
Tycoon2FA Exploits Microsoft 365 with Device-Code Phishing

“The attack begins when a victim clicks a Trustifi click-tracking URL in a lure email and culminates in the victim unknowingly granting OAuth tokens to an attacker-controlled device through Microsoft's legitimate device-login flow at microsoft.com/devicelogin,” eSentire researchers write.

Tycoon2FA's comeback after the March disruption

Tycoon2FA — a phishing kit that previously faced an international law enforcement disruption in March — was rebuilt on new infrastructure and returned rapidly to regular activity levels, according to reporting gathered in recent weeks. Earlier this month Abnormal Security confirmed that Tycoon2FA had rebounded and added new obfuscation layers to harden the platform against further disruption attempts.

The rebound, and the operator's continued development of the kit, are visible in a late-April campaign that shifted the kit's tradecraft from credential-relay approaches toward device-code phishing using OAuth device authorization grant flows.

How device-code phishing targets Microsoft 365

The campaign leverages the OAuth 2.0 device authorization grant flow to steal access to Microsoft 365 accounts. In practice, attackers generate a device code via an authorization request and forward that code to the victim. When the victim copies the code into the legitimate microsoft.com/devicelogin page and completes multi-factor authentication (MFA) on their end, Microsoft issues OAuth access and refresh tokens to the attacker-controlled device.

Once issued, those tokens allow the attacker to register a rogue device with the victim's Microsoft 365 account and gain unrestricted access to email, calendar, and cloud file storage, the reporting states.

Trustifi click-tracking URLs and the four-layer delivery chain

eSentire's analysis traces the attack's first step to an invoice-themed phishing email containing a Trustifi click-tracking URL. The Trustifi link redirects through a sequence of components — Trustifi, Cloudflare Workers, and several obfuscated JavaScript layers — that ultimately land the victim on a fake Microsoft CAPTCHA page.

At that fake page, the phishing page retrieves a Microsoft OAuth device code from the attacker's backend and instructs the victim to copy and paste it to microsoft.com/devicelogin. Once the victim completes MFA on the legitimate Microsoft page, the attacker receives OAuth tokens and control of the registered device.

eSentire notes it does not know how the attackers came to use Trustifi, which is a legitimate email security platform integrated with various email services.

Tycoon2FA's anti-analysis measures and published IoCs

The kit includes extensive protections intended to block researchers and automated scanners. eSentire reports Tycoon2FA detects Selenium, Puppeteer, Playwright, Burp Suite, and other security tools; blocks known security vendors, VPNs, sandboxes, AI crawlers, and cloud providers; and uses debugger timing traps. Requests from devices indicating an analysis environment are redirected to a legitimate Microsoft page, researchers say.

eSentire's researchers found the kit's blocklist currently contains 230 vendor names and is under active maintenance. The firm has published a set of indicators of compromise (IoCs) for the latest Tycoon2FA attacks to help defenders identify and respond to activity linked to the campaign.

What this means for technologists, procurement teams, and end users

  • Technologists and security teams: eSentire recommends disabling the OAuth device code flow when not needed, restricting OAuth consent permissions, requiring admin approval for third-party apps, enabling Continuous Access Evaluation (CAE), and enforcing compliant device access policies. Teams are also urged to monitor Entra logs for deviceCode authentication, Microsoft Authentication Broker usage, and Node.js user agents.
  • Procurement and platform operators: the campaign demonstrates how legitimate services — here, a Trustifi click-tracking URL and Cloudflare Workers — can be chained into an attack. The presence of such services in mail and web delivery chains may require review of allowed integrations and tracking links.
  • End users: the attack's social-engineering step is straightforward. An invoice-themed lure directs a user to paste a code at microsoft.com/devicelogin and complete MFA; that user action, completed on a legitimate Microsoft page, is the moment OAuth tokens are granted to an attacker-controlled device.
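To make the monitoring advice in the technologists bullet concrete, here is an added example (not eSentire's tooling or anything from the report) that triages constructed Entra sign-in records against the three signals named above: deviceCode authentication, Microsoft Authentication Broker as the requesting app, and Node.js-style user agents. Field names follow the Microsoft Graph signIn schema; the Node.js user-agent pattern and the severity rule are assumptions to tune for your tenant.

```python
"""Flag Entra ID sign-in events matching the device-code phishing signals
the article lists. Added example, not eSentire's tooling; records below are
constructed and use Microsoft Graph `signIn` field names."""
import json
import re

# Constructed sample sign-ins (not real log data).
SAMPLE_SIGNINS = json.loads("""
[
 {"id": "s1", "userPrincipalName": "alice@example.com",
  "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Teams/1.7",
  "ipAddress": "198.51.100.10"},
 {"id": "s2", "userPrincipalName": "bob@example.com",
  "authenticationProtocol": "deviceCode",
  "appDisplayName": "Microsoft Authentication Broker",
  "userAgent": "axios/1.6.7", "ipAddress": "203.0.113.77"},
 {"id": "s3", "userPrincipalName": "carol@example.com",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
  "userAgent": "python-requests/2.31.0", "ipAddress": "198.51.100.22"}
]""")

# Assumed pattern for common Node.js HTTP clients; adjust to what your logs show.
NODE_UA = re.compile(r"\bnode(?:\.js|-fetch)?\b|\baxios/|\bundici\b", re.IGNORECASE)


def signals(rec: dict) -> list[str]:
    """Return which of the article's three indicators a sign-in record shows."""
    found = []
    if rec.get("authenticationProtocol") == "deviceCode":
        found.append("deviceCode authentication")
    if rec.get("appDisplayName") == "Microsoft Authentication Broker":
        found.append("Microsoft Authentication Broker")
    if NODE_UA.search(rec.get("userAgent", "")):
        found.append("Node.js user agent")
    return found


def triage(records: list[dict]) -> list[dict]:
    """Device code alone is 'medium' (admin CLIs use it legitimately);
    device code plus the broker app or a Node.js user agent is 'high'."""
    hits = []
    for rec in records:
        found = signals(rec)
        if "deviceCode authentication" not in found:
            continue  # only device-code sign-ins are in scope here
        hits.append({"id": rec["id"], "user": rec["userPrincipalName"],
                     "ip": rec.get("ipAddress"), "signals": found,
                     "severity": "high" if len(found) >= 2 else "medium"})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_SIGNINS):
        print(hit["severity"], hit["user"], hit["ip"], ", ".join(hit["signals"]))
```

Feed it the JSON returned by the Graph sign-in logs endpoint (or an export of the Entra sign-in logs) and review the medium hits against known device-code users such as CLI tooling before tightening the rule.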

The technical record in this case is notable for three converging trends reported by multiple firms: Tycoon2FA's rapid restoration and added obfuscation after a March takedown; the shift toward device-code phishing that abuses legitimate authorization flows; and wider measurements from Push Security and Proofpoint showing a sharp surge in the tactic — Push Security quantified growth as 37x this year and attributed the trend to at least ten distinct phishing-as-a-service platforms and private kits. Together, those facts underline that the technique is not experimental but a growing attacker staple, and defenders now have specific places in logs and controls eSentire recommends watching.

Read the original reporting: https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/