style lure page calling the DEBULL broker at debull[.]app/user/email/office_poll.php with embedded user ID and box_secure_session key
Figure 12:Workers.dev Excel/Box-style lure calling the DEBULL broker through debull[.]app/user/email/office_poll.php.
Workers.dev lure:
page-8-xls-vft-lvfsa.pefferarley83249[.]workers[.]dev

const API_BASE = 'https://debull[.]app/user/email/office_poll.php';

window.EMBEDDED_USER_ID = 4;
window.DEPLOYMENT_USER_ID = 4;
SESSION_KEY = 'box_secure_session';

POST action: get_auth_broker_device_code
POST action: poll_auth_broker_token
Microsoft login: https://www.microsoft.com/devicelogin

This proves DEBULL is reusable. The same backend can sit behind different lure templates: Team_Meets on a compromised website, Box/Excel on Workers.dev, and likely other customer-specific or campaign-specific templates. The front end can change quickly while the broker endpoint and post-authentication tooling stay stable.

Session handoff and GraphSpy post-exploitation

The Entra sign-in timeline showed three different roles. The victim session used the victim's normal browser and residential IP. The attacker-side Microsoft Authentication Broker session was created from 162.35.167[.]138. A later OfficeHome / One Outlook Web activity continued the same attacker session from 96.126.176[.]130.

Victim browser session:
  IP: x.x.x.x
  One Outlook Web
  normal victim-side login activity

Attacker session creation:
  162.35.167[.]138
  Microsoft Authentication Broker
  50199 waiting/interrupted event followed by success
  same IP that exposed DEBULL panel

Attacker session continuation:
  96.126.176[.]130
  OfficeHome / One Outlook Web
  same attacker session, different attacker egress

Post-authentication artifact:
  GraphSpy-Device
Entra sign-in pattern showing the attacker session: Microsoft Authentication Broker success and 50199 failure from 162.35.167.138, followed by OfficeHome and One Outlook Web success events from 96.126.176.130 in New Jersey
Figure 13:Attacker login pattern in Entra sign-in logs. Microsoft Authentication Broker events from the DEBULL origin, followed by OfficeHome and One Outlook Web access from a second attacker IP.
Post-authentication GraphSpy-Device artifact observed in the tenant after the Microsoft Authentication Broker flow completed
Figure 14:Post-authentication GraphSpy-Device artifact registered in the tenant after the Microsoft Authentication Broker flow.

This is not the attacker using the victim's device. It is the victim authorizing an attacker-controlled device-code session through the legitimate Microsoft flow. The attacker then reused that session from their own infrastructure. The local-looking geography reduced the chance of obvious impossible-travel detection.

GraphSpy is a public Entra ID and Microsoft 365 initial access and post-exploitation tool with device-code, token, Graph, Outlook, and device-registration oriented workflows. Based on the GraphSpy-Device object, the Microsoft Authentication Broker flow, and the session continuation pattern, we assess with high probability that DEBULL utilizes GraphSpy or a GraphSpy-derived post-exploitation workflow after token acquisition.

This is where the campaign moves beyond token theft. Microsoft has already described Storm-2372 shifting to Microsoft Authentication Broker because it can support refresh-token and device-registration relevant activity.

Attribution and tradecraft assessment

We are comfortable saying this is Storm-2372-style tradecraft. We are not comfortable saying this is Storm-2372. The technical overlap is significant, but DEBULL appears to be a reusable or private tooling layer that may be operated by a different actor or by multiple operators.

ConfidenceAssessment
High confidenceMicrosoft OAuth device-code phishing through a backend broker.
High confidenceMicrosoft Authentication Broker was used in the attacker-side flow.
High confidence162.35.167[.]138 is directly tied to the DEBULL panel and the Microsoft Authentication Broker session source.
High confidenceDEBULL is a deployed PHP PhaaS framework with admin, user, deployment, include, vendor, email, and token-broker components.
High confidenceDEBULL/CloakGuard supports reusable lure templates and deployment workflows, including Cloudflare Workers deployment.
High probabilityDEBULL utilizes GraphSpy or a GraphSpy-derived post-exploitation workflow based on GraphSpy-Device and the broker/session behavior.
High confidenceThe infrastructure uses geo-plausible data-center egress to reduce obvious impossible-travel signals.
Low-to-medium confidenceTurkish-language developer markers indicate Turkish code authorship or template modification lineage.
Low confidenceDirect attribution to Storm-2372 or to a Turkish actor.
Additional findingThe exposed deploy.php route shows page-builder, template, analytics, and Cloudflare deployment capabilities consistent with a PhaaS operator platform.

The more useful conclusion is that Storm-2372-style identity tradecraft is now being packaged into reusable broker infrastructure. DEBULL provides the campaign-facing and operator-facing layer. GraphSpy or GraphSpy-derived code likely handles the post-authentication layer. The lure can be changed without changing the backend identity stack.

Detection opportunities

Detection should focus on the sequence rather than a single URL. The strongest indicators are Microsoft Authentication Broker sign-ins after a suspicious collaboration lure, DEBULL broker polling, session continuation from separate attacker infrastructure, and unexpected device objects.

