The Tycoon2FA phishing-as-a-service (PhaaS) platform — previously known for its adversary-in-the-middle (AiTM) capabilities against Microsoft 365 — has evolved its toolkit with a new device-code phishing capability and has begun abusing Trustifi click-tracking URLs as a link obfuscation mechanism. Researchers at BleepingComputer confirmed the updated campaign in active deployment targeting Microsoft 365 accounts.
What Is Device-Code Phishing?
Device-code phishing is a social engineering technique that abuses the OAuth 2.0 device authorization grant flow — a legitimate authentication mechanism designed for devices that cannot easily display a browser (smart TVs, CLI tools, IoT devices). In a normal device-code flow:
- A device requests a user code from an identity provider (e.g., Microsoft Entra ID / Azure AD)
- The user is directed to a web page to enter the code and authorize the device
- The device polls for token issuance and receives OAuth access tokens upon completion
In a phishing context, attackers generate the device code themselves and send it to victims via email, pretending to be a legitimate service request. The victim enters the code into the real Microsoft login page — authenticating with their full credentials and MFA — and the attacker's client receives the resulting access tokens. Because the victim authenticated against Microsoft's real login page, MFA is satisfied and the attacker obtains a persistent access token that works without further MFA challenges.
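To make the three steps concrete, here is an added toy model of the grant (not from the article, Microsoft or any vendor) that also shows why MFA on the real login page does not protect the account, and how blocking the flow per user, as a Conditional Access policy would, removes the exposure; the `IdentityProvider` class, `run_flow` and the allow-list are assumptions for the demo.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not from the article. A minimal stand-in identity provider shows
the property device-code phishing abuses (tokens go to the client that requested
the code, whoever completes the user step) and how blocking the grant for users
who never need it removes the exposure. The allow-list is a hypothetical stand-in
for a Conditional Access policy.
"""
import secrets


class IdentityProvider:
    def __init__(self, device_flow_allowed_users):
        self.allowed = set(device_flow_allowed_users)
        self.pending = {}        # device_code -> {"user_code", "client", "user"}
        self.by_user_code = {}   # user_code -> device_code

    def device_authorize(self, client_id):
        """Step 1: a client asks for a device code plus a short user code."""
        device_code = secrets.token_hex(16)
        user_code = f"{secrets.randbelow(10**9):09d}"
        self.pending[device_code] = {"user_code": user_code, "client": client_id, "user": None}
        self.by_user_code[user_code] = device_code
        return device_code, user_code

    def complete_user_step(self, user_code, user, mfa_passed):
        """Step 2: a user enters the code on the genuine login page and passes MFA."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None or not mfa_passed:
            return "denied"
        if user not in self.allowed:
            return "blocked_by_policy"   # grant disabled for this user: nothing is issued
        self.pending[device_code]["user"] = user
        return "authorized"

    def poll_token(self, device_code):
        """Step 3: whoever holds the device code polls and receives the tokens."""
        req = self.pending.get(device_code)
        if req is None or req["user"] is None:
            return None
        return {"sub": req["user"], "client": req["client"], "access_token": secrets.token_hex(8)}


def run_flow(allowed_users, user, requester="untrusted-client"):
    """Request a code as `requester`, have `user` complete it with MFA, then poll."""
    idp = IdentityProvider(allowed_users)
    device_code, user_code = idp.device_authorize(requester)
    status = idp.complete_user_step(user_code, user, mfa_passed=True)
    return status, idp.poll_token(device_code)
```

Note that `complete_user_step` succeeds with MFA passed, yet the token is returned to `requester`, not to the browser the user typed into; only the per-user block changes the outcome.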
This technique has surged in 2026. Security researchers noted a 37x increase in device-code phishing kit deployments in early 2026 as the method gained popularity for bypassing Conditional Access policies.
Tycoon2FA's Updated Capabilities
Tycoon2FA, a well-established PhaaS platform first documented in 2023 and previously known for its AiTM reverse-proxy technique, has now incorporated device-code phishing as a secondary attack mode. The addition means operators of the Tycoon2FA kit can choose between:
- AiTM proxy mode: The traditional technique of proxying the victim through a fake login page that captures session cookies in real time
- Device-code mode: The newer technique that generates device authorization codes and delivers them to victims as purported "security alerts" or "login approval" requests
Trustifi URL Abuse
A notable element of the updated Tycoon2FA campaign is its abuse of Trustifi, a legitimate email security and marketing platform. Attackers are embedding phishing links inside Trustifi's click-tracking URL infrastructure, causing the phishing URLs to appear as click.trustifi.com domain links in email headers.
This approach leverages the trust reputation of a legitimate security vendor's infrastructure to bypass email security filters (SEG, Microsoft Defender for Office 365, Proofpoint) that might otherwise flag unknown or malicious domains. Because trustifi.com is a known and trusted email platform, its click-tracker domains are typically on allowlists.
This technique is part of a broader pattern of trusted service abuse in phishing campaigns, where attackers exploit click-tracking, link shortening, or file-hosting services operated by reputable vendors to launder malicious URLs.
Who Is Tycoon2FA?
Tycoon2FA operates as a commercial PhaaS platform sold to cybercriminals via underground forums. Its customer base reportedly includes:
- Business email compromise (BEC) operators targeting financial transfers
- Ransomware affiliate groups seeking initial access to Microsoft 365 environments
- Data theft actors looking for persistent OAuth token access to cloud storage (SharePoint, OneDrive)
Previous Tycoon2FA campaigns have been linked to account takeovers at financial services firms, insurance companies, and technology providers.
Detecting and Defending Against Device-Code Phishing
Device-code phishing is challenging to detect because the victim authenticates against the legitimate Microsoft login page, generating no direct signal of compromise in traditional security tooling. Key defensive measures include:
In Microsoft Entra ID (Azure AD):
- Block device code flow via Conditional Access — Microsoft allows organizations to block the device authorization grant flow for users who should never need it. For most enterprise users, this flow can safely be disabled.
- Monitor for unusual device code authorization events in the Microsoft Entra ID sign-in logs (device code flow authentication events from unexpected IP addresses or user agents).
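The sign-in log monitoring above can be scripted. The following added example (not from the article or from Microsoft) runs a few review rules over constructed sign-in events whose field names are assumed to follow the Microsoft Graph signIn schema, flagging device-code sign-ins by users outside an allow-list, from unexpected networks, or with unexpected client user agents; the network range, allow-list and user-agent prefixes are assumptions.

```python
"""Flag device-code sign-ins worth reviewing in Entra ID sign-in logs.

Added example, not from the article. Field names are assumed to follow the Microsoft
Graph signIn resource (authenticationProtocol == "deviceCode"); the events, the
office network range and the allow-lists below are constructed assumptions.
"""
import ipaddress
import json

CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office egress (TEST-NET-3)
DEVICE_CODE_ALLOWED = {"build-agent@example.com"}              # users who legitimately use the flow
EXPECTED_UA_PREFIXES = ("Azure CLI",)                          # assumed legitimate device-code clients

# Constructed sign-in events in the shape of Graph API signIn objects.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2026-03-02T09:14:05Z", "userPrincipalName": "build-agent@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.40", "userAgent": "Azure CLI/2.60"},
 {"createdDateTime": "2026-03-02T09:21:44Z", "userPrincipalName": "cfo@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "userAgent": "python-requests/2.31"},
 {"createdDateTime": "2026-03-02T09:22:10Z", "userPrincipalName": "cfo@example.com",
  "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.12", "userAgent": "Mozilla/5.0"}
]""")


def review_reasons(event, networks=CORPORATE_NETWORKS, allowed=DEVICE_CODE_ALLOWED):
    """Return the reasons one sign-in event deserves review (empty list if none)."""
    if event.get("authenticationProtocol") != "deviceCode":
        return []                                  # only the device authorization grant is in scope
    reasons = []
    if event["userPrincipalName"] not in allowed:
        reasons.append("device code flow used by a user outside the allow-list")
    ip = ipaddress.ip_address(event["ipAddress"])
    if not any(ip in net for net in networks):
        reasons.append(f"device code redeemed from unexpected address {ip}")
    ua = event.get("userAgent", "")
    if not ua.startswith(EXPECTED_UA_PREFIXES):
        reasons.append(f"unexpected client user agent {ua!r}")   # scripting clients stand out
    return reasons


def flag_device_code_signins(events):
    """Return (UPN, reasons) for every device-code sign-in with at least one review reason."""
    return [(e["userPrincipalName"], r) for e in events if (r := review_reasons(e))]


if __name__ == "__main__":
    for upn, reasons in flag_device_code_signins(SAMPLE_SIGNINS):
        print(upn, "->", "; ".join(reasons))
```

In production the same rules would run over events exported from the sign-in logs (Graph API or a SIEM) rather than the embedded sample.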
Email Security:
- Scrutinize click-tracker URLs from third-party platforms — even from trusted vendors — especially when the destination domain is unfamiliar or the link context does not match normal business communication.
- Train users to never enter a device code they did not personally initiate from a device they control.
Token Management:
- Implement token binding and short-lived access token policies where possible.
- Use continuous access evaluation (CAE) in Microsoft Entra ID to revoke compromised tokens in near real time.
Broader Threat Landscape Context
The evolution of Tycoon2FA reflects the maturation of the PhaaS ecosystem. Modern phishing kits are no longer single-technique tools — they are modular platforms maintained by criminal developers who track defensive improvements and release updates to stay ahead of security controls. The addition of device-code support represents a direct response to enterprise deployments of phishing-resistant MFA policies that block AiTM proxy attacks.