Operators behind the Tycoon 2FA phishing kit have introduced a new tactic to their arsenal, enabling them to breach Microsoft 365 accounts by exploiting OAuth Device Code flows. This method allows them to bypass multi-factor authentication (MFA) without needing to capture passwords.
Initially recognized as a Phishing-as-a-Service (PhaaS) platform, the Tycoon 2FA kit was developed to circumvent MFA by intercepting credentials. In recent months, its operators have refined their techniques and delivery mechanisms to evade detection tools and vendor blocklists, even persisting after significant disruptions earlier this year.
Innovative Phishing Tactics Unveiled
A report by eSentire’s Threat Response Unit (TRU) highlighted the discovery of Tycoon 2FA’s evolved strategies in late April 2026. Despite a major takedown in March 2026 led by Microsoft and Europol, the core components of the kit remain unchanged, now incorporating OAuth device code abuse for token harvesting instead of credential theft.
The attack commences with a deceptive email, which includes a click-tracking link from Trustifi, an authentic email security platform. This link guides victims through several malicious redirects without raising suspicion, exploiting Trustifi’s clean reputation to bypass email filters.
Exploiting OAuth Device Code
Central to this campaign is the misuse of the OAuth 2.0 Device Authorization Grant, typically used by devices like smart TVs. In a normal scenario, users enter a code on a trusted website to grant access. The Tycoon 2FA attackers have weaponized this by tricking victims into granting access tokens to attacker-controlled devices.
Victims receive a Microsoft 365 voicemail notification lure, prompting them to enter a code at the legitimate Microsoft device login page. The MFA prompt looks normal, but the approval actually completes the attackers' pending device-code request, so the MFA step ends up authorizing the attackers' session rather than protecting the account.
Resilience Against Law Enforcement Actions
eSentire’s analysis reveals that despite law enforcement interventions, Tycoon 2FA’s kit has retained much of its original structure. Key components such as encryption keys, anti-debugging techniques, and backend patterns from 2025 are still in use, indicating the operators’ preparedness and ability to quickly resume operations.
Post-compromise investigations have identified unusual user-agent strings from Node.js automation tools, consistent with an attacker backend polling the token endpoint until the victim approves the device code. Organizations are advised to monitor for such signatures, particularly in sign-ins against the Microsoft Authentication Broker AppId, as potential indicators of compromise.
eSentire recommends that organizations enforce Microsoft Entra Conditional Access policies to block OAuth Device Code flows for standard users and require admin approval for third-party applications. Implementing Continuous Access Evaluation can help swiftly revoke tokens after a breach. Security teams should leverage specific KQL queries and URLscan patterns to detect related activities.
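As an added example (not code from eSentire's report or from the kit itself), the detection logic the two paragraphs above describe, expressed in Python over constructed sign-in records whose field names follow Entra ID SigninLogs columns. The Authentication Broker AppId and the Node.js user-agent markers are assumptions to verify against your own tenant before use.

```python
"""Flag device-code sign-ins that look like attacker-side token polling.

Equivalent KQL over Entra SigninLogs (assumed column names):
    SigninLogs
    | where AuthenticationProtocol == "deviceCode"
    | where AppId == "29d9ed98-a469-4536-ade2-f981bc1d605e"
    | where UserAgent has_any ("node", "axios", "undici")
"""
import json

# Well-known AppId of the Microsoft Authentication Broker (assumption: confirm in your tenant).
AUTH_BROKER_APPID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
# Substrings typical of Node.js HTTP clients (assumption: tune to your environment).
SUSPICIOUS_UA_MARKERS = ("node", "axios", "undici", "node-fetch")

# Constructed sample records (not real tenant data), one JSON object per line.
SAMPLE_SIGNIN_LOGS = """
{"UserPrincipalName":"alice@example.com","AppId":"29d9ed98-a469-4536-ade2-f981bc1d605e","AuthenticationProtocol":"deviceCode","UserAgent":"axios/1.6.8","ResultType":"0","IPAddress":"203.0.113.10"}
{"UserPrincipalName":"bob@example.com","AppId":"29d9ed98-a469-4536-ade2-f981bc1d605e","AuthenticationProtocol":"deviceCode","UserAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/124.0","ResultType":"0","IPAddress":"198.51.100.5"}
{"UserPrincipalName":"carol@example.com","AppId":"11111111-2222-3333-4444-555555555555","AuthenticationProtocol":"none","UserAgent":"node-fetch/1.0","ResultType":"0","IPAddress":"192.0.2.7"}
{"UserPrincipalName":"dave@example.com","AppId":"29d9ed98-a469-4536-ade2-f981bc1d605e","AuthenticationProtocol":"deviceCode","UserAgent":"node","ResultType":"70016","IPAddress":"203.0.113.11"}
"""


def parse_signin_logs(raw: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_suspicious(rec: dict) -> bool:
    """True for a device-code sign-in to the broker app from a Node.js-style client."""
    if rec.get("AuthenticationProtocol") != "deviceCode":
        return False
    if rec.get("AppId") != AUTH_BROKER_APPID:
        return False
    ua = rec.get("UserAgent", "").lower()
    return any(marker in ua for marker in SUSPICIOUS_UA_MARKERS)


def find_suspicious_device_code_signins(raw: str) -> list[dict]:
    """Return one summary per matching record; a non-zero ResultType means the
    poll did not yet succeed (e.g. the victim had not approved the code), which
    is still worth triaging because it shows the attacker's backend at work."""
    hits = []
    for rec in parse_signin_logs(raw):
        if is_suspicious(rec):
            hits.append({"user": rec["UserPrincipalName"], "ip": rec.get("IPAddress"),
                         "ua": rec.get("UserAgent"), "success": rec.get("ResultType") == "0"})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_device_code_signins(SAMPLE_SIGNIN_LOGS):
        print(hit)
```

Browser user agents on device-code sign-ins (bob) and Node.js clients talking to other apps (carol) are left alone, so the rule only fires on the combination the report describes.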
For further protection, organizations should restrict user consent for OAuth apps and ensure admin oversight on app access. By taking these steps, they can better safeguard against the evolving threats posed by the Tycoon 2FA phishing kit.
