Published on May 17, 2026
Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing
Severity
Medium
Detail
The phishing-as-a-service platform Tycoon2FA has evolved its tactics by adding support for device-code phishing attacks aimed at hijacking Microsoft 365 accounts. Despite a major law enforcement disruption earlier this year, the operation quickly rebuilt its infrastructure and resumed activity, now incorporating stronger obfuscation and anti-analysis protections.
Researchers observed the phishing kit abusing legitimate services such as Trustifi click-tracking URLs to make phishing emails appear more trustworthy and bypass security defenses. Security firms have also reported a sharp rise in device-code phishing attacks, showing how rapidly this method is being adopted by cybercriminals.
How?
The attack begins with a phishing email, often themed around invoices or business-related documents, containing a malicious Trustifi click-tracking link. When the victim clicks the link, they are redirected through several layers of obfuscated infrastructure, including Cloudflare Workers and hidden JavaScript code, before landing on a fake Microsoft CAPTCHA page.
The phishing page then retrieves a legitimate OAuth device code from the attacker’s backend and instructs the victim to enter the code at microsoft.com/devicelogin. Since the login occurs on Microsoft’s real authentication portal, victims are more likely to trust the process and complete multi-factor authentication (MFA) themselves.
Once the code is approved, Microsoft issues OAuth access and refresh tokens to the attacker-controlled device, effectively granting the threat actors persistent access to the victim’s Microsoft 365 environment, including email, calendars, and cloud storage services.
Tycoon2FA also includes advanced evasion capabilities. The kit actively detects security tools, automated scanners, VPNs, sandboxes, AI crawlers, and research environments. If suspicious activity is detected, the phishing pages redirect users to legitimate Microsoft pages to avoid raising alarms. Researchers noted that the kit’s internal blocklist already contains hundreds of vendor and analysis-related entries and is continuously updated.
Conclusion
The latest Tycoon2FA campaign highlights the growing popularity of device-code phishing attacks, which exploit legitimate authentication workflows instead of relying solely on stolen passwords. By combining trusted services, legitimate Microsoft login pages, and advanced anti-detection techniques, attackers can bypass traditional phishing defenses and even evade MFA protections.
Security experts recommend organizations disable OAuth device-code authentication when unnecessary, restrict third-party OAuth permissions, enforce stricter device access policies, and closely monitor authentication logs for unusual device-code activity. The campaign also demonstrates how phishing-as-a-service platforms continue to evolve rapidly, making modern phishing attacks increasingly difficult to detect and prevent.
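As an added, defender-side example that is not part of the original advisory, the script below applies the last recommendation above: it scans constructed sign-in records for device-code authentications that come from a country the user has never used for an ordinary sign-in, or that target an application not approved for the device-code flow. The record field names and the approved-app allowlist are assumptions, not a documented Microsoft schema.

```python
import json
from collections import defaultdict

# Constructed sample records, loosely modelled on an Entra ID sign-in log
# export. The field names below are an assumption, not a documented schema.
SAMPLE_SIGNINS_JSON = """[
 {"user": "alice@example.com", "protocol": "authorizationCode", "country": "DE",
  "ip": "203.0.113.10", "app": "Microsoft Teams", "time": "2026-05-15T08:02:11Z"},
 {"user": "alice@example.com", "protocol": "authorizationCode", "country": "DE",
  "ip": "203.0.113.10", "app": "Office 365 Exchange Online", "time": "2026-05-15T09:15:40Z"},
 {"user": "alice@example.com", "protocol": "deviceCode", "country": "NL",
  "ip": "198.51.100.77", "app": "Microsoft Office", "time": "2026-05-16T10:41:03Z"},
 {"user": "bob@example.com", "protocol": "authorizationCode", "country": "US",
  "ip": "203.0.113.22", "app": "Microsoft Teams", "time": "2026-05-16T11:00:00Z"},
 {"user": "bob@example.com", "protocol": "deviceCode", "country": "US",
  "ip": "203.0.113.22", "app": "Azure CLI", "time": "2026-05-16T11:05:30Z"}
]"""

# Applications an organisation has decided legitimately need the device-code
# flow (assumed allowlist; replace with what is actually approved in your tenant).
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def load_signins(raw_json):
    """Parse the exported sign-in records into a list of dicts."""
    return json.loads(raw_json)


def find_suspicious_device_code_signins(records):
    """Flag device-code sign-ins that (a) originate from a country the user has
    never used for an ordinary interactive sign-in, or (b) target an app that is
    not approved for the device-code flow. Returns one alert per flagged record."""
    baseline = defaultdict(set)  # user -> countries seen in non-device-code sign-ins
    for r in records:
        if r["protocol"] != "deviceCode":
            baseline[r["user"]].add(r["country"])
    alerts = []
    for r in records:
        if r["protocol"] != "deviceCode":
            continue
        reasons = []
        if r["country"] not in baseline[r["user"]]:
            reasons.append("country not in user's interactive baseline")
        if r["app"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("app not approved for device-code flow")
        if reasons:
            alerts.append({"user": r["user"], "ip": r["ip"], "app": r["app"],
                           "time": r["time"], "reasons": reasons})
    return alerts
```

Running `find_suspicious_device_code_signins(load_signins(SAMPLE_SIGNINS_JSON))` flags only alice's sign-in, which matches both conditions; bob's Azure CLI sign-in from his usual country passes.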