
Tycoon2FA Device Code Phishing

May 17, 2026 20:00 · 12 min read

Tycoon2FA Phishing Kit Evolves to Include Device Code Phishing

The Tycoon2FA phishing kit has been updated to support device-code phishing attacks, which abuse Trustifi click-tracking URLs to hijack Microsoft 365 accounts. Despite a recent international law enforcement operation disrupting the Tycoon2FA phishing platform in March, the malicious operation was rebuilt on new infrastructure and quickly returned to regular activity levels.

Abnormal Security confirmed that Tycoon2FA had rebounded to normal operations and even added new obfuscation layers to strengthen its resilience against new disruption attempts. In late April, Tycoon2FA was observed in a campaign that leveraged the OAuth 2.0 device authorization grant flows to compromise Microsoft 365 accounts.

Device Code Phishing Attacks

Device code phishing is a type of attack in which the threat actor initiates a device authorization request with the target service’s identity provider and forwards the generated user code to the victim, tricking them into entering it on the service’s legitimate login page. Doing so authorizes the attacker’s rogue device against the victim’s Microsoft 365 account, giving the attacker unrestricted access to the victim’s data and services, including email, calendar, and cloud file storage.

Push Security recently warned that this type of attack has increased by 37x this year, supported by at least ten distinct phishing-as-a-service (PhaaS) platforms and private kits. A more recent report by Proofpoint records a similar surge in the use of the tactic.

Tycoon2FA Attack Flow

According to new research from managed detection and response company eSentire, the Tycoon2FA attack begins when a victim clicks a Trustifi click-tracking URL in a lure email and culminates in the victim unknowingly granting OAuth tokens to an attacker-controlled device through Microsoft's legitimate device-login flow at microsoft.com/devicelogin.

The attack uses an invoice-themed phishing email containing a Trustifi tracking URL that redirects through Trustifi, Cloudflare Workers, and several obfuscated JavaScript layers, landing the victim on a fake Microsoft CAPTCHA page. The phishing page retrieves a Microsoft OAuth device code from the attacker's backend and instructs the victim to copy and paste it to ‘microsoft.com/devicelogin,’ after which the victim completes multi-factor authentication (MFA) on their end.

After this step, Microsoft issues OAuth access and refresh tokens to the attacker-controlled device. The Tycoon2FA phishing kit also includes extensive protection against researchers and automated scanning: it detects Selenium, Puppeteer, Playwright, and Burp Suite; blocks traffic from security vendors, VPNs, sandboxes, AI crawlers, and cloud providers; and uses debugger timing traps.

Recommendations

eSentire recommends disabling the OAuth device code flow when not needed, restricting OAuth consent permissions, requiring admin approval for third-party apps, enabling Continuous Access Evaluation (CAE), and enforcing compliant device access policies. Additionally, the researchers recommend monitoring Entra logs for deviceCode authentication, Microsoft Authentication Broker usage, and Node.js user agents.
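As an added illustration of the log-monitoring advice above (this is not code from eSentire or from the BleepingComputer report), the following Python triage pass flags the three indicators over constructed sign-in records shaped like Microsoft Graph signIn objects. The field names authenticationProtocol, appDisplayName and userAgent are assumed from the Graph schema; the sample values are made up.

```python
import re

# Constructed sample sign-in events in the shape of Microsoft Graph signIn
# objects (only the fields the checks need; all values are made up).
SAMPLE_SIGNINS = [
    {"id": "evt-1", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Authentication Broker",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"id": "evt-2", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Teams/1.6"},
    {"id": "evt-3", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Office",
     "userAgent": "node/18.17.0"},
    {"id": "evt-4", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook Web App",
     "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)"},
]

# Matches "node", "node.js", "nodejs" or "node/<version>" as a token, not "nodes".
NODE_UA = re.compile(r"\bnode(?:\.?js)?(?:/|\b)", re.IGNORECASE)


def signin_findings(event: dict) -> list[str]:
    """Return the indicator labels that fire for one sign-in event."""
    findings = []
    if event.get("authenticationProtocol") == "deviceCode":
        findings.append("device_code_flow")
    if (event.get("appDisplayName") or "").lower() == "microsoft authentication broker":
        findings.append("auth_broker_client")
    if NODE_UA.search(event.get("userAgent") or ""):
        findings.append("nodejs_user_agent")
    return findings


def triage(events: list[dict]) -> dict[str, dict]:
    """Group firing events per user. A device-code sign-in combined with any
    second indicator is rated high; a single indicator is rated medium."""
    report: dict[str, dict] = {}
    for ev in events:
        hits = signin_findings(ev)
        if not hits:
            continue
        entry = report.setdefault(ev["userPrincipalName"],
                                  {"events": [], "findings": set(), "severity": "medium"})
        entry["events"].append(ev["id"])
        entry["findings"].update(hits)
        if "device_code_flow" in hits and len(hits) > 1:
            entry["severity"] = "high"
    return report
```

The same checks translate directly to a scheduled query over the Entra sign-in log export, with the broker app name and the deviceCode protocol value as the fields to pivot on.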

eSentire has published a set of indicators of compromise (IoCs) for the latest Tycoon2FA attacks to help defenders protect their environments. The Tycoon2FA phishing kit’s blocklist currently contains 230 vendor names and is constantly updated.


Source: BleepingComputer
