The Tycoon2FA phishing kit is leveraging device-code phishing attacks to hijack Microsoft 365 accounts, abusing legitimate Trustifi click-tracking URLs in invoice-themed lure emails to redirect victims through a multi-layer chain to a fake CAPTCHA page. The attack culminates with the victim pasting a device code from the attacker's backend into the legitimate microsoft.com/devicelogin page, granting the attacker OAuth tokens and full access to the account. This threat has rapidly rebounded after a law enforcement takedown and is now supported by multiple PhaaS platforms, indicating a significant surge in this attack vector.
Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing By Bill Toulas May 17, 2026 10:43 AM 0 The Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts. Despite an international law enforcement operation disrupting the Tycoon2FA phishing platform in March, the malicious operation was rebuilt on new infrastructure and quickly returned to regular activity levels. Earlier this month, Abnormal Security confirmed that Tycoon2FA had rebounded to normal operations and even added new obfuscation layers to strengthen its resilience against new disruption attempts. In late April, Tycoon2FA was observed in a campaign that leveraged the OAuth 2.0 device authorization grant flows to compromise Microsoft 365 accounts, indicating that the operator continues to develop the kit. Device code phishing is a type of attack in which threat actors send a device authorization request to the target service’s provider and forward the generated code to the victim, tricking them into entering it on the service’s legitimate login page. Doing so authorizes the attacker to register a rogue device with the victim’s Microsoft 365 account, giving them unrestricted access to the victim's data and services, including email, calendar, and cloud file storage. Push Security recently warned that this type of attack has increased by 37x this year , supported by at least ten distinct phishing-as-a-service (PhaaS) platforms and private kits. A more recent report by Proofpoint records a similar surge in the use of the tactic. Tycoon2FA adds device-code phishing According to new research from managed detection and response company eSentire, Tycoon2FA confirms that device code phishing has become highly popular among cybercriminals. “The attack begins when a victim clicks a Trustifi click-tracking URL in a lure email and culminates in the victim unknowingly granting OAuth tokens to an attacker-controlled device through Microsoft's legitimate device-login flow at microsoft.com/devicelogin,” explains eSentire . “Connecting those two endpoints is a four-layer in-browser delivery chain whose Tycoon 2FA tradecraft is virtually unchanged from the credential-relay variant TRU documented in April 2025 and the post-takedown variant documented in April 2026.” Trustifi is a legitimate email security platform that provides a range of tools integrated into various email services, including those from Microsoft and Google. However, eSentire does not know how the attackers came to use Trustifi. According to the researchers, the attack uses an invoice-themed phishing email containing a Trustifi tracking URL that redirects through Trustifi, Cloudflare Workers, and several obfuscated JavaScript layers, landing the victim on a fake Microsoft CAPTCHA page. The phishing page retrieves a Microsoft OAuth device code from the attacker's backend and instructs the victim to copy and paste it to ‘microsoft.com/devicelogin,’ after which the victim completes multi-factor authentication (MFA) on their end. After this step, Microsoft issues OAuth access and refresh tokens to the attacker-controlled device. Tycoon2FA attack flow Source: eSentire The Tycoon2FA phishing kit includes extensive protection against researchers and automated scanning, detecting Selenium, Puppeteer, Playwright, Burp Suite, blocking security vendors, VPNs, sandboxes, AI crawlers, and cloud providers, and using debugger timing traps. Requests from devices indicating an analysis environment are automatically redirected to a legitimate Microsoft page, eSentire says. The researchers have found that the kit’s blocklist currently contains 230 vendor names and is constantly updated. eSentire recommends disabling the OAuth device code flow when not needed, restricting OAuth consent permissions, requiring admin approval for third-party apps, enabling Continuous Access Evaluation (CAE), and enforcing compliant device access policies. Additionally, the researchers recommend monitoring Entra logs for deviceCode authentication, Microsoft Authentication Broker usage, and Node.js user agents. eSentire has published a set of indicators of compromise (IoCs) for the latest Tycoon2FA attacks to help defenders protect their environments. The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold. This guide covers the 6 surfaces you actually need to validate. Download Now Related Articles: Device code phishing attacks surge 37x as new kits spread online New EvilTokens service fuels Microsoft device code phishing attacks Tycoon2FA phishing platform returns after recent police disruption ConsentFix v3 attacks target Azure with automated OAuth abuse New VENOM phishing attacks steal senior executives' Microsoft logins