Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing
Tycoon2FA, a well-known phishing toolkit, has added device-code phishing to its arsenal, using Trustifi tracking URLs to hijack Microsoft 365 accounts via the OAuth device login flow. After an international police disruption in March, the operation rebuilt its infrastructure and returned to normal activity with added obfuscation. In late April, Tycoon2FA campaigns leveraged the device authorization grant to gain OAuth tokens, granting attackers access to victims’ emails, calendars, and cloud storage. Researchers warn that device-code phishing is surging and recommend defenses such as disabling the device-code flow when not needed, restricting OAuth permissions, requiring admin approval for third-party apps, enabling Continuous Access Evaluation, and monitoring Entra logs for deviceCode activity, along with applying published IoCs.

Tycoon2FA Expands to Device-Code Phishing Targeting Microsoft 365 Accounts
Overview
The Tycoon2FA phishing toolkit has expanded its repertoire to include device-code phishing attacks, leveraging Trustifi click-tracking URLs to hijack Microsoft 365 accounts. Following an international law enforcement disruption in March that briefly interrupted the operation, Tycoon2FA rebuilt its infrastructure and returned to active campaigns. Early this month, Abnormal Security confirmed that Tycoon2FA had rebounded to normal operations and had even introduced new obfuscation layers to withstand disruption attempts. By late April, Tycoon2FA was observed in campaigns that used OAuth 2.0 device authorization grant flows to compromise Microsoft 365 accounts, signaling continued development of the kit.
Context and Campaign Continuity
- March: Police action disrupts Tycoon2FA’s platform, triggering a temporary halt.
- Post-disruption: Rebuilds on new infrastructure and resumes activity at prior levels.
- Early May: Observations confirm renewed normal operations with added obfuscation layers.
- Late April: Campaigns begin to employ OAuth device authorization flows to compromise Microsoft 365 accounts.
Device-Code Phishing Explained
Device-code phishing is a workflow in which the threat actor starts a device authorization request with the target service's identity provider and relays the resulting user code to the victim, tricking them into entering it on the service's legitimate login page. Because the victim authenticates (including MFA) on a genuine Microsoft page, the tokens are issued to the device that requested the code, which the attacker controls. In effect the attacker registers a rogue device under the victim's Microsoft 365 account and gains broad access to data and services such as email, calendars, and cloud storage.
Attack narrative in Tycoon2FA campaigns
- Lure and delivery: A victim receives an invoice-themed phishing email containing a Trustifi click-tracking URL.
- Redirection chain: The link directs through Trustifi, then Cloudflare Workers, followed by several obfuscated JavaScript layers, culminating on a deceptive Microsoft CAPTCHA page.
- Device-code retrieval: The phishing page retrieves a Microsoft OAuth device code from the attacker’s backend and instructs the victim to copy and paste it to microsoft.com/devicelogin.
- Authentication bridge: The victim completes MFA on their end, after which Microsoft issues OAuth access and refresh tokens to the attacker-controlled device.
- Resulting access: The attacker gains ongoing access to the victim’s Microsoft 365 environment and data through the compromised device.
Attack Infrastructure and Evasion
- A four-layer browser delivery chain connects the lure to the device-code workflow, with Tycoon2FA’s tradecraft bearing similarities to earlier credential-relay variants documented in 2025 and 2026.
- Trustifi as a delivery and tracking component: While Trustifi is a legitimate email security platform used across major providers, the exact path by which attackers began leveraging it remains unclear.
- Obfuscation and anti-analysis measures: The kit employs multiple layers of obfuscation, extensive protection against automated researchers, and measures designed to bypass common tooling.
- Defensive surface: The attack framework includes a substantial blocklist (reported to contain hundreds of vendor names) and techniques to redirect analysis-equipped devices to legitimate Microsoft pages, complicating automated detection.
Indicators of Compromise and Defender Signals
- Researchers have published a set of indicators of compromise (IoCs) for the Tycoon2FA framework, reflecting the latest weaponized device-code operations, for defenders to apply.
- IoCs include artifacts from the in-browser delivery chain, the use of Trustifi tracking URLs, and references to the device-login pathway at microsoft.com/devicelogin.
- Researchers highlight the ongoing use of OAuth device-code flows and the associated token issuance to attacker-controlled devices as the critical operational signal to monitor within Entra logs and related identity infrastructure.
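The recommendation above is to watch Entra sign-in logs for device-code grant activity. The following is an added example, not code from the original report or from any researcher cited in it, of what that check looks like over exported sign-in records. The records are constructed for this example and modelled on the Microsoft Graph signIn resource (`authenticationProtocol`, `status.errorCode`, `conditionalAccessStatus`); the field names follow my reading of that schema, every value is invented, and the "shared source IP" heuristic is my own rather than a published detection rule.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records in the shape of the Microsoft Graph signIn
# resource. None of these values are real indicators; they exist only so the
# detection logic below has something to run over.
SAMPLE_SIGNINS = json.loads("""[
 {"id": "s1", "createdDateTime": "2025-04-28T08:02:11Z",
  "userPrincipalName": "alice@example.com", "appDisplayName": "Outlook",
  "ipAddress": "198.51.100.7", "authenticationProtocol": "none",
  "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
 {"id": "s2", "createdDateTime": "2025-04-28T09:15:40Z",
  "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
  "ipAddress": "203.0.113.45", "authenticationProtocol": "deviceCode",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
 {"id": "s3", "createdDateTime": "2025-04-28T09:20:05Z",
  "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
  "ipAddress": "203.0.113.45", "authenticationProtocol": "deviceCode",
  "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
 {"id": "s4", "createdDateTime": "2025-04-28T10:00:00Z",
  "userPrincipalName": "carol@example.com", "appDisplayName": "Teams",
  "ipAddress": "198.51.100.9", "authenticationProtocol": "none",
  "conditionalAccessStatus": "success", "status": {"errorCode": 0}}
]""")


def known_ips(records):
    """Per-user baseline of source IPs seen on sign-ins that did NOT use the
    device-code grant. In a device-code phish the token is issued to the
    attacker's polling host, so its IP is usually absent from this baseline."""
    ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            ips[r["userPrincipalName"]].add(r["ipAddress"])
    return ips


def find_device_code_signins(records):
    """Return one finding per sign-in that used the device authorization grant.
    A successful grant is rated high (tokens were issued); a failed one is
    rated medium because it still shows a user was walked into the flow."""
    baseline = known_ips(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        success = r.get("status", {}).get("errorCode", 0) == 0
        findings.append({
            "id": r["id"],
            "time": r["createdDateTime"],
            "user": user,
            "app": r.get("appDisplayName"),
            "ip": r["ipAddress"],
            "success": success,
            "new_ip": r["ipAddress"] not in baseline.get(user, set()),
            "ca_status": r.get("conditionalAccessStatus"),
            "severity": "high" if success else "medium",
        })
    return findings


def shared_source_ips(findings):
    """Heuristic (my own, not from the report): a single IP completing
    device-code grants for several distinct users looks like one kit backend
    polling the token endpoint on behalf of many victims."""
    users_by_ip = defaultdict(set)
    for f in findings:
        users_by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}


if __name__ == "__main__":
    hits = find_device_code_signins(SAMPLE_SIGNINS)
    for h in hits:
        print(f"[{h['severity']}] {h['time']} {h['user']} via {h['app']} "
              f"from {h['ip']} success={h['success']} new_ip={h['new_ip']}")
    for ip, users in shared_source_ips(hits).items():
        print(f"shared source {ip}: {', '.join(users)}")
```

Run against a real export, the same two functions apply unchanged: feed the JSON array returned by the sign-in log query instead of `SAMPLE_SIGNINS`. A high-severity hit whose `ca_status` is `notApplied` is the one to escalate first, since it means no Conditional Access policy evaluated the device-code grant at all.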
Operational Observations and Threat Landscape
- The resurgence of Tycoon2FA after disruption underscores the maturity and resilience of phishing-as-a-service (PhaaS) ecosystems, now expanded to include device-code phishing as a preferred modality among multiple kits.
- Security researchers note rapid adoption by operators, with multiple kits and platforms contributing to the surge in device-code phishing activity observed this year.
- The technique aligns with broader trends toward identity-centric attacks that abuse legitimate OAuth flows to obtain access tokens, thereby reducing friction for attackers and increasing the potential impact on target organizations.
Relation to Broader Coverage
- Reports and analyses from security researchers and incident responders describe device-code phishing as a proliferating tactic, supported by both public campaigns and private tooling.
- The Tycoon2FA development trajectory mirrors parallel observations of token-focused abuse and credential-relay variants, signaling a convergent evolution toward more automated and scalable identity compromise methods.
Notes on Documentation and Research Artifacts
- Researchers publish IoCs and workflow diagrams to illustrate the end-to-end flow from lure to token acquisition, aiding defenders in recognizing the telltale stages of these campaigns.
- Visual representations of the attack flow are used to communicate the layered delivery approach and the interaction with Microsoft’s device-login pathway.
Closing Context
Tycoon2FA's foray into device-code phishing reinforces the need for ongoing scrutiny of OAuth device flows and the integrity of third-party app consent processes within Microsoft 365 environments. The combination of legitimate service components, trackable URLs, and layered obfuscation makes these campaigns particularly challenging to stop without comprehensive monitoring of identity events, device registrations, and token issuance patterns. As attacks continue to adapt, the security community remains focused on identifying IoCs, understanding the evolving infrastructure, and mapping the full lifecycle of these device-code phishing operations.
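The report's first recommendation is to disable the device-code flow where it is not needed. In Entra ID that is done with a Conditional Access policy, and a common failure mode is a policy that exists but is left in report-only mode or scoped to a subset of users. The following is an added example, not from the original report or from Microsoft, of auditing exported policy documents for that gap. The policies are constructed; the `conditions.authenticationFlows.transferMethods` condition and its `deviceCodeFlow` value follow my reading of the Microsoft Graph conditionalAccessPolicy schema and should be checked against the current Graph reference before this is relied on.

```python
import copy

# Constructed policy documents shaped like the Microsoft Graph
# conditionalAccessPolicy resource. The first one is the weak setting:
# it targets the device-code flow and blocks it, but is only in report-only
# mode, so nothing is actually enforced.
SAMPLE_POLICIES = [
    {"displayName": "Block device code flow",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
         "applications": {"includeApplications": ["All"]},
         "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
         "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def _targets_device_code(policy):
    """True if the policy's authentication-flows condition names deviceCodeFlow.
    transferMethods is modelled as a comma-separated flag string (assumption)."""
    methods = (policy.get("conditions", {})
                     .get("authenticationFlows", {})
                     .get("transferMethods", ""))
    return "deviceCodeFlow" in [m.strip() for m in methods.split(",") if m]


def audit_device_code_block(policies):
    """Return (enforced, notes). enforced is True only when at least one
    enabled policy blocks deviceCodeFlow for all users; notes explain every
    candidate policy that falls short, plus exclusions on the enforcing one."""
    notes = []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        if not _targets_device_code(p):
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if "block" not in controls:
            notes.append(f"{name}: targets device code flow but grant control is {controls}, not block")
            continue
        if p.get("state") != "enabled":
            notes.append(f"{name}: blocks device code flow but state is {p.get('state')}")
            continue
        users = p.get("conditions", {}).get("users", {})
        if "All" not in users.get("includeUsers", []):
            notes.append(f"{name}: blocks device code flow but is not scoped to all users")
            continue
        excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        if excluded:
            notes.append(f"{name}: enforced, but {len(excluded)} exclusion(s) remain")
        return True, notes
    if not notes:
        notes.append("no policy targets deviceCodeFlow at all")
    return False, notes


def enforce_device_code_block(policy):
    """Return a corrected copy of a report-only device-code block policy with
    the state set to enabled; the original document is left untouched."""
    fixed = copy.deepcopy(policy)
    fixed["state"] = "enabled"
    return fixed


if __name__ == "__main__":
    ok, notes = audit_device_code_block(SAMPLE_POLICIES)
    print("device code flow blocked:", ok)
    for n in notes:
        print(" -", n)
    fixed = [enforce_device_code_block(SAMPLE_POLICIES[0])] + SAMPLE_POLICIES[1:]
    print("after enabling the policy:", audit_device_code_block(fixed)[0])
```

The audit deliberately treats report-only as not enforced rather than as partial credit: a report-only policy produces the same Entra log evidence as no policy while the attacker's token request still succeeds. Before flipping the state to enabled in a real tenant, confirm that any legitimate device-code consumers (for example CLI tools on headless machines) are covered by a scoped exception rather than by leaving the flow open for everyone.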