[Figure: The genuine Microsoft device authentication page]
Just weeks after a massive international law enforcement operation dismantled its primary server infrastructure, the notorious Tycoon 2FA network is back—and it has completely changed the rules of engagement.
A new investigative report from eSentire’s Threat Response Unit (TRU) has exposed a highly evasive, multi-layered phishing campaign active in late April 2026. The findings reveal that despite a high-profile March 2026 coalition takedown led by Microsoft and Europol, the operators behind the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform successfully preserved their codebase and quickly adapted to exploit a major strategic shift in credential harvesting: OAuth Device Authorization Grant abuse.
Historically, Tycoon 2FA made its name as an Adversary-in-the-Middle (AiTM) proxy designed to snatch active login credentials and session cookies in real time. The newest variant, however, bypasses the need for credential harvesting altogether.
In these newly observed campaigns, attackers target users with realistic lures, such as a fraudulent Microsoft 365 voicemail notification. The email prompts the victim to click a legitimate Trustifi click-tracking link, which launders the email's reputation past secure email gateways.
The user is then guided through a highly structured, multi-layer browser sequence that instructs them to copy an operator-generated alphanumeric code and visit Microsoft’s genuine device login portal (microsoft.com/devicelogin). Because the victim inputs the code into authentic Microsoft infrastructure, Multi-Factor Authentication (MFA) prompts are completed natively without raising suspicion.
The moment the victim clicks “Continue” on the consent screen, they are not logging themselves into a new app—they are unknowingly issuing permanent access tokens to an automated, background device controlled by the hackers.
While the frontend lure changed, source-code forensics proved that the structural backbone of the malware remains a carbon copy of the classic Tycoon 2FA payload architecture.
TRU’s investigation verified that the underlying code contains four unmistakable signatures from previous iterations: the proprietary “Check Domain” filtering logic, aggressive anti-debugging timing loops, a Base64 XOR HTML wrapper, and a specific encryption fingerprint.
“Source-code analysis confirms four independent fingerprints continuous with the Tycoon 2FA kit TRU previously documented: the Check Domain architecture, the CryptoJS AES-CBC encryption layer with the hardcoded key and IV “1234567890123456”, the anti-debug stack, and the Base64 XOR HTML wrapping pattern.”
Interestingly, the attackers repurposed their custom encryption logic for this new vector. In previous versions, the CryptoJS layer was utilized to hide the credentials typed by the victim. In this variant, because no credentials are ever handled, the hardcoded key layer encrypts the threat actor’s own background session metadata.
Once authorization is granted, the attacker's backend framework moves at a blinding tempo. TRU observed the malicious automation interface operating from infrastructure hosted in Alibaba Cloud (specifically originating from ASN 45102).
The moment token issuance is verified, the kit immediately executes a wave of background queries using standard backend scripting headers. Forensic logs recorded “three near-simultaneous non-interactive token uses against Office 365 Exchange Online (x2) and Microsoft Graph (x1)” firing off within two seconds of user consent. This allows the platform’s automation to immediately sweep the account, harvesting global address directories and mapping out highly sensitive corporate mailboxes.
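The tell-tale pattern described above (one interactive device-code sign-in, then a burst of non-interactive token uses from a different network within seconds) is something a defender can hunt for in Microsoft Entra sign-in logs. The following is an added example and not eSentire/TRU tooling; it assumes exported sign-in records with the standard fields authenticationProtocol, isInteractive, resourceDisplayName, ipAddress and autonomousSystemNumber, and the sample records, user names and IP addresses are constructed (only the ASN value 45102 comes from the report).

```python
"""Flag device-code consents followed by rapid non-interactive token use.

Added example, not eSentire/TRU code. The records mimic Microsoft Entra
sign-in log fields; all sample values below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample: alice consents via the device code flow from her own
# network, then three token uses fire within two seconds from a different
# ASN (45102 is the ASN named in the TRU report). bob's device-code sign-in
# is followed by a single token use from the same network and is benign.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-04-28T14:02:10Z",
     "authenticationProtocol": "deviceCode", "isInteractive": True,
     "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "203.0.113.10", "autonomousSystemNumber": 64496},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-04-28T14:02:11Z",
     "authenticationProtocol": "none", "isInteractive": False,
     "resourceDisplayName": "Office 365 Exchange Online",
     "ipAddress": "198.51.100.7", "autonomousSystemNumber": 45102},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-04-28T14:02:11Z",
     "authenticationProtocol": "none", "isInteractive": False,
     "resourceDisplayName": "Office 365 Exchange Online",
     "ipAddress": "198.51.100.7", "autonomousSystemNumber": 45102},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-04-28T14:02:12Z",
     "authenticationProtocol": "none", "isInteractive": False,
     "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "198.51.100.7", "autonomousSystemNumber": 45102},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-04-28T15:30:00Z",
     "authenticationProtocol": "deviceCode", "isInteractive": True,
     "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "192.0.2.20", "autonomousSystemNumber": 64497},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-04-28T15:30:01Z",
     "authenticationProtocol": "none", "isInteractive": False,
     "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "192.0.2.20", "autonomousSystemNumber": 64497},
]


def parse_ts(value):
    """Sign-in timestamps are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_abuse(signins, window_seconds=5, min_token_uses=2):
    """Return one finding per interactive deviceCode sign-in that is followed,
    within window_seconds, by at least min_token_uses non-interactive sign-ins
    for the same user from a different IP address or ASN."""
    events = sorted(signins, key=lambda e: parse_ts(e["createdDateTime"]))
    findings = []
    for i, consent in enumerate(events):
        if consent.get("authenticationProtocol") != "deviceCode" or not consent.get("isInteractive"):
            continue
        t0 = parse_ts(consent["createdDateTime"])
        followers = [
            ev for ev in events[i + 1:]
            if ev["userPrincipalName"] == consent["userPrincipalName"]
            and not ev.get("isInteractive")
            and parse_ts(ev["createdDateTime"]) - t0 <= timedelta(seconds=window_seconds)
            and (ev.get("ipAddress") != consent.get("ipAddress")
                 or ev.get("autonomousSystemNumber") != consent.get("autonomousSystemNumber"))
        ]
        if len(followers) >= min_token_uses:
            findings.append({
                "user": consent["userPrincipalName"],
                "consent_time": consent["createdDateTime"],
                "consent_ip": consent.get("ipAddress"),
                "token_uses": len(followers),
                "token_use_asns": sorted({ev.get("autonomousSystemNumber") for ev in followers}),
                "resources": sorted({ev["resourceDisplayName"] for ev in followers}),
            })
    return findings


if __name__ == "__main__":
    for finding in find_device_code_abuse(SAMPLE_SIGNINS):
        print(finding)
```

The window and threshold are deliberately tight so that a user who genuinely signs in from a keyboard-less device and then quietly uses it is not flagged; the signal is the combination of the device-code protocol, a network change between consent and token use, and several resources touched almost at once.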
The resurgence of Tycoon 2FA demonstrates that disrupting infrastructure only buys security teams temporary relief. Enterprise defenses must permanently adapt to block the underlying vector. To guard against Tycoon’s latest evolution, eSentire’s Threat Response Unit strongly emphasizes the following active mitigations:
- Block Device Code Flows Globally: Organizations should implement Microsoft Entra Conditional Access policies using the “Authentication Flows” condition to completely disable the device code flow for standard end-users. This flow was built for devices lacking keyboards (like smart TVs) and is rarely required for normal business operations.
- Restrict Third-Party App Consent: Ensure user consent settings in Microsoft Entra are configured to require explicit IT administrator approval before any third-party or multi-tenant application can connect to corporate mail or directory endpoints.
- Enforce Compliant Device Policies: Mandate that all non-interactive cloud log-ins originate exclusively from registered, Intune-compliant corporate hardware, preventing tokens captured on foreign systems from gaining a foothold.
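The first mitigation above can be expressed as a Microsoft Graph Conditional Access policy object. What follows is an added example, not Microsoft's or eSentire's code: it builds a policy body using the documented conditionalAccessPolicy schema (the authenticationFlows.transferMethods condition) and audits a set of existing policies for one that actually enforces the block, catching the common gap where the policy exists only in report-only mode or is scoped to a subset of users. The break-glass group identifier is a placeholder.

```python
"""Build and audit an Entra Conditional Access policy blocking the device code flow.

Added example, not Microsoft's or eSentire's code. The dict follows the Microsoft
Graph conditionalAccessPolicy schema; post it with json.dumps() to the
identity/conditionalAccess/policies endpoint using a principal that holds
Policy.ReadWrite.ConditionalAccess. No network call is made here.
"""
import json

# Placeholder (assumption): object id of an emergency-access group that must
# keep the device code flow, e.g. for conference-room hardware.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def block_device_code_flow_policy(exclude_group_ids=(), state="enabledForReportingButNotEnforced"):
    """Policy body: all users, all apps, device code flow -> block.

    Defaults to report-only so it can be observed before enforcement; pass
    state="enabled" to enforce."""
    return {
        "displayName": "Block device code flow for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            # transferMethods is a comma-separated flag string in the Graph schema.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def blocks_device_code_flow(policy):
    """True only if this policy is enforced (not report-only), targets all users
    on all applications, carries the deviceCodeFlow condition, and blocks."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    methods = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    if "deviceCodeFlow" not in [m.strip() for m in methods.split(",")]:
        return False
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        return False
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        return False
    return "block" in policy.get("grantControls", {}).get("builtInControls", [])


def tenant_blocks_device_code_flow(policies):
    """Audit helper: does any policy in the tenant enforce the block?"""
    return any(blocks_device_code_flow(p) for p in policies)


if __name__ == "__main__":
    policy = block_device_code_flow_policy(exclude_group_ids=[BREAK_GLASS_GROUP_ID], state="enabled")
    print(json.dumps(policy, indent=2))
    print("enforced:", tenant_blocks_device_code_flow([policy]))
```

Run the audit against the policies returned by a GET on the same endpoint; a tenant whose only matching policy is in report-only mode, or whose policy is scoped to a pilot group, will correctly come back as not protected.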