Tycoon2FA Exploits Device-Code Phishing for Microsoft 365 Accounts

Bottom line: Tycoon2FA operators have adopted device-code phishing, tricking users into authorizing OAuth tokens for attacker-controlled devices on the legitimate Microsoft login page.

The Tycoon2FA phishing kit has integrated a new attack technique following its takedown in March: device-code phishing targeting Microsoft 365 accounts. The attackers are abusing legitimate Trustifi tracking links and have quickly rebuilt their infrastructure.

The Tycoon2FA phishing kit quickly rebuilt itself on new infrastructure following its dismantling by an international law enforcement operation in March and now leverages device-code phishing to compromise Microsoft 365 accounts. In early May, Abnormal Security reported that Tycoon2FA had resumed full operations and introduced new obfuscation techniques. Late April saw campaigns exploiting OAuth 2.0 Device Authorization Grant flows.

In device-code phishing, attackers send an authorization request to the target service, relay the resulting code to the victim, and trick them into entering it on the legitimate login page. This authorizes the attacker’s device on the victim’s Microsoft 365 account and grants unrestricted access to email, calendar, contacts, and cloud storage. Push Security reports that such attacks increased 37-fold in 2025, enabled by at least ten distinct phishing-as-a-service platforms.

The Tycoon2FA attack begins with an invoice email containing a Trustifi tracking URL. This link routes through Trustifi, Cloudflare Workers, and multiple layers of obfuscated JavaScript to a fake Microsoft CAPTCHA page. The page then pulls a Microsoft OAuth device code from the attacker’s backend and prompts the victim to enter it at microsoft.com/devicelogin. After navigating to /common/oauth2/devicecode?client_id=…, the victim completes multi-factor authentication. Microsoft then issues OAuth access and refresh tokens to the attacker-controlled device.
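The flow above leaves a visible trace on the defender's side: the token grant shows up as a device-code sign-in in the tenant's sign-in logs, often from a location the user has never used. The following is an added example, not code from the article or from any vendor named in it, that flags such sign-ins in Entra ID-style records; the field names follow the Microsoft Graph signIn schema (`authenticationProtocol` with value `deviceCode`), and the sample records are constructed.

```python
"""Flag OAuth device-code sign-ins in Entra ID-style sign-in records.

Field names follow the Microsoft Graph signIn schema; the records below are
constructed sample data, not real logs.
"""
from collections import defaultdict

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "country": "DE", "createdDateTime": "2026-05-10T08:01:00Z"},
    {"user": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.11", "country": "DE", "createdDateTime": "2026-05-11T09:12:00Z"},
    # Device-code grant completed from a country alice has never signed in from:
    # the trace left when the token is issued to a device that is not hers.
    {"user": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "country": "NL", "createdDateTime": "2026-05-12T10:30:00Z"},
    # Device-code grant from the user's usual location (e.g. a TV or CLI app):
    # still reported, but at lower severity.
    {"user": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.5", "country": "US", "createdDateTime": "2026-05-10T12:00:00Z"},
    {"user": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.5", "country": "US", "createdDateTime": "2026-05-12T12:05:00Z"},
]


def detect_device_code_signins(records):
    """Return one alert per deviceCode sign-in.

    Severity is "high" when the grant came from a country absent from all of
    the user's non-device-code sign-ins in the same window, "medium" otherwise.
    """
    known_countries = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            known_countries[r["user"]].add(r["country"])
    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        new_location = r["country"] not in known_countries[r["user"]]
        alerts.append({"user": r["user"], "time": r["createdDateTime"],
                       "ipAddress": r["ipAddress"],
                       "severity": "high" if new_location else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```

In a tenant that has no legitimate device-code clients, every such alert merits review; otherwise the "high" tier is the one to triage first.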

eSentire documents that Trustifi—a legitimate email security solution—is being abused; how attackers discovered or gained access to the platform remains unclear. The research group notes that Tycoon2FA tradecraft remains identical to the credential relay variant from April 2025.


Source: ainews-dev.lumi-systems.io · Published 17 May 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.5.2.