
Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing

The Tycoon2FA phishing kit has added support for device-code phishing attacks and now abuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts.

Although an international law enforcement operation took down the Tycoon2FA platform in March, the operators quickly rebuilt it on new infrastructure and resumed normal activity levels. Earlier this month, Abnormal Security reported that Tycoon2FA had returned to full operations and introduced new obfuscation techniques to make it harder to disrupt.

In late April, the kit was seen in campaigns exploiting OAuth 2.0 device authorization grant flows to compromise Microsoft 365 accounts, showing that its developers continue to actively enhance it.

Device-code phishing involves attackers sending a device authorization request to the target service, then forwarding the resulting code to the victim and tricking them into entering it on the legitimate login page. This authorizes the attacker's rogue device on the victim's Microsoft 365 account, granting unrestricted access to email, calendar, contacts, and cloud storage.

Push Security recently reported that such attacks have surged 37-fold this year, backed by at least ten different phishing-as-a-service platforms and private kits. A recent Proofpoint report notes a comparable spike in the adoption of this tactic.

Tycoon2FA now incorporates device-code phishing

New research from managed detection and response firm eSentire shows that Tycoon2FA is proof cybercriminals have widely adopted device code phishing.

"The attack starts when a victim clicks a Trustifi click-tracking link in a phishing email and ends with the victim unwittingly authorizing OAuth tokens for an attacker-controlled device via Microsoft's legitimate device login page at microsoft.com/devicelogin," explains eSentire.

"Connecting those two endpoints is a four-layer in-browser delivery chain whose Tycoon 2FA tradecraft remains virtually identical to the credential-relay variant TRU documented in April 2025 and the post-takedown variant documented in April 2026."

Trustifi is a legitimate email security solution that offers various tools seamlessly integrated with popular email platforms such as Microsoft and Google. However, eSentire still does not know how the attackers discovered or began using Trustifi.

According to the researchers, the attack starts with an invoice-themed phishing email that includes a Trustifi tracking URL. This link redirects through Trustifi, Cloudflare Workers, and multiple layers of obfuscated JavaScript before landing the victim on a fake Microsoft CAPTCHA page.

The phishing site then pulls a Microsoft OAuth device code from the attacker's backend and prompts the victim to copy and paste it into the Microsoft device login page (microsoft.com/devicelogin). After navigating to '/common/oauth2/devicecode?client_id=…', the victim performs multi-factor authentication (MFA). Microsoft then issues OAuth access and refresh tokens to the attacker-controlled device.

Tycoon2FA attack flow. This article is part of a series published by eSentire.
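The defender-side signal for the flow described above is a sign-in that completed through the device-code grant, especially a successful one from an address the user has never used. The following is an added illustration, not code from eSentire, BleepingComputer, or the Tycoon2FA research: it scans exported Microsoft Entra sign-in records for device-code-flow authentications and ranks successful ones from unfamiliar IPs highest. It assumes the records carry the Entra sign-in export fields used in the code (userPrincipalName, authenticationProtocol, ipAddress, appDisplayName, status.errorCode); the sample records and the per-user IP baseline are constructed.

```python
# Added example (not the page's or eSentire's code): flag device-code-flow
# sign-ins in exported Microsoft Entra sign-in log records.
#
# Assumptions: records use the Entra sign-in export field names below; the
# sample export and the KNOWN_IPS baseline are constructed for the demo.
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample export: one ordinary OAuth2 sign-in, then a failed and a
# successful device-code sign-in for the same user from an address outside
# that user's baseline (the "failures, then MFA success" pattern of a phish).
SAMPLE_SIGNIN_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "appDisplayName": "Outlook",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
])

# Constructed baseline: source IPs each user has been seen from previously.
KNOWN_IPS: dict[str, set[str]] = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.22"},
}


@dataclass(frozen=True)
class DeviceCodeAlert:
    user: str
    ip: str
    app: str
    succeeded: bool  # errorCode 0 means Entra issued tokens to the device
    new_ip: bool     # sign-in IP is absent from the user's baseline


def parse_export(raw: str) -> list[dict]:
    """Parse a JSON array of sign-in records, rejecting any other shape."""
    records = json.loads(raw)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of sign-in records")
    return records


def device_code_alerts(records: list[dict],
                       known_ips: dict[str, set[str]]) -> list[DeviceCodeAlert]:
    """One alert per device-code-flow sign-in, successful or not.

    Failures are kept on purpose: a run of failed device-code attempts followed
    by a success is what a phished user finally completing MFA looks like.
    """
    alerts: list[DeviceCodeAlert] = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec.get("userPrincipalName", "")
        ip = rec.get("ipAddress", "")
        alerts.append(DeviceCodeAlert(
            user=user,
            ip=ip,
            app=rec.get("appDisplayName", ""),
            succeeded=rec.get("status", {}).get("errorCode", 0) == 0,
            new_ip=ip not in known_ips.get(user, set()),
        ))
    return alerts


def high_priority(alerts: list[DeviceCodeAlert]) -> list[DeviceCodeAlert]:
    """Successful device-code sign-ins from an IP the user has not used before."""
    return [a for a in alerts if a.succeeded and a.new_ip]


if __name__ == "__main__":
    found = device_code_alerts(parse_export(SAMPLE_SIGNIN_EXPORT), KNOWN_IPS)
    urgent = set(high_priority(found))
    for a in found:
        level = "HIGH" if a in urgent else "info"
        print(f"{level} {a.user} from {a.ip} via {a.app} succeeded={a.succeeded}")
```

Device-code sign-ins are legitimate for headless hosts and CLI tooling, so the alert should be reviewed against which users and client applications actually need that grant; for everyone else, the Conditional Access "authentication flows" condition can block the device code flow outright, which removes the token issuance step the kit depends on.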

BleepingComputer
