The Tycoon2FA phishing kit has added support for device-code phishing attacks and is now abusing Trustifi click-tracking URLs to steal access to Microsoft 365 accounts.

The malicious platform was disrupted in March during an international law enforcement operation, but the operators quickly rebuilt it on new infrastructure and brought it back to regular activity levels. Earlier this month, Abnormal Security said Tycoon2FA had returned to normal operations and had added new obfuscation layers to make future takedown attempts harder.

In late April, researchers observed Tycoon2FA being used in a campaign that abused the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 accounts. This shows that the operators behind the kit are continuing to improve its capabilities.

Device code phishing works by having attackers generate a device authorization request from a legitimate service provider and then trick the victim into entering the code on the real login page. Once the victim enters the code and completes authentication, the attacker can register a rogue device with the victim’s Microsoft 365 account. This can give them access to emails, calendars, cloud files, and other connected services.

Push Security recently warned that device code phishing has increased sharply this year, with at least ten phishing-as-a-service platforms and private kits supporting the tactic. Proofpoint has also reported a similar rise in these attacks.

According to new research from eSentire, Tycoon2FA’s adoption of device code phishing shows how popular this method has become among cybercriminals. The attack begins when a victim clicks a Trustifi click-tracking URL in a phishing email. The link redirects through Trustifi, Cloudflare Workers, and several layers of obfuscated JavaScript before landing the victim on a fake Microsoft CAPTCHA page.


From there, the phishing page retrieves a Microsoft OAuth device code from the attacker’s backend and tells the victim to copy and paste it into Microsoft’s legitimate device login page at microsoft.com/devicelogin. The victim then completes multi-factor authentication, believing they are following a normal Microsoft sign-in process. After that, Microsoft issues OAuth access and refresh tokens to the attacker-controlled device.

Trustifi is a legitimate email security platform that offers tools integrated with Microsoft and Google email services. However, eSentire said it is not clear how the attackers were able to use Trustifi in the campaign.

The latest Tycoon2FA kit also includes strong protection against researchers and automated scanners. It fingerprints automation frameworks and analysis environments such as Selenium, Puppeteer, Playwright, Burp Suite, VPNs, sandboxes, cloud providers, and AI crawlers, and it uses debugger timing traps to catch attached debuggers. If the system detects signs of analysis, the request is redirected to a legitimate Microsoft page.

eSentire said the kit’s blocklist currently includes 230 vendor names and is being updated regularly. To reduce the risk from these attacks, the researchers recommend disabling OAuth device code flow when it is not needed, limiting OAuth consent permissions, requiring admin approval for third-party apps, enabling Continuous Access Evaluation, and enforcing compliant device access policies.

They also advise defenders to monitor Entra logs for deviceCode authentication, Microsoft Authentication Broker usage, and Node.js user agents. eSentire has also released indicators of compromise for the latest Tycoon2FA attacks to help organizations detect and block related activity.
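The monitoring advice above (device code authentication, Microsoft Authentication Broker usage, and Node.js user agents in Entra sign-in logs) can be turned into a simple triage rule. The following is an added example written for this article, not code from eSentire or the Tycoon2FA research; it runs over constructed sign-in records whose field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol`, `appDisplayName`, `userAgent`). The sample values, the scoring thresholds, and the "node" user-agent substring heuristic are assumptions for illustration, not published detection logic.

```python
import json
from typing import Dict, List

# Constructed sample Entra ID sign-in records (made-up values, not real telemetry).
# Field names follow the Microsoft Graph signIn resource.
SAMPLE_SIGNIN_LOGS: List[Dict] = [
    {"id": "evt-1", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online",
     "authenticationProtocol": "oAuth2",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
     "ipAddress": "203.0.113.10"},
    {"id": "evt-2", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode",
     "userAgent": "node-fetch/1.0 (+https://github.com/node-fetch/node-fetch)",
     "ipAddress": "198.51.100.7"},
    {"id": "evt-3", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode",
     "userAgent": "python-requests/2.31.0",
     "ipAddress": "203.0.113.22"},
    {"id": "evt-4", "userPrincipalName": "dave@example.com",
     "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0",
     "ipAddress": "203.0.113.31"},
]

# Hypothetical thresholds: one indicator alone is common in legitimate use
# (e.g. Azure CLI device code sign-ins), so only stacked indicators rank high.
SEVERITY_BY_SCORE = {1: "low", 2: "medium", 3: "high"}


def parse_ndjson(text: str) -> List[Dict]:
    """Parse newline-delimited JSON as exported from Entra sign-in logs."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate_signin(record: Dict) -> List[str]:
    """Return the list of indicators from the article that a record matches."""
    reasons = []
    # Indicator 1: the sign-in used the OAuth device authorization grant.
    if record.get("authenticationProtocol") == "deviceCode":
        reasons.append("device code authentication")
    # Indicator 2: the client application is Microsoft Authentication Broker,
    # the app a rogue device registration typically signs in as.
    if record.get("appDisplayName") == "Microsoft Authentication Broker":
        reasons.append("Microsoft Authentication Broker client")
    # Indicator 3: a Node.js-style user agent instead of a browser or native
    # Microsoft client. Substring match is a simplifying assumption.
    user_agent = (record.get("userAgent") or "").lower()
    if "node" in user_agent:
        reasons.append(f"Node.js-style user agent: {record.get('userAgent')}")
    return reasons


def triage(records: List[Dict]) -> List[Dict]:
    """Score every record and return the matching ones, highest severity first."""
    hits = []
    for record in records:
        reasons = evaluate_signin(record)
        if not reasons:
            continue
        hits.append({
            "id": record.get("id"),
            "user": record.get("userPrincipalName"),
            "ip": record.get("ipAddress"),
            "severity": SEVERITY_BY_SCORE[len(reasons)],
            "reasons": reasons,
        })
    # Highest score first; stable tie-break on event id for deterministic output.
    hits.sort(key=lambda h: (-len(h["reasons"]), h["id"]))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_SIGNIN_LOGS):
        print(f"[{hit['severity']:>6}] {hit['id']} {hit['user']} from {hit['ip']}: "
              + "; ".join(hit["reasons"]))
```

In practice the same three conditions map onto a KQL query over the `SigninLogs` table, with the "high" tier (device code plus Authentication Broker plus a non-browser user agent from an unfamiliar IP) being the one worth alerting on and the "low" tier being an inventory of who legitimately uses device code flow before it is disabled by policy.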
