May 25, 2026
By esentry Team

Tycoon2FA Evolves with Device-Code Phishing Targeting Microsoft 365 Accounts

May Day May Day!!

A wild kid on the threat block is back!!!, and this time they are back with enhanced capabilities, introducing device-code phishing attacks that exploit legitimate Microsoft authentication workflows to compromise Microsoft 365 accounts.

Recent campaigns show that Tycoon2FA is no longer relying solely on traditional credential harvesting. Instead, it is leveraging OAuth device authorization flows, enabling attackers to bypass password protections and even multi-factor authentication (MFA) by tricking victims into authorizing attacker-controlled devices.

Attack Mapping

The attack begins with a highly convincing phishing email, often themed around invoices or urgent business communications. What makes this campaign particularly deceptive is the use of Trustifi click-tracking URLs, which are part of a legitimate email security platform. This adds a layer of trust and increases the likelihood of user interaction.

Once a victim clicks the link, they are redirected through a multi-stage delivery chain, typically involving:

  • Trustifi tracking infrastructure
  • Cloudflare Workers
  • Obfuscated JavaScript redirectors

This chain ultimately leads the victim to a fake Microsoft CAPTCHA page, designed to appear legitimate while preparing them for the next stage of the attack.

From there, the victim is presented with a device code and instructed to navigate to:

https://microsoft.com/devicelogin

and enter the provided code.

Because this is a legitimate Microsoft endpoint, the process appears safe to the user. After entering the code and completing authentication (including MFA), Microsoft grants OAuth access and refresh tokens, but crucially, these tokens are issued to an attacker-controlled device.

At this point, the attacker gains persistent access to the victim’s Microsoft 365 environment, including:

  • Email (Outlook)
  • Files (OneDrive, SharePoint)
  • Calendar and collaboration tools
  • Documents stored in the cloud
  • Shared files
  • Business applications
  • Sensitive internal information

Other New Detected capabilities of Tycoon2FA include:

  • Selenium detection
  • Identification of Puppeteer and Playwright
  • Blocking of analysis tools
  • VPN filtering
  • Sandbox detection
  • Protection against automated trackers
  • Identification of cloud environments

Relevant Network and Domain Indicators

While not inherently malicious, the following domains and services are involved in the attack chain and should be monitored in context:

  • microsoft.com/devicelogin
  • trustifi.com (click-tracking URLs)
  • workers.dev (Cloudflare Workers infrastructure)

Endpoint and Behavioral Indicators

  • Browser sessions involving heavily obfuscated JavaScript redirects
  • User agents associated with scripting environments (e.g., Node.js) during authentication sequences
  • Redirection loops or CAPTCHA pages that do not behave like standard Microsoft flows

The phishing kit itself is also highly evasive and includes detection mechanisms for:

  • Security tools like Burp Suite and browser automation frameworks
  • Sandboxes and cloud-based analysis environments
  • VPNs and known security vendor infrastructure

Recommendations

Access controls should be tightened by enforcing:

  • Admin approval for OAuth app registrations
  • Restricted user consent permissions
  • Device compliance policies, ensuring only managed devices can access corporate resources

Security teams should also monitor for:

  • OAuth consent events initiated by users who do not typically register devices
  • Sudden creation of new “trusted” devices linked to accounts
  • Token-based access from new geolocations or inconsistent user behavior patterns

Finally, user awareness remains critical. Employees should be educated that legitimate services will rarely require them to manually enter a device code received via email, especially in unsolicited communications.

Remember to stay steps ahead, you have to think beyond credentials! Monitor behavior ! Defend identity!