VYPR research · Published Mar 23, 2026 · Updated May 18, 2026 · 2 sources

Tycoon2FA Hijacks Microsoft 365 Accounts via Device-Code Phishing

The Tycoon2FA phishing kit has updated its tactics to include device-code phishing and the abuse of Trustifi click-tracking URLs to compromise Microsoft 365 accounts.

The Tycoon2FA phishing kit has expanded its capabilities to include device-code phishing attacks, specifically targeting Microsoft 365 accounts. By abusing Trustifi click-tracking URLs, the kit directs users to malicious pages that facilitate the theft of authentication tokens, bypassing traditional multi-factor authentication (MFA) protections.

Device-code phishing exploits the legitimate OAuth 2.0 device authorization grant flow. In this attack chain, the victim is prompted to enter a code on a secondary device, which the attacker then uses to obtain an access token. By leveraging trusted services like Trustifi to host or redirect to these phishing pages, the attackers increase the likelihood that users will bypass security filters and interact with the malicious links.

Once the attacker successfully hijacks the session, they can gain persistent access to the victim's Microsoft 365 environment. This method is particularly effective because it does not require the attacker to know the user's password, instead focusing on the interception of the authorization process itself. Organizations are advised to monitor for unusual device-code authentication requests and to enforce conditional access policies that restrict the use of device-code flows where possible.
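The monitoring advice above can be turned into a simple hunt over Microsoft Entra sign-in records. This is an added example, not code from the article or from any vendor: it assumes the Microsoft Graph signIn record shape, where `authenticationProtocol` equals `"deviceCode"` for the OAuth 2.0 device authorization grant, and every record below is a constructed sample rather than real telemetry.

```python
"""Flag device-code sign-ins that complete from an address the user has
never used with an ordinary (non-device-code) sign-in.

Added example, not from the article. Assumes the Microsoft Graph signIn
shape; the sample records are constructed, not real telemetry."""
from collections import defaultdict

# Constructed sample sign-in records (two users, one day of activity).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "createdDateTime": "2026-03-04T08:02:11Z"},
    # Device-code grant redeemed from an address alice has never used:
    # the shape of a device-code phish, where the attacker's client polls
    # for the token after the victim enters the code.
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "createdDateTime": "2026-03-04T09:14:03Z"},
    # Device-code grant from an address bob already uses (e.g. a headless box).
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "createdDateTime": "2026-03-05T10:00:00Z"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
     "createdDateTime": "2026-03-05T10:20:00Z"},
]


def flag_device_code_signins(signins):
    """Return one alert per device-code sign-in, rated 'high' when the
    source IP is outside the user's baseline of non-device-code sign-in
    IPs and 'medium' otherwise."""
    baseline = defaultdict(set)
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode":
            baseline[rec["userPrincipalName"]].add(rec["ipAddress"])
    alerts = []
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        unknown_ip = rec["ipAddress"] not in baseline[user]
        alerts.append({"user": user, "ip": rec["ipAddress"],
                       "app": rec["appDisplayName"],
                       "time": rec["createdDateTime"],
                       "severity": "high" if unknown_ip else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in flag_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```

In a real tenant the baseline would be built from a longer window than the one the alert is raised in, and a 'medium' hit still deserves a look if the tenant has no legitimate headless or CLI device-code use.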

The evolution of Tycoon2FA highlights the ongoing trend of threat actors shifting toward sophisticated, identity-focused attacks that target the nuances of modern cloud authentication protocols. As phishing kits continue to integrate these advanced techniques, the reliance on standard MFA becomes insufficient without additional layers of behavioral analysis and strict identity governance. (Source: BleepingComputer)

Despite a Europol-coordinated takedown earlier this month that seized 330 domains, Tycoon2FA has rapidly resumed operations. CrowdStrike observed at least 30 suspected Tycoon2FA incidents between March 4-6, 2026, with operators continuing to use compromised domains and cloud services for redirection. The platform's quick recovery underscores the resilience of modern phishing-as-a-service operations and the need for continuous detection and layered defenses.

Synthesized by Vypr AI