Tycoon2FA Device-Code Phishing Attack Targets Microsoft 365 Accounts
Tycoon2FA Phishing Kit Evolves to Include Device-Code Phishing Attacks
In a concerning development, the Tycoon2FA phishing kit has upgraded its capabilities to include device-code phishing attacks, compromising Microsoft 365 accounts by abusing Trustifi click-tracking URLs.
Despite being disrupted by an international law enforcement operation in March, the malicious operation was swiftly restored on new infrastructure and resumed its regular activities.
Device-Code Phishing Attack Methodology
Device-code phishing involves sending a device authorization request to the target service provider and forwarding the generated code to the victim, who is then tricked into entering it on the service’s legitimate login page.
This technique authorizes the attacker-controlled device to access the victim's account. Push Security recently warned that this type of attack has surged by 37 times this year, supported by at least ten distinct phishing-as-a-service (PhaaS) platforms and private kits.
The Role of Trustifi in the Attack
A recent report by Proofpoint recorded a similar increase in the use of this tactic.
The Tycoon2FA phishing kit has evolved to incorporate device-code phishing, according to research from managed detection and response company eSentire.
This attack begins when a victim clicks a Trustifi click-tracking URL in a lure and culminates in the victim unknowingly granting OAuth tokens to an attacker-controlled device through Microsoft’s legitimate device-login flow at microsoft.com/devicelogin.
The Four-Layer In-Browser Delivery Chain
The attack utilizes a four-layer in-browser delivery chain, with Tycoon2FA employing tradecraft virtually unchanged from the credential-relay variant that TRU (eSentire's Threat Response Unit) documented in April 2025 and the post-takedown variant documented in April 2026.
Trustifi is a legitimate security platform providing a range of tools integrated into various services, including those from Microsoft and Google.
How the Attackers Utilize Trustifi
eSentire does not know how the attackers came to use Trustifi.
The Invoice-Themed Phishing Page
According to the researchers, the attack uses an invoice-themed phishing email containing a Trustifi tracking URL that redirects through Trustifi, Cloudflare Workers, and several obfuscated JavaScript layers, ultimately landing the victim on a fake Microsoft CAPTCHA page.
The phishing page retrieves a Microsoft OAuth device code from the attacker’s backend and instructs the victim to copy and paste it to microsoft.com/devicelogin, after which the victim completes multi-factor authentication (MFA) on their end.
OAuth Tokens Issued to Attacker-Controlled Devices
After this step, Microsoft issues OAuth access and refresh tokens to the attacker-controlled device.
Protection Against Researchers and Automated Scanning
The Tycoon2FA phishing kit includes extensive protection against researchers and automated scanning: it detects Selenium, Puppeteer, Playwright, and Burp Suite; blocks security vendors, VPNs, sandboxes, AI crawlers, and cloud providers; and uses debugger timing traps.
Requests from devices indicating an analysis environment are automatically redirected to a legitimate Microsoft page, eSentire says.
Recommendations for Defenders
eSentire recommends disabling the OAuth device code flow when not needed, restricting OAuth consent permissions, requiring admin approval for third-party apps, enabling Continuous Access Evaluation (CAE), and enforcing compliant device access policies.
Additionally, the researchers recommend monitoring Entra logs for deviceCode authentication, Microsoft Authentication Broker usage, and Node.js user agents.
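The three log signals named above (device-code authentication, Microsoft Authentication Broker usage, and Node.js user agents) can be checked together over exported Entra sign-in records. The script below is an added example written for this article, not eSentire's tooling or Microsoft's. It assumes Microsoft Graph signIn-style field names (authenticationProtocol, appId, appDisplayName, userAgent) and a Node.js user-agent marker list that is a constructed starting point; the Microsoft Authentication Broker application ID is an assumption from memory and should be verified against your tenant's own logs. The sample records are constructed, not real telemetry.

```python
"""Triage helper for Microsoft Entra sign-in log records (added example).

Flags device-code authentication, Microsoft Authentication Broker client usage,
and Node.js user agents, then ranks records by how many signals co-occur.
"""
import json

# Assumed application ID of the first-party "Microsoft Authentication Broker";
# verify it against your own tenant's sign-in logs before relying on it.
MS_AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
MS_AUTH_BROKER_NAME = "Microsoft Authentication Broker"

# Substrings typical of Node.js HTTP clients (constructed list; extend as needed).
NODE_UA_MARKERS = ("node", "axios/", "undici")

# Constructed sample records, not real telemetry. App IDs other than the broker
# are placeholders.
SAMPLE_SIGNIN_LOGS = [
    {"id": "1", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "appId": "placeholder-app-id-1",
     "appDisplayName": "Office 365 Exchange Online",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
     "ipAddress": "203.0.113.10"},
    {"id": "2", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "appId": MS_AUTH_BROKER_APP_ID,
     "appDisplayName": MS_AUTH_BROKER_NAME,
     "userAgent": "node-fetch/1.0 (+https://github.com/node-fetch/node-fetch)",
     "ipAddress": "198.51.100.7"},
    {"id": "3", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "deviceCode", "appId": "placeholder-app-id-2",
     "appDisplayName": "Microsoft Azure CLI",
     "userAgent": "python-requests/2.31", "ipAddress": "203.0.113.22"},
]


def signals_for(record: dict) -> list[str]:
    """Return the suspicious signals present in one sign-in record."""
    signals = []
    if record.get("authenticationProtocol") == "deviceCode":
        signals.append("device_code_auth")
    if (record.get("appId") == MS_AUTH_BROKER_APP_ID
            or record.get("appDisplayName") == MS_AUTH_BROKER_NAME):
        signals.append("auth_broker_client")
    user_agent = (record.get("userAgent") or "").lower()
    if any(marker in user_agent for marker in NODE_UA_MARKERS):
        signals.append("nodejs_user_agent")
    return signals


def severity(signals: list[str]) -> str:
    """Rank: device code plus any second signal is high; device code alone is
    medium (legitimate CLI use exists); other signals alone are low."""
    if not signals:
        return "none"
    if "device_code_auth" in signals:
        return "high" if len(signals) >= 2 else "medium"
    return "low"


def triage(records) -> list[dict]:
    """Build alerts for records with at least one signal, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    alerts = []
    for rec in records:
        sigs = signals_for(rec)
        if sigs:
            alerts.append({"id": rec.get("id"),
                           "user": rec.get("userPrincipalName"),
                           "ip": rec.get("ipAddress"),
                           "signals": sigs,
                           "severity": severity(sigs)})
    alerts.sort(key=lambda a: order[a["severity"]])
    return alerts


def triage_jsonl(text: str) -> list[dict]:
    """Convenience wrapper for a JSON-lines export of sign-in records."""
    return triage(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for alert in triage(SAMPLE_SIGNIN_LOGS):
        print(json.dumps(alert))
```

Device-code sign-ins are legitimate for tools such as CLI clients, so the ranking deliberately treats a lone deviceCode record as medium and escalates only when the broker client or a Node.js user agent appears alongside it; tune the user-agent markers and the broker ID to what your tenant actually logs.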
Indicators of Compromise (IoCs)
eSentire has published a set of indicators of compromise (IoCs) for the latest Tycoon2FA attacks to help defenders protect their environments.
