Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing

Brownie2019 (Thread author)
The Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts.

Despite an international law enforcement operation disrupting the Tycoon2FA phishing platform in March, the malicious operation was rebuilt on new infrastructure and quickly returned to regular activity levels.

Earlier this month, Abnormal Security confirmed that Tycoon2FA had rebounded to normal operations and even added new obfuscation layers to strengthen its resilience against new disruption attempts.

In late April, Tycoon2FA was observed in a campaign that leveraged the OAuth 2.0 device authorization grant flows to compromise Microsoft 365 accounts, indicating that the operator continues to develop the kit.

Device code phishing is a type of attack in which threat actors send a device authorization request to the target service’s provider and forward the generated code to the victim, tricking them into entering it on the service’s legitimate login page.

Doing so authorizes the attacker to register a rogue device with the victim’s Microsoft 365 account, giving them unrestricted access to the victim's data and services, including email, calendar, and cloud file storage.
Tycoon2FA moving into device-code phishing is a notable escalation because it can bypass the usual “fake login page” warning signs.

Why this matters

Traditional phishing often depends on stealing credentials on a spoofed page. Device-code phishing is different:

  • The victim is sent to a legitimate Microsoft sign-in page
  • They enter a real device code generated through the OAuth device authorization flow
  • That action can authorize the attacker’s session or device without the victim realizing what they actually approved

That makes the attack more convincing, especially for users who have learned to check whether a login page is genuine.

Important limitation

The article’s reporting may be accurate, but specific details of a live campaign, infrastructure, or exact success conditions should still be confirmed through Microsoft guidance, incident reports, or security vendor analysis before treating every detail as established fact.

Why abuse of click-tracking links is useful to attackers

Using a legitimate email security or marketing redirect service such as Trustifi click-tracking can help phishing campaigns in a few ways:

  • It can make links appear less suspicious to recipients
  • It may help evade simple reputation-based filters
  • It adds an additional redirect layer, which can complicate analysis

That does not make the tracking service itself malicious, but it shows how legitimate services can be abused as part of delivery.

Best defensive steps for Microsoft 365 environments

  • Train users that they should never enter a device code unless they personally initiated sign-in on a trusted device
  • Review Microsoft Entra ID sign-in logs and audit logs for unusual device authorization activity
  • Restrict or monitor OAuth and device code flows where operationally possible
  • Enforce phishing-resistant MFA where possible, such as passkeys or FIDO2 security keys
  • Review consented apps, registered devices, mailbox rules, and forwarding settings after any suspected compromise
  • Revoke suspicious sessions and refresh tokens immediately if account takeover is suspected

For individual users

  • Be cautious of emails asking you to “verify,” “approve,” or “enter a code” even if the page is a real Microsoft page
  • If you did not start the login process yourself, do not complete it
  • Change the password and revoke active sessions if you think you approved a malicious request

Bottom line

This is a good example of phishing evolving away from obvious fake pages and toward abuse of legitimate authentication workflows. The most effective defense is user awareness combined with strong sign-in controls, session review, and rapid token revocation after suspicious activity.

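Added example, not from the BleepingComputer article or the post above: a small triage script for the "review Entra ID sign-in logs for unusual device authorization activity" step. It reads sign-in records shaped like a subset of the Microsoft Graph `signIn` resource (the `authenticationProtocol` value `deviceCode` marks a sign-in completed through the OAuth 2.0 device authorization grant described in the post), builds a per-user baseline of countries seen in non-device-code sign-ins, rates each device-code sign-in against that baseline, and pivots on source IPs that drove device-code attempts for more than one account. All records, users, IPs and app names are constructed for this example; the field names follow the Graph schema but the data is not from any real tenant.

```python
"""Triage Microsoft Entra sign-in records for device-code flow sign-ins.

Added example (not from the article or the post). Record shape is a subset of
the Microsoft Graph `signIn` resource; the records themselves are constructed.
"""
import json
from collections import defaultdict

# Constructed sample sign-in records (not real tenant data). Field names follow
# the Microsoft Graph signIn resource; authenticationProtocol == "deviceCode"
# marks a sign-in completed through the OAuth 2.0 device authorization grant.
SAMPLE_SIGNINS_JSON = """
[
  {"id": "s1", "createdDateTime": "2025-05-02T08:01:12Z",
   "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
   "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.10",
   "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
  {"id": "s2", "createdDateTime": "2025-05-02T09:15:44Z",
   "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
   "appDisplayName": "Example Device App", "ipAddress": "203.0.113.7",
   "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
  {"id": "s3", "createdDateTime": "2025-05-02T09:20:03Z",
   "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
   "appDisplayName": "Example Device App", "ipAddress": "198.51.100.22",
   "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
  {"id": "s4", "createdDateTime": "2025-05-01T17:40:00Z",
   "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
   "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.22",
   "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
  {"id": "s5", "createdDateTime": "2025-05-02T10:02:19Z",
   "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
   "appDisplayName": "Example Device App", "ipAddress": "203.0.113.7",
   "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}}
]
"""


def load_signins(raw_json):
    """Parse an exported JSON array of sign-in records into dicts."""
    return json.loads(raw_json)


def interactive_baseline(signins):
    """Countries each user has successfully signed in from with any protocol
    other than device code: a crude 'where does this user normally sign in
    from' reference for comparing device-code sign-ins against."""
    baseline = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            continue
        if s["status"]["errorCode"] != 0:
            continue
        baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return baseline


def triage_device_code(signins):
    """Return one finding per device-code sign-in, rated by how far it deviates
    from the user's interactive baseline. Every successful device-code sign-in
    is at least 'medium' because the user must confirm they initiated it."""
    baseline = interactive_baseline(signins)
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        succeeded = s["status"]["errorCode"] == 0
        if not succeeded:
            severity, reason = "info", "device-code sign-in failed"
        elif country not in baseline.get(user, set()):
            severity = "high"
            reason = (f"successful device-code sign-in from {country}, "
                      "outside the user's interactive baseline")
        else:
            severity = "medium"
            reason = "successful device-code sign-in inside baseline; confirm the user initiated it"
        findings.append({
            "id": s["id"], "time": s["createdDateTime"], "user": user,
            "ip": s["ipAddress"], "country": country, "app": s["appDisplayName"],
            "severity": severity, "reasons": [reason],
        })
    return findings


def shared_source_ips(findings):
    """Source IPs that attempted device-code sign-ins for more than one user.
    One IP driving device-code sign-ins across several accounts points to a
    campaign rather than an isolated event, so check it before closing any
    single finding."""
    users_by_ip = defaultdict(set)
    for f in findings:
        users_by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    results = triage_device_code(load_signins(SAMPLE_SIGNINS_JSON))
    for f in sorted(results, key=lambda f: f["time"]):
        print(f"[{f['severity']:<6}] {f['time']} {f['user']} {f['ip']} ({f['country']}) "
              f"{f['app']}: {'; '.join(f['reasons'])}")
    for ip, users in shared_source_ips(results).items():
        print(f"pivot: {ip} used for device-code sign-ins by {', '.join(users)}")
```

On the constructed data the script rates alice's device-code sign-in from a country she has never signed in from interactively as high, bob's in-baseline one as medium (still needs the user to confirm they started it), and carol's failed attempt as informational, then surfaces that alice's and carol's attempts came from the same source IP. High findings map directly onto the post's response steps: revoke sessions and refresh tokens, then review registered devices, consented apps, mailbox rules and forwarding for that account. For the "restrict device code flows" step itself, Entra Conditional Access can block the device code flow as an authentication flow condition; this script only helps find what such a policy would have stopped.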