How Tycoon2FA Weaponized a Microsoft OAuth Flow to Bypass MFA at Scale
- Tycoon2FA added OAuth 2.0 device-code phishing to its adversary-in-the-middle kit in late April 2026, enabling Microsoft 365 account takeover even when multi-factor authentication is fully active.
- A Europol-led seizure of 330 Tycoon2FA domains on March 4, 2026 cut activity by 75% within 48 hours — but a rebuilt deployment appeared on fresh Russian infrastructure just 20 days later.
- Device-code phishing pages surged 37.5x by April 4, 2026, with at least 11 competing phishing kits now commoditizing the technique alongside the commercial launch of EvilTokens on Telegram.
- Microsoft's managed Conditional Access policy blocking device-code flow — announced in February 2025 — is the primary recommended technical control and should be enabled without delay.
What Happened
37.5 times. That is how much device-code phishing infrastructure expanded between early March and early April 2026, according to threat tracking data from Push Security — and Tycoon2FA sits at the center of that explosion.
According to BleepingComputer, the Tycoon2FA phishing-as-a-service platform — already responsible for an estimated 62% of adversary-in-the-middle (AiTM) phishing attacks blocked by Microsoft in early 2026 — added a significant new capability in late April 2026: abusing the OAuth 2.0 device authorization grant flow, codified under RFC 8628. This protocol was designed for input-constrained devices such as smart TVs and network printers, which cannot easily open a browser. Its core mechanic — a user enters a short alphanumeric code at a central Microsoft authentication page while a background service polls for approval — is precisely what threat actors have turned into an account-takeover assembly line.
In observed Tycoon2FA campaigns, lure emails arrive carrying Trustifi click-tracking URLs that mask the malicious destination. The target is directed to a page displaying a device code and instructed to authenticate at the legitimate Microsoft sign-in portal. When the victim completes that authentication — including any MFA challenge — the attacker's polling infrastructure silently receives an access token. Critically, the token request impersonates Microsoft Authentication Broker (AppId: 29d9ed98-a469-4536-ade2-f981bc1d605e), a legitimate Microsoft first-party application. The resulting token carries permissions spanning Exchange Online, Microsoft Graph, and OneDrive for Business, and the corresponding Entra ID log entry reflects a routine successful sign-in from a recognized Microsoft application. No fake login page. No captured password. The account is compromised through entirely legitimate infrastructure.
eSentire's Threat Response Unit observed that the Microsoft Authentication Broker impersonation is particularly effective because it allows the operator to obtain tokens while generating telemetry that is functionally indistinguishable from normal Microsoft first-party application activity — a significant challenge for defenders relying on Entra ID sign-in logs alone.
Why It Matters for Your Organization's Security
The March 4, 2026 Europol-coordinated operation was genuinely large in scope. Law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom — working alongside Microsoft, Cloudflare, eSentire, Proofpoint, SpyCloud, Intel471, Resecurity, Shadowserver, Health-ISAC, and Coinbase — seized 330 Tycoon2FA domains in a single synchronized action. Within the first 24 to 48 hours, Tycoon2FA activity fell to roughly 25% of its pre-disruption volume.
The recovery was faster than most incident response practitioners would anticipate. Abnormal Security's May 2026 analysis confirmed that a rebuilt Tycoon2FA deployment appeared on newly registered, Russian-hosted infrastructure just 20 days after the seizure. More significant than the speed of recovery was the architectural hardening the operators performed in response. The rebuilt kit now features six layers of obfuscation, including a polymorphic Caesar+XOR cipher (a code-scrambling technique that continuously mutates the kit's bytecode so that traditional signature-based detection cannot produce a stable match) seeded by a linear congruential generator. Cloudflare — whose infrastructure the March takedown exploited as a kill-switch choke point — was replaced wholesale with BunnyCDN, directly patching the architectural weakness that law enforcement used.
Chart: Device-code phishing page detections surged 37.5x by April 4, 2026 — up from a 15x increase at the start of March — according to Push Security threat intelligence data.
Push Security's April 2026 threat intelligence report identified at least 11 distinct phishing kits now driving the broader surge alongside Tycoon2FA, following the commercial launch of EvilTokens on Telegram in mid-February 2026. Named kits in that analysis include VENOM, SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, and PAPRIKA. This is a critical security awareness inflection point for enterprise defenders: device-code phishing has been commoditized. It is no longer the exclusive province of nation-state actors or sophisticated criminal syndicates. The kits are on Telegram, priced for mid-tier criminal operators, and being deployed broadly against any organization running Microsoft 365.
Incident response teams should also account for a significant infrastructure fingerprint shift in Tycoon2FA's rebuilt platform. The operator token-polling servers now originate from AS45102 (Alibaba Cloud) and present Node.js user-agent strings — specifically 'node' and 'undici' — replacing the 'axios/1.x' signature documented in earlier Tycoon2FA analysis. This shift appears to have taken effect around April 10, 2026, spanning both the credential-relay and device-code attack variants. Detection rules and threat intelligence feeds built on the older Alibaba Cloud signatures need immediate review. Organizations that built compensating controls around the previous fingerprint may currently have blind spots they are unaware of.
