The Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts.

Despite an international law enforcement operation disrupting the Tycoon2FA phishing platform in March, the malicious operation was rebuilt on new infrastructure and quickly returned to regular activity levels.

Earlier this month, Abnormal Security confirmed that Tycoon2FA had rebounded to normal operations and even added new obfuscation layers to strengthen its resilience against new disruption attempts.

In late April, Tycoon2FA was observed in a campaign that leveraged the OAuth 2.0 device authorization grant flow (RFC 8628) to compromise Microsoft 365 accounts, indicating that the operator continues to develop the kit.

Device code phishing is a type of attack in which the threat actor starts an OAuth 2.0 device authorization request with the target service's identity provider, receives the short user code the provider generates, and forwards that code to the victim in a lure, tricking them into entering it on the service's legitimate login page. Because the victim signs in, and completes MFA, on the real login page, no password is captured; instead, the provider issues access and refresh tokens to the attacker-controlled client that requested the code, which then polls the token endpoint until the victim has finished.
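As an added illustration, not code from the Tycoon2FA kit, the article, or any vendor, the block below models the exchange in Python: a constructed, in-memory stand-in for the identity provider's device-authorization and token endpoints (behaviour per RFC 8628, endpoint paths in the comments mirror Microsoft's documented v2.0 endpoints), an attacker that requests a code and polls for tokens, and a victim who either does or does not enter the code on the legitimate page. The client ID, victim address, lure text and timings are all assumptions, and a simulated clock replaces real waiting, so the whole thing runs offline.

```python
"""Offline model of OAuth 2.0 device-code phishing (RFC 8628).
Everything here is constructed for illustration; nothing touches the network."""
import secrets
import string

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits
CLIENT_ID = "attacker-chosen-client-id"   # placeholder for whatever client the kit impersonates


class IdentityProvider:
    """Minimal stand-in for an IdP such as Microsoft Entra ID.
    Real endpoints: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode
    and .../oauth2/v2.0/token; the session store below is a constructed simplification."""

    def __init__(self, expires_in=900, interval=5):
        self.expires_in = expires_in   # seconds the user_code stays valid
        self.interval = interval       # minimum seconds between token polls
        self._sessions = {}            # device_code -> session state
        self._user_codes = {}          # user_code -> device_code

    # POST /devicecode, called by the attacker's tooling, not the victim
    def device_authorization(self, client_id, scope, now):
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._sessions[device_code] = {
            "client_id": client_id, "scope": scope, "subject": None,
            "expires_at": now + self.expires_in, "last_poll": None,
        }
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.expires_in, "interval": self.interval}

    # The legitimate login page: the victim signs in (with MFA) and types the user_code.
    def verify_user_code(self, user_code, subject, now):
        device_code = self._user_codes.get(user_code)
        if device_code is None or now > self._sessions[device_code]["expires_at"]:
            return False
        self._sessions[device_code]["subject"] = subject
        return True

    # POST /token, polled by whoever holds device_code: the attacker
    def token(self, grant_type, device_code, client_id, now):
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        session = self._sessions.get(device_code)
        if session is None or session["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > session["expires_at"]:
            return {"error": "expired_token"}
        if session["last_poll"] is not None and now - session["last_poll"] < self.interval:
            return {"error": "slow_down"}
        session["last_poll"] = now
        if session["subject"] is None:
            return {"error": "authorization_pending"}
        # Tokens are issued to the client that requested the code, i.e. the attacker.
        return {"token_type": "Bearer", "scope": session["scope"],
                "subject": session["subject"],
                "access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32)}


def run_device_code_phish(idp, victim_enters_code, victim="victim@example.com",
                          victim_delay=120):
    """Walk the attack end to end on a simulated clock and return what the attacker gets."""
    now = 0
    # 1. Attacker requests a device code; no victim interaction yet.
    grant = idp.device_authorization(CLIENT_ID, "openid offline_access Mail.Read", now)
    # 2. Attacker sends the user_code to the victim in a lure (constructed text).
    lure = f"Enter code {grant['user_code']} at {grant['verification_uri']} to open the document"
    # 3. First poll: the IdP answers authorization_pending until the victim acts.
    first_poll = idp.token(DEVICE_CODE_GRANT, grant["device_code"], CLIENT_ID, now)
    # 4. The victim may complete the real login and enter the code.
    if victim_enters_code:
        now += victim_delay
        idp.verify_user_code(grant["user_code"], victim, now)
    # 5. Attacker keeps polling at the advertised interval until the session resolves.
    result = first_poll
    while result.get("error") in ("authorization_pending", "slow_down"):
        now += grant["interval"]
        result = idp.token(DEVICE_CODE_GRANT, grant["device_code"], CLIENT_ID, now)
    outcome = "compromised" if "access_token" in result else result["error"]
    return {"outcome": outcome, "lure": lure, "first_poll": first_poll,
            "token": result, "elapsed": now}


if __name__ == "__main__":
    print(run_device_code_phish(IdentityProvider(), victim_enters_code=True)["outcome"])
    print(run_device_code_phish(IdentityProvider(), victim_enters_code=False)["outcome"])
```

The point the model makes concrete is that the password and MFA prompt never leave the legitimate login page, so credential-capture defences do not fire; what the attacker walks away with is a token pair bound to the client that requested the code. If the victim never enters the code, polling simply ends in `expired_token`, which is also why the kits push the lure with urgency.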