Tycoon 2FA Exploits OAuth Device Code to Bypass Microsoft 365 MFA, Reviving Phishing Threats

Tycoon 2FA Operators Exploit OAuth Device Code to Bypass Multi-Factor Authentication

Cybercriminals operating the Tycoon 2FA phishing kit have recently enhanced their tactics by integrating OAuth Device Code phishing, enabling them to access Microsoft 365 accounts without obtaining user passwords. This development marks a significant evolution in their methods, allowing them to circumvent multi-factor authentication (MFA) mechanisms effectively.

Background on Tycoon 2FA

Tycoon 2FA emerged as a Phishing-as-a-Service (PhaaS) platform designed to help attackers bypass MFA protections. Using adversary-in-the-middle (AiTM) techniques, the kit intercepts user credentials and session tokens in real time, enabling unauthorized access to services such as Microsoft 365 and Gmail. Despite a coordinated takedown in March 2026 by Microsoft and Europol, which led to the seizure of 330 domains associated with Tycoon 2FA, the operators quickly adapted and resumed their malicious activities.

Integration of OAuth Device Code Phishing

In late April 2026, cybersecurity analysts at eSentire’s Threat Response Unit (TRU) identified a new campaign by Tycoon 2FA operators. This campaign combined the existing phishing infrastructure with OAuth Device Code abuse, a method that exploits the OAuth 2.0 Device Authorization Grant flow. Originally designed for devices with limited input capabilities, such as smart TVs, this flow allows users to authenticate by entering a short code on a separate device. Attackers have repurposed this mechanism to deceive users into granting access to their accounts.

Attack Methodology

The attack begins with a phishing email containing a link that appears to be from Trustifi, a legitimate enterprise email security platform. By leveraging Trustifi’s reputable domain, the attackers increase the likelihood of bypassing email security filters. Upon clicking the link, the victim is redirected through multiple layers designed to evade detection, including encrypted payloads, anti-analysis checks, and a fake Microsoft CAPTCHA page. Notably, the delivery chain incorporates a vendor blocklist covering over 230 organizations to ensure that only genuine targets reach the final stage.

At the culmination of this process, the victim encounters a phishing page mimicking a Microsoft 365 voicemail notification. The page instructs the user to copy a device code and visit the legitimate Microsoft device login page at microsoft.com/devicelogin. Unaware of the deception, the victim enters the code, triggering the standard MFA process. By completing the MFA challenge, the victim inadvertently grants the attackers access to their Microsoft 365 account.

Implications and Recommendations

This sophisticated attack underscores the evolving nature of phishing threats and the importance of continuous vigilance. Organizations and individuals should consider the following recommendations to mitigate the risk of such attacks:

1. User Education: Regularly educate users about emerging phishing techniques, emphasizing the importance of verifying unexpected authentication requests and being cautious with unsolicited emails.

2. Enhanced Monitoring: Implement monitoring solutions capable of detecting unusual authentication patterns, such as multiple device code requests or logins from unfamiliar locations.

3. Security Updates: Ensure that all systems and applications are up to date with the latest security patches to protect against known vulnerabilities.

4. Multi-Factor Authentication: While MFA is a critical security measure, be aware of its limitations and consider additional layers of security, such as conditional access policies and behavioral analytics.

5. Incident Response Planning: Develop and regularly update incident response plans to address potential breaches promptly and effectively.
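The monitoring recommendation above (unusual authentication patterns, repeated device code requests, unfamiliar locations) can be turned into a concrete check over sign-in records. The script below is an added example written for this article; it is not code from eSentire, Microsoft or the Tycoon 2FA analysis. The record shape (fields `protocol`, `ip`, `country`, `app`) is a simplified assumption loosely modelled on the fields Microsoft Entra sign-in logs expose, and all sample sign-ins and baseline countries are constructed for illustration.

```python
"""Flag OAuth device-code-flow sign-ins in constructed Entra-style sign-in records.

The record layout below is an assumption for this example, not the real
sign-in log schema; the sample data is constructed and belongs to no tenant.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (newline-delimited JSON).
# alice completes two device-code sign-ins minutes apart from a country she has
# never signed in from; bob uses device code once from his usual country.
SAMPLE_SIGNINS = """\
{"time": "2026-04-28T09:01:12Z", "user": "alice@example.com", "protocol": "ropc", "ip": "203.0.113.10", "country": "US", "app": "Outlook", "result": "success"}
{"time": "2026-04-28T09:05:40Z", "user": "alice@example.com", "protocol": "deviceCode", "ip": "198.51.100.7", "country": "NL", "app": "Microsoft Office", "result": "success"}
{"time": "2026-04-28T09:06:03Z", "user": "alice@example.com", "protocol": "deviceCode", "ip": "198.51.100.7", "country": "NL", "app": "Microsoft Office", "result": "success"}
{"time": "2026-04-28T09:30:00Z", "user": "bob@example.com", "protocol": "deviceCode", "ip": "203.0.113.55", "country": "US", "app": "Azure CLI", "result": "success"}
{"time": "2026-04-28T10:12:19Z", "user": "carol@example.com", "protocol": "browser", "ip": "203.0.113.20", "country": "US", "app": "Teams", "result": "success"}
"""

# Constructed per-user baseline: countries seen in each user's normal activity.
BASELINE_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
    "carol@example.com": {"US"},
}


def parse_signins(ndjson_text):
    """Parse newline-delimited JSON sign-ins into dicts, converting 'time' to datetime."""
    records = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def device_code_signins(records):
    """Every sign-in completed through the device authorization grant is worth
    review: most interactive users never legitimately use this flow."""
    return [r for r in records if r["protocol"] == "deviceCode"]


def detect_anomalies(records, baseline, window=timedelta(minutes=10), repeat_threshold=2):
    """Return alerts for (a) device-code sign-ins from outside a user's baseline
    countries and (b) users with repeat_threshold or more device-code sign-ins
    inside one time window."""
    alerts = []
    by_user = defaultdict(list)
    for r in device_code_signins(records):
        by_user[r["user"]].append(r)
        known = baseline.get(r["user"], set())
        if r["country"] not in known:
            alerts.append({"type": "device_code_unfamiliar_location", "user": r["user"],
                           "country": r["country"], "ip": r["ip"],
                           "time": r["time"].isoformat()})
    for user, events in by_user.items():
        # Sliding window over the user's (time-sorted) device-code events.
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e["time"] - first["time"] <= window]
            if len(in_window) >= repeat_threshold:
                alerts.append({"type": "device_code_repeated", "user": user,
                               "count": len(in_window), "start": first["time"].isoformat()})
                break  # one repeat alert per user is enough
    return alerts


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for alert in detect_anomalies(recs, BASELINE_COUNTRIES):
        print(alert)
```

On the constructed data this raises three alerts, all for alice: two unfamiliar-location hits and one repeated-use hit, while bob's single device-code sign-in from his baseline country stays quiet. In practice the baseline would come from a longer history than a single day, and the two signals pair naturally with the conditional access recommendation above: Entra ID Conditional Access can restrict the device code authentication flow for users and groups that have no legitimate need for it, which removes the flow from the attacker's reach rather than merely detecting its use.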

By staying informed about the latest phishing tactics and implementing comprehensive security measures, organizations can better protect themselves against sophisticated threats like those posed by Tycoon 2FA operators.