Tycoon2FA Returns With New Microsoft 365 Device-Code Phishing Attacks
Tycoon2FA now abuses Microsoft OAuth device-login flows
Tycoon2FA has returned to full activity after a major law enforcement disruption earlier this year, and researchers say the phishing platform is now more dangerous than before.
After its infrastructure was disrupted in March, the operators rebuilt the phishing-as-a-service platform on new systems and added additional obfuscation layers designed to make future takedowns significantly harder. The latest campaigns also introduce support for device-code phishing attacks targeting Microsoft 365 accounts.
The updated attacks abuse Microsoft’s legitimate OAuth 2.0 device authorization flow instead of relying only on traditional credential-harvesting pages. Victims are tricked into entering an attacker-requested device code on Microsoft’s real login portal, which causes Microsoft to hand the resulting OAuth tokens, and therefore long-term access to the account, to the attacker without the victim’s password ever being typed into a fake page.
Tycoon2FA shifts to device-code phishing
Researchers say the phishing kit now supports device-code phishing, a rapidly growing attack method that takes advantage of trusted Microsoft authentication workflows.
In the attack, victims receive invoice-themed phishing emails containing Trustifi click-tracking links. Trustifi is a legitimate email security platform, though researchers still do not know how attackers obtained access to its tracking URLs for these campaigns.
After clicking the email link, victims are redirected through multiple layers that include Trustifi tracking systems, Cloudflare Workers infrastructure, and heavily obfuscated JavaScript code. The user eventually lands on a fake Microsoft CAPTCHA page designed to appear legitimate.
The phishing page retrieves a Microsoft OAuth device code from the attacker-controlled backend, which has itself requested the code from Microsoft’s device authorization endpoint and keeps polling the token endpoint while it waits. The page instructs the victim to copy the user code into Microsoft’s real device-login page at microsoft.com/devicelogin.
Because the sign-in itself happens on Microsoft’s legitimate authentication portal, with a valid certificate and the expected address bar, many users have no reason to suspect anything. Once the victim signs in and completes multi-factor authentication, Microsoft’s token endpoint returns access and refresh tokens to the client that requested the device code, which is the attacker’s backend. The refresh token then lets the attacker obtain fresh access tokens until it expires or is revoked, with no further interaction from the victim.
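The exchange described above, as an added example that is not code from the article, from Tycoon2FA or from Microsoft: a toy in-memory authorization server implementing the OAuth 2.0 device authorization grant (RFC 8628), with the three steps the attack relies on played out in order. The verification URI, client id, user identity, code and token formats are all constructed stand-ins, not Microsoft’s real values.

```python
"""Walk-through of the OAuth 2.0 device authorization grant (RFC 8628), the
flow Tycoon2FA abuses. Added example, not code from the article or Microsoft.
The authorization server is an in-memory toy standing in for Microsoft's real
endpoints; all codes, tokens, URIs and identities are constructed."""
import secrets
import time


class DeviceAuthServer:
    """Toy authorization server implementing the RFC 8628 state machine."""

    VERIFICATION_URI = "https://authserver.example/devicelogin"  # stand-in, not Microsoft's

    def __init__(self, code_lifetime=900, interval=5):
        self.code_lifetime = code_lifetime
        self.interval = interval
        self._grants = {}        # device_code -> grant record
        self._by_user_code = {}  # user_code  -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1 (client -> /devicecode): issue a device_code / user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()  # constructed 8-char code shown to the user
        self._grants[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": time.time() + self.code_lifetime, "approved_by": None,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.VERIFICATION_URI,
                "expires_in": self.code_lifetime, "interval": self.interval}

    def approve(self, user_code, user, mfa_passed):
        """Step 2 (user at verification_uri): a signed-in user types the code.
        Nothing here ties the approval to the device the user is sitting at."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None or not mfa_passed:
            return False
        grant = self._grants[device_code]
        if time.time() > grant["expires_at"]:
            return False
        grant["approved_by"] = user
        return True

    def token(self, client_id, device_code):
        """Step 3 (client -> /token, grant_type=device_code): poll for tokens."""
        grant = self._grants.get(device_code)
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > grant["expires_at"]:
            return {"error": "expired_token"}
        if grant["approved_by"] is None:
            return {"error": "authorization_pending"}
        # Tokens go to whoever holds device_code, i.e. the polling client,
        # regardless of where the user approved the request.
        return {"token_type": "Bearer", "scope": grant["scope"],
                "access_token": "at." + secrets.token_hex(8),
                "refresh_token": "rt." + secrets.token_hex(8),
                "subject": grant["approved_by"]}


def run_phish_scenario(victim="victim@example.com"):
    """Plays out the lure: the attacker requests the code, the victim enters it
    on the legitimate portal, and the attacker's poller receives the tokens."""
    server = DeviceAuthServer()
    attacker_client = "attacker-backend"  # constructed client id
    start = server.device_authorization(attacker_client, "offline_access Mail.Read")

    # Before the victim acts, polling only yields authorization_pending.
    first_poll = server.token(attacker_client, start["device_code"])

    # The phishing page displays start["user_code"]; the victim types it in
    # on the real portal and completes MFA there.
    approved = server.approve(start["user_code"], victim, mfa_passed=True)

    # The attacker's next poll is answered with the victim's tokens.
    tokens = server.token(attacker_client, start["device_code"])
    return {"first_poll": first_poll, "approved": approved, "tokens": tokens}


if __name__ == "__main__":
    result = run_phish_scenario()
    print(result["first_poll"])          # {'error': 'authorization_pending'}
    print(result["tokens"]["subject"])   # victim@example.com
```

The point the simulation makes is structural rather than a bug: the user code is the only link between the victim’s browser session and the attacker’s polling client, and the authorization server has no way to check that the person entering it is the same party that requested it. MFA is completed honestly by the victim, so it does not help.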
Microsoft 365 accounts can be fully hijacked
The technique effectively registers an attacker-controlled client as an authorized device for the victim’s Microsoft 365 account, without the password ever changing hands.
Once that client is authorized, attackers can read email, calendars, cloud storage, and any other Microsoft 365 service the granted scopes cover. Because the only page the victim signs in on is Microsoft’s own, URL reputation filters and “check the address bar” awareness training offer little protection: the phishing page never sees a credential, and the sign-in itself looks legitimate.
Researchers warn that device-code phishing has become one of the fastest-growing account takeover methods this year. Security firm Push Security previously warned that observed attacks using the technique increased 37 times over recent months.
The growing popularity of the tactic has also led to wider adoption across underground phishing ecosystems. At least ten phishing-as-a-service operations and private phishing kits reportedly now support device-code phishing functionality.
Security teams face growing OAuth abuse risks
The latest Tycoon2FA campaigns highlight how attackers continue shifting away from simple password theft toward token-based account compromise methods.
Security experts recommend blocking the OAuth device code flow wherever an organization does not need it; in Microsoft Entra this can be done with a Conditional Access policy that uses the authentication flows condition to block device code flow for users who have no legitimate use for it, such as everyone outside of IT and developer roles. Companies should also restrict OAuth consent permissions, require administrator approval for third-party applications, and enforce compliant-device access policies across Microsoft Entra environments.
Researchers additionally recommend enabling Continuous Access Evaluation and monitoring sign-in logs for unexpected deviceCode sign-ins (the authentication protocol field in Entra sign-in logs), Microsoft Authentication Broker activity, and Node.js-style user agents that may indicate an automated client polling for tokens. A device code sign-in on its own can be legitimate (command-line tools use the flow), so the useful signal is the combination: a device code sign-in for a user who never uses such tools, followed shortly by broker activity or token use from a non-browser client.
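The detection logic above, run over sample sign-in records, as an added example that is not the article’s or any vendor’s code. The records are constructed, with field names loosely modeled on Entra sign-in log entries; the user-agent patterns, the 30-minute correlation window and the severity tiers are my assumptions, not a published rule set.

```python
"""Detection logic for the signals the article recommends watching: deviceCode
sign-ins, Microsoft Authentication Broker activity and Node.js-style user agents.
Added example; not the article's or any vendor's code. Sample records are
constructed and only loosely modeled on Entra sign-in log fields."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicators of a non-browser client polling the token endpoint.
AUTOMATION_UA = re.compile(r"\b(node|undici|axios|node-fetch)\b", re.I)
BROKER_APP = "Microsoft Authentication Broker"

# Constructed sample records (not real telemetry).
SAMPLE_SIGNINS = [
    {"time": "2025-11-03T09:12:04Z", "user": "alice@example.com",
     "app": "Outlook Web", "protocol": "oAuth2", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/130.0", "status": "success"},
    {"time": "2025-11-03T09:40:11Z", "user": "bob@example.com",
     "app": "Microsoft Office", "protocol": "deviceCode", "ip": "198.51.100.7",
     "ua": "node", "status": "success"},
    {"time": "2025-11-03T09:41:30Z", "user": "bob@example.com",
     "app": BROKER_APP, "protocol": "oAuth2", "ip": "198.51.100.7",
     "ua": "axios/1.7.2", "status": "success"},
    {"time": "2025-11-03T10:05:00Z", "user": "carol@example.com",
     "app": "Azure CLI", "protocol": "deviceCode", "ip": "192.0.2.44",
     "ua": "python-requests/2.32", "status": "success"},
]


def classify(rec):
    """Return the indicator names that fire on a single sign-in record."""
    hits = []
    if rec["protocol"] == "deviceCode":
        hits.append("device_code_signin")
    if rec["app"] == BROKER_APP:
        hits.append("auth_broker_activity")
    if AUTOMATION_UA.search(rec["ua"]):
        hits.append("automation_user_agent")
    return hits


def _ts(value):
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(records, window=timedelta(minutes=30)):
    """Group sign-ins per user and assign a severity.

    high:   deviceCode sign-in followed within `window` by broker activity or an
            automation user agent (the same record may carry both signals)
    medium: deviceCode sign-in without a close secondary signal
    low:    broker activity or automation user agent without a deviceCode sign-in
    """
    secondary = {"auth_broker_activity", "automation_user_agent"}
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        by_user[rec["user"]].append(rec)

    findings = {}
    for user, recs in by_user.items():
        tagged = [(rec, classify(rec)) for rec in recs]
        device = [rec for rec, hits in tagged if "device_code_signin" in hits]
        others = [rec for rec, hits in tagged if secondary & set(hits)]
        indicators = sorted({h for _, hits in tagged for h in hits})

        severity = "none"
        if device and others:
            close = any(timedelta(0) <= _ts(o["time"]) - _ts(d["time"]) <= window
                        for d in device for o in others)
            severity = "high" if close else "medium"
        elif device:
            severity = "medium"
        elif others:
            severity = "low"
        if severity != "none":
            findings[user] = {"severity": severity, "indicators": indicators}
    return findings


if __name__ == "__main__":
    for user, finding in correlate(SAMPLE_SIGNINS).items():
        print(user, finding["severity"], ", ".join(finding["indicators"]))
```

In the sample data, alice’s ordinary browser sign-in produces no finding, carol’s Azure CLI device code sign-in is rated medium rather than high because nothing else fires, and bob’s device code sign-in from a `node` user agent followed a minute later by Microsoft Authentication Broker activity is rated high. Against real data the record fields would be mapped from the tenant’s actual sign-in log schema, and the automation user-agent list tuned to what the organization’s own tooling legitimately sends.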
The resurgence of Tycoon2FA comes amid a broader wave of Microsoft-focused security threats. Researchers recently warned that the MiniPlasma privilege escalation exploit can reportedly grant SYSTEM access on fully patched Windows systems, while another researcher claimed Microsoft silently fixed an Azure Backup for AKS vulnerability without publishing a CVE.
Separately, threat actors have also started abusing Microsoft Teams chats to socially engineer employees into deploying ModeloRAT malware inside corporate networks.