The blast radius of a successful device-code phish is substantial. A single employee interaction yields a token covering Exchange Online, Microsoft Graph, and OneDrive for Business simultaneously — meaning email archives, file storage, and API-level access to downstream integrations are all exposed in a single event. Before the March 2026 takedown, Tycoon2FA infrastructure had touched accounts across nearly 100,000 organizations worldwide. Microsoft's own characterization of the risk is direct: device-code flow is "rarely used by customers, but frequently used by attackers." For data protection purposes, defenders must also recognize that Entra ID sign-in telemetry will log the attack as a successful authentication from a recognized Microsoft application — there is no obvious anomaly to investigate without additional behavioral detection layers.
The AI Angle
Behavioral AI-driven platforms have a structural advantage over rule-based security information and event management (SIEM) systems — tools that correlate log data against known patterns — when it comes to detecting device-code phishing. The attack produces no harvested credential, no spoofed login page, and no anomalous application consent request from a third-party app. Traditional signature matching has no surface to match against.
Abnormal Security's behavioral engine, which confirmed the rebuilt Tycoon2FA platform in early May 2026, uses communication-graph analysis to detect session behavior anomalies post-token-issuance — flagging when an authenticated session acts outside established user norms even when the authentication event itself looks entirely clean. Push Security's browser-native detection model monitors OAuth consent flows at the endpoint level, which is precisely why its threat intelligence documented the 37.5x surge well before perimeter tools registered the shift. For security teams evaluating detection capabilities for this threat pattern, both platforms represent the class of AI-assisted tooling built for the behavioral baseline approach that this attack requires. Connecting AI-layer detections to automated incident response workflows — so that an anomalous token session triggers immediate revocation — is the architecture that closes the gap between detection and containment.
What Should You Do? 3 Action Steps
Microsoft announced a managed Conditional Access policy targeting device authorization grant flow in February 2025 and has continued recommending it as the primary mitigation. In Entra ID, navigate to Conditional Access policies and locate the managed policy blocking device-code flow authentication. Enable it tenant-wide. If your environment has legitimate device-code use cases — certain shared-display systems or legacy integrations do use this protocol — scope narrow exceptions by specific service principal or device group rather than disabling the policy broadly. This is the single highest-signal, lowest-friction control available for this threat and reflects cybersecurity best practices for organizations that have not yet acted on the February 2025 guidance. Ship this control today.
The shift from 'axios/1.x' to Node.js 'node' and 'undici' user-agent strings — and from Cloudflare to BunnyCDN CDN infrastructure — means any detection rules or threat intelligence feeds built on the pre-March 2026 Tycoon2FA indicators of compromise (IOCs, the specific technical signatures associated with a known threat) may be producing false negatives right now. Pull updated IOC sets from eSentire's Threat Response Unit, Abnormal Security's May 2026 advisory, and Push Security's April 2026 device-code phishing report. Update SIEM detection logic to flag token-polling traffic from AS45102 (Alibaba Cloud) using the new user-agent strings. This is core incident response hygiene whenever a major phishing-as-a-service operator rebuilds after a takedown: the old signatures are the ones the attacker specifically engineered around. Cybersecurity best practices for threat intelligence management require treating post-takedown rebuilds as a new threat profile.
Standard phishing security awareness programs focus on identifying fake login pages and suspicious sender domains. Device-code phishing defeats that mental model entirely — the victim authenticates on the real Microsoft sign-in page, satisfies any MFA challenge legitimately, and generates no obviously suspicious activity. Security awareness updates for this threat should cover three concrete points: first, no internal IT process should ever require an employee to visit aka.ms/devicelogin and enter a code unless the employee personally initiated a device pairing; second, Trustifi click-tracking URLs in email messages do not guarantee legitimate sender intent and should be treated with the same scrutiny as any other redirecting link; third, any unexpected device-code prompt — regardless of how official it appears — should be treated as a potential compromise attempt and reported to the security team immediately without completing the code entry. Consider running a simulated device-code phishing exercise to establish a behavioral baseline before the next wave of campaigns reaches your users. Data protection in this environment starts with accurate threat mental models, not password hygiene alone.
Frequently Asked Questions
How does device-code phishing bypass Microsoft 365 multi-factor authentication?
Device-code phishing abuses the OAuth 2.0 device authorization grant protocol (RFC 8628) rather than stealing credentials. The attacker generates a legitimate device-code request using Microsoft's own infrastructure and presents the code to the victim, who is directed to authenticate at the real Microsoft sign-in portal — including completing whatever MFA challenge is active on the account. Once the victim approves, the attacker's polling server receives a valid access token covering Exchange Online, Microsoft Graph, and OneDrive for Business. Because MFA was satisfied on genuine Microsoft infrastructure, it was not bypassed in a technical sense — it was completed legitimately on the attacker's behalf. The attacker never sees a password or intercepts an MFA code; they simply receive the token that the completed authentication produced. This is why blocking device-code flow via Conditional Access, rather than strengthening MFA alone, is the correct mitigation for this specific attack pattern.
How can my organization protect Microsoft 365 accounts from Tycoon2FA phishing campaigns?
The highest-priority action is enabling Microsoft's managed Conditional Access policy blocking device-code flow in Entra ID, announced in February 2025. Beyond that, phishing-resistant MFA methods — FIDO2 hardware security keys or Windows Hello for Business — offer significantly stronger resistance to adversary-in-the-middle attacks than SMS codes or authenticator-app push approvals, because they are cryptographically bound to the legitimate domain and cannot be relayed. As part of broader cybersecurity best practices, organizations should also restrict OAuth application consent so that users cannot independently grant third-party applications access to Microsoft 365 data without administrator approval. This limits the blast radius of social-engineering attacks that attempt to abuse the consent grant