Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing
by Bill Toulas · BleepingComputerThe Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts.
Despite an international law enforcement operation disrupting the Tycoon2FA phishing platform in March, the malicious operation was rebuilt on new infrastructure and quickly returned to regular activity levels.
Earlier this month, Abnormal Security confirmed that Tycoon2FA had rebounded to normal operations and even added new obfuscation layers to strengthen its resilience against new disruption attempts.
In late April, Tycoon2FA was observed in a campaign that leveraged the OAuth 2.0 device authorization grant flows to compromise Microsoft 365 accounts, indicating that the operator continues to develop the kit.
Device code phishing is a type of attack in which threat actors send a device authorization request to the target service’s provider and forward the generated code to the victim, tricking them into entering it on the service’s legitimate login page.
Doing so authorizes the attacker to register a rogue device with the victim’s Microsoft 365 account, giving them unrestricted access to the victim's data and services, including email, calendar, and cloud file storage.
Push Security recently warned that this type of attack has increased by 37x this year, supported by at least ten distinct phishing-as-a-service (PhaaS) platforms and private kits. A more recent report by Proofpoint records a similar surge in the use of the tactic.
Tycoon2FA adds device-code phishing
According to new research from managed detection and response company eSentire, Tycoon2FA confirms that device code phishing has become highly popular among cybercriminals.
“The attack begins when a victim clicks a Trustifi click-tracking URL in a lure email and culminates in the victim unknowingly granting OAuth tokens to an attacker-controlled device through Microsoft's legitimate device-login flow at microsoft.com/devicelogin,” explains eSentire.
“Connecting those two endpoints is a four-layer in-browser delivery chain whose Tycoon 2FA tradecraft is virtually unchanged from the credential-relay variant TRU documented in April 2025 and the post-takedown variant documented in April 2026.”
Trustifi is a legitimate email security platform that provides a range of tools integrated into various email services, including those from Microsoft and Google. However, eSentire does not know how the attackers came to use Trustifi.
According to the researchers, the attack uses an invoice-themed phishing email containing a Trustifi tracking URL that redirects through Trustifi, Cloudflare Workers, and several obfuscated JavaScript layers, landing the victim on a fake Microsoft CAPTCHA page.
The phishing page retrieves a Microsoft OAuth device code from the attacker's backend and instructs the victim to copy and paste it to ‘microsoft.com/devicelogin,’ after which the victim completes multi-factor authentication (MFA) on their end.
After this step, Microsoft issues OAuth access and refresh tokens to the attacker-controlled device.
Source: eSentire
The Tycoon2FA phishing kit includes extensive protection against researchers and automated scanning, detecting Selenium, Puppeteer, Playwright, Burp Suite, blocking security vendors, VPNs, sandboxes, AI crawlers, and cloud providers, and using debugger timing traps.
Requests from devices indicating an analysis environment are automatically redirected to a legitimate Microsoft page, eSentire says.
The researchers have found that the kit’s blocklist currently contains 230 vendor names and is constantly updated.
eSentire recommends disabling the OAuth device code flow when not needed, restricting OAuth consent permissions, requiring admin approval for third-party apps, enabling Continuous Access Evaluation (CAE), and enforcing compliant device access policies.
Additionally, the researchers recommend monitoring Entra logs for deviceCode authentication, Microsoft Authentication Broker usage, and Node.js user agents.
eSentire has published a set of indicators of compromise (IoCs) for the latest Tycoon2FA attacks to help defenders protect their environments.
The Validation Gap: Automated Pentesting Answers One Question. You Need Six.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.