// Microsoft Authentication Broker followed by Outlook/OfficeHome from another IP
let window = 15m;
let mab = SigninLogs
  | where TimeGenerated > ago(14d)
  | where AppDisplayName =~ "Microsoft Authentication Broker"
  | extend SessionId_ = tostring(column_ifexists("SessionId", ""))
  | project MabTime=TimeGenerated, UserPrincipalName, MabIp=IPAddress,
            MabLocation=Location, MabSession=SessionId_, MabResult=ResultType,
            MabUserAgent=UserAgent, MabCorrelation=CorrelationId;
let owa = SigninLogs
  | where TimeGenerated > ago(14d)
  | where AppDisplayName in ("OfficeHome", "One Outlook Web")
  | where ResultType == 0
  | extend SessionId_ = tostring(column_ifexists("SessionId", ""))
  | project OwaTime=TimeGenerated, UserPrincipalName, OwaIp=IPAddress,
            OwaLocation=Location, OwaSession=SessionId_, OwaApp=AppDisplayName,
            OwaUserAgent=UserAgent, OwaCorrelation=CorrelationId;
mab
| join kind=inner owa on UserPrincipalName
| where OwaTime between (MabTime .. MabTime + window)
| where MabIp != OwaIp
| project MabTime, OwaTime, UserPrincipalName, MabIp, OwaIp,
          MabLocation, OwaLocation, MabSession, OwaSession,
          MabResult, OwaApp, MabUserAgent, OwaUserAgent
| order by MabTime desc
// Suspicious GraphSpy device registration artifact
AuditLogs
| where TimeGenerated > ago(30d)
| where TargetResources has_any ("GraphSpy-Device", "GraphSpy")
   or OperationName has_any ("Register device", "Add device", "Add registered owner to device")
| project TimeGenerated, OperationName, Result, InitiatedBy, TargetResources
| order by TimeGenerated desc
// DEBULL and device-code URL pivots
UrlClickEvents
| where Timestamp > ago(14d)
| where Url has_any (
    "microsoft.com/devicelogin",
    "login.microsoftonline.com/common/oauth2/deviceauth",
    "trogir-rental[.]com/Team_Meets",
    "frenksv[.]sbs/user/email/office_poll.php",
    "debull[.]app/user/email/office_poll.php"
)
or UrlChain has_any (
    "microsoft.com/devicelogin",
    "login.microsoftonline.com/common/oauth2/deviceauth",
    "trogir-rental[.]com/Team_Meets",
    "frenksv[.]sbs/user/email/office_poll.php",
    "debull[.]app/user/email/office_poll.php"
)
| project Timestamp, AccountUpn, ActionType, Url, UrlChain, NetworkMessageId
| order by Timestamp desc

Response and mitigation

Indicators and pivots

Domains and URLs:
hxxps://trogir-rental[.]com/Team_Meets/
hxxps://frenksv[.]sbs/user/email/office_poll.php?uid=4
hxxps://frenksv[.]sbs/user/index.php
hxxps://frenksv[.]sbs/admin/auth.php
hxxps://debull[.]app/user/email/office_poll.php
hxxps://page-8-xls-vft-lvfsa.pefferarley83249[.]workers[.]dev/
hxxps://www.microsoft[.]com/devicelogin

IPs:
162.35.167[.]138    DEBULL origin and Microsoft Authentication Broker source
96.126.176[.]130    attacker session continuation
49.12.61[.]13       first-stage compromised web host for trogir-rental[.]com

DEBULL panel artifacts:
DEBULL Secure Mail System
DEBULL Admin Panel
/user/index.php
/admin/auth.php
/user/email/office_poll.php
/includes/telegram.php
/vendor/composer/installed.json
/info.php
/var/www/token
debull[.]app:0
Apache/2.4.66 (Ubuntu)
PHP 8.5.4
phpmailer/phpmailer v7.1.1

DEBULL / CloakGuard PhaaS artifacts:
/user/email/deploy.php
/user/email/ajax/deploy_ajax.php?action=list_pages
/user/email/ajax/deploy_ajax.php?action=get_analytics
ajax/deploy_ajax.php?action=save_page
ajax/deploy_ajax.php?action=deploy_page&page_id=
Deploy Pages - CloakGuard
Device Code Auth Page
OAuth Callback Page
Modern Landing Page
Cloudflare Account ID
Cloudflare API Token
Cloudflare Zone ID
Worker Name
outlook.php?profile_id=
gmail.php?profile_id=
imap.php?profile_id=
/assets/css/chat.css
RecordRTC 5.6.2

Static fingerprints:
admin.css SHA256: B96DE9AB78411A112BDCC308163BCD7F88C215FF57BCB58282345C316794B305
Cloudflare Web Analytics token: cec0d6e71b404597a8e486238f0cc69a
Composer content-hash: c7173d6a700b02b111e51b703acd8c8e

Code-lineage markers:
Code'u otomatik kopyala
SAYAÇ (expiration)

Post-authentication artifact:
GraphSpy-Device

Why ZeroBEC is needed

This campaign reached the inbox because it was built to avoid static detection. The sender path carried enough trust to pass existing email defenses. The link used a legitimate compromised website as the first-stage landing page. The authentication happened on Microsoft infrastructure. The attacker infrastructure was geographically plausible. The post-authentication session looked like a normal Microsoft 365 workflow unless the full chain was reconstructed. The exposed DEBULL/CloakGuard deployment layer also shows why this type of campaign can evolve quickly: operators can change lures, templates, hosting, and Cloudflare Workers deployments while keeping the same behavioral backend pattern.

ZeroBEC detected the campaign because it did not evaluate the message as a collection of isolated indicators. The platform learned what normal looks like for each user and organization: who they usually interact with, what types of business requests are expected, what links are normal, and what authentication patterns fit the environment. In this case, the payment/shared-folder lure, the external collaboration link, the Microsoft device-code flow, and the post-click identity activity were abnormal as a sequence.

ZeroBEC quarantined the message and automatically produced the investigation trail: the original lure, landing page, DEBULL broker endpoint, Microsoft Authentication Broker activity, attacker IPs, session handoff, and GraphSpy-like device-registration artifact. That is the difference between blocking a suspicious email and understanding a campaign.

Ready to see how ZeroBEC protects your organization? Start free or contact us.