Tycoon2FA Adds OAuth Device-Code Phishing for Microsoft 365 Accounts
The Tycoon2FA phishing-as-a-service platform has resurfaced after a law enforcement disruption and now abuses the OAuth 2.0 device authorization grant to compromise Microsoft 365 accounts protected by multifactor authentication. According to eSentire, the campaign begins with lure emails carrying Trustifi click-tracking URLs and guides victims through a multi-stage redirection chain, including a fake Microsoft CAPTCHA page, before directing them to Microsoft’s legitimate device login portal at microsoft.com/devicelogin.
Rather than exploiting a software flaw or directly bypassing MFA, the operation relies on social engineering to convince users to enter a device code and approve token issuance for an attacker-controlled device, giving the threat actor OAuth tokens for account access. Researchers said the kit retains much of the four-layer in-browser delivery chain seen in earlier Tycoon2FA variants while adding anti-analysis measures to hinder researchers and scanners; recommended defenses include disabling device-code flow where it is not needed, tightening OAuth consent controls, and increasing monitoring of Microsoft Entra logs.
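The monitoring recommendation above can be turned into a concrete check over Entra sign-in logs. The script below is an added example, not code from eSentire or the Tycoon2FA reporting; it assumes the Microsoft Graph sign-in log schema (the `authenticationProtocol` field reads "deviceCode" for device-code sign-ins, `status.errorCode` is 0 on success), and the records it runs on are constructed sample data. The allow-list of expected apps and the "IP seen elsewhere" heuristic are the author's own additions.

```python
"""Flag Microsoft Entra sign-ins completed with the OAuth 2.0 device code flow.

Added example; not code from eSentire or the Tycoon2FA reporting. It assumes
the Microsoft Graph sign-in log schema, where `authenticationProtocol` is
"deviceCode" for device-code sign-ins and `status.errorCode` is 0 on success.
All records below are constructed sample data, not real telemetry.
"""
from collections import defaultdict

SAMPLE_SIGNINS = [  # constructed records in the Graph signIn shape
    {"createdDateTime": "2026-05-02T09:14:03Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-02T09:41:55Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-02T10:02:11Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-02T10:30:40Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.78", "status": {"errorCode": 50126}},
]

def device_code_findings(records, expected_apps=frozenset()):
    """Return successful device-code sign-ins made through apps the tenant does not
    expect to use that flow. Each finding notes whether the source IP also appears
    in the same user's non-device-code sign-ins (author's heuristic, not Microsoft's)."""
    ips_by_user = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            ips_by_user[r["userPrincipalName"]].add(r["ipAddress"])
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # grant never completed; no token was issued
        if r.get("appDisplayName") in expected_apps:
            continue  # tenant-approved device-code use, e.g. CLI tooling
        user = r["userPrincipalName"]
        findings.append({"user": user, "app": r.get("appDisplayName"),
                         "ip": r["ipAddress"], "time": r["createdDateTime"],
                         "ip_seen_elsewhere": r["ipAddress"] in ips_by_user[user]})
    return findings

if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS, expected_apps={"Microsoft Azure CLI"}):
        print(f)
```

A finding whose IP was never seen in the user's ordinary sign-ins is the case worth triaging first, since in this campaign the token is issued to a device the user never touched.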

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Researchers report Tycoon 2FA persistence via rogue Entra ID device registration
The new reporting said Tycoon 2FA supports post-compromise persistence by registering rogue devices in Microsoft Entra ID to obtain primary refresh tokens. This can allow attackers to maintain access even after stolen sessions are revoked, adding a new post-compromise capability beyond the previously documented phishing flow.
KnowBe4 highlights eSentire findings on evolved Tycoon 2FA campaign
A KnowBe4 report summarized eSentire's findings that the evolved Tycoon 2FA platform abuses legitimate Microsoft device login and social engineering rather than exploiting a software vulnerability or directly bypassing MFA. The report also reiterated that the operation had resumed after the earlier law enforcement takedown.
Researchers disclose anti-analysis features in updated Tycoon 2FA kit
Reporting on the updated kit said it included protections intended to block researchers, security vendors, and automated scanners. The disclosure added technical detail about how the phishing platform attempted to evade analysis while conducting device-code attacks.
Tycoon 2FA resumes operations with device-code phishing for Microsoft 365
eSentire reported that Tycoon 2FA resurfaced after the law enforcement disruption and added OAuth 2.0 device authorization grant abuse to target Microsoft 365 accounts. The campaign used lure emails with Trustifi click-tracking URLs, redirection and obfuscation layers, a fake Microsoft CAPTCHA page, and Microsoft's legitimate device login flow to obtain OAuth tokens from victims.
Tycoon 2FA variants documented again with similar delivery methods
Researchers noted that Tycoon 2FA variants were again documented in April 2026, with the latest campaign retaining a largely unchanged four-layer in-browser delivery chain. This indicates continuity in the kit's infrastructure and tradecraft.
Europol, Microsoft, and partners announce Tycoon 2FA takedown
Trend Micro reported that Europol, Microsoft, Trend Micro, and other collaborators halted Tycoon 2FA operations. The announcement publicly identified the coordinated disruption effort behind the phishing-as-a-service platform's earlier 2026 outage.
Tycoon 2FA disrupted by law enforcement takedown
The phishing-as-a-service operation was disrupted by a law enforcement takedown earlier in 2026. Later reporting described the disruption as recent at the time the kit resumed activity.
Researchers analyze Tycoon 2FA defense-evasion mechanisms
A report published on 2025-05-13 examined Tycoon 2FA's defense-evasion and anti-analysis techniques, indicating the phishing kit was already incorporating mechanisms to hinder detection and investigation by that time. This adds an earlier technical milestone in the evolution of the platform's evasion tradecraft.
Tycoon 2FA documented using a similar browser delivery chain
Researchers said the four-layer in-browser delivery chain seen in the latest Tycoon 2FA activity was largely unchanged from variants previously documented in April 2025. This establishes that core elements of the phishing kit were already in use by that time.
Sources
Tycoon 2FA AiTM Kit Bypasses MFA on Entra ID and Google Workspace Accounts (cybersecuritynews.com)
Tycoon 2FA AiTM detection for Entra ID and Google, Elastic Security Labs (elastic.co)
Report: The Tycoon 2FA Phishing Kit Has Evolved (blog.knowbe4.com)
Tycoon2FA phishing kit evolves with device-code attacks on Microsoft 365, SC Media brief (scworld.com)
Europol, Microsoft, TrendAI™, and Collaborators Halt Tycoon 2FA Operations, Trend Micro (UK) (trendmicro.com)
Tycoon 2FA Takedown, Cloudflare (cloudflare.com)
Defending the gates: How a global coalition disrupted Tycoon 2FA, a major driver of initial access and large-scale online impersonation, Microsoft On the Issues (blogs.microsoft.com)
Evolution of Tycoon 2FA Defense Evasion Mechanisms (any.run)