
Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing

Tycoon2FA device-code – After an international takedown in March, the Tycoon2FA phishing kit returned to normal activity levels and expanded into OAuth 2.0 device-code phishing. The latest campaign chains Trustifi click-tracking URLs with an invoice-themed lure and Microsoft’s legiti

When a victim clicks a Trustifi click-tracking URL in an invoice-themed email lure, the chain of events is designed to end at the victim’s own Microsoft login—except the final result is authorization for an attacker-controlled device.

The Tycoon2FA phishing kit, which previously relied on other techniques, has now added support for device-code phishing attacks targeting Microsoft 365 accounts. Even after an international law enforcement operation disrupted the platform in March, the operation was rebuilt on new infrastructure and returned to regular activity levels. Earlier this month, Abnormal Security said Tycoon2FA had rebounded to normal operations and added new obfuscation layers to strengthen its resilience.

By late April, it was seen in a campaign that used OAuth 2.0 device authorization grant flows to compromise Microsoft 365 accounts—evidence, researchers say, that the operator is continuing to develop the kit.

Device-code phishing works by sending a device authorization request to the target service’s provider, then forwarding the generated code to the victim. The victim is then tricked into entering that code on the service’s legitimate login page. Done successfully, the attacker can register a rogue device with the victim’s Microsoft 365 account and gain unrestricted access to the victim’s data and services, including email, calendar, and cloud file storage.

Cybersecurity teams have been watching the tactic gain momentum. Push Security warned that this type of attack increased by 37x this year, supported by at least ten distinct phishing-as-a-service (PhaaS) platforms and private kits. A separate report from Proofpoint recorded a similar surge in the use of the tactic.

A four-step handoff is at the center of the newer Tycoon2FA behavior. eSentire describes how the activity starts when a victim clicks a Trustifi click-tracking URL in the lure email and culminates when the victim unknowingly grants OAuth tokens to an attacker-controlled device through Microsoft’s legitimate device-login flow at microsoft.com/devicelogin. eSentire also says the two endpoints are connected by a four-layer in-browser delivery chain.

Trustifi, which eSentire calls a legitimate email security platform providing tools integrated into email services including those from Microsoft and Google, is part of the mechanism—but eSentire says it does not know how the attackers came to use Trustifi.


In eSentire’s account, the invoice-themed phishing email directs the victim through Trustifi, Cloudflare Workers, and multiple obfuscated JavaScript layers. That traffic lands the victim on a fake Microsoft CAPTCHA page, where the phishing page retrieves a Microsoft OAuth device code from the attacker’s backend. The victim is then instructed to copy and paste the code to ‘microsoft.com/devicelogin’ and complete multi-factor authentication (MFA) on their end.

Once that step is finished, Microsoft issues OAuth access and refresh tokens to the attacker-controlled device.

The kit’s approach also reflects a cat-and-mouse focus on keeping it out of sight. eSentire says Tycoon2FA includes extensive protection against researchers and automated scanning, detecting Selenium, Puppeteer, Playwright, and Burp Suite. It blocks security vendors, VPNs, sandboxes, AI crawlers, and cloud providers, and uses debugger timing traps. eSentire adds that requests from devices showing analysis environment signals are automatically redirected to a legitimate Microsoft page.

The filtering mechanism is broad and specific: eSentire says the kit’s blocklist currently contains 230 vendor names and is constantly updated.


Defenders are urged to adjust how their environments handle OAuth and device authentication. eSentire recommends disabling the OAuth device code flow when it is not needed, restricting OAuth consent permissions, requiring admin approval for third-party apps, enabling Continuous Access Evaluation (CAE), and enforcing compliant device access policies. It also recommends monitoring Entra logs for deviceCode authentication, Microsoft Authentication Broker usage, and Node.js user agents.
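As an added example (not code from eSentire or the original report), the following script applies the three monitoring signals above to constructed Entra sign-in records. The field names follow the Microsoft Graph signIn schema as an assumption, and the records are invented for illustration.

```python
import json

# Constructed sample records shaped like Microsoft Graph signIn objects (JSON lines).
# Field names are an assumption about the schema; the values are invented, not real telemetry.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker", "userAgent": "Node.js/20.11.0", "ipAddress": "203.0.113.10"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/124.0", "ipAddress": "198.51.100.7"}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI", "userAgent": "python-requests/2.31", "ipAddress": "192.0.2.44"}
{"userPrincipalName": "dave@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Authentication Broker", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/124.0", "ipAddress": "198.51.100.9"}
"""


def indicators(rec):
    """Return the monitoring signals from the guidance above that one record matches."""
    hits = []
    if rec.get("authenticationProtocol") == "deviceCode":
        hits.append("device_code_flow")
    if rec.get("appDisplayName") == "Microsoft Authentication Broker":
        hits.append("auth_broker_app")
    if "node.js" in rec.get("userAgent", "").lower():
        hits.append("nodejs_user_agent")
    return hits


def severity(hits):
    """A deviceCode sign-in alone deserves a review; combined with the other signals it is high.
    Broker or Node.js signals without deviceCode are recorded as informational only."""
    if "device_code_flow" not in hits:
        return "info" if hits else None
    return "high" if len(hits) >= 2 else "review"


def triage(log_text):
    """Parse JSON-lines sign-in records and return {upn: (severity, hits)} for every match."""
    findings = {}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        hits = indicators(rec)
        sev = severity(hits)
        if sev:
            findings[rec["userPrincipalName"]] = (sev, hits)
    return findings


if __name__ == "__main__":
    for upn, (sev, hits) in triage(SAMPLE_SIGNIN_LOG).items():
        print(f"{sev:6} {upn}: {', '.join(hits)}")
```

In a real deployment the records would come from the Entra sign-in log export rather than the embedded string, and a "high" finding is the point at which the issued refresh token should be revoked and the registered device reviewed.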

eSentire has published indicators of compromise (IoCs) for the latest Tycoon2FA attacks to help defenders protect their environments.

There is a clear through-line in the reporting: Tycoon2FA was disrupted in March but rebuilt quickly, returned to regular activity levels, then shifted into a late-April campaign using OAuth 2.0 device authorization grant flows. Across those stages, the same end goal stays consistent—using Microsoft’s legitimate device-login flow after victims are routed through Trustifi-tracking infrastructure to end up granting OAuth access and refresh tokens to attacker-controlled devices.

For organizations using Microsoft 365, the message from the latest findings is that device-code phishing is no longer an edge-case technique. With Tycoon2FA confirming that it has become highly popular among cybercriminals, and with defenses focused on token issuance paths and environment-aware evasion, the pressure is now on tightening device-code permissions and logging around deviceCode authentication—before an OAuth grant is ever issued to the wrong device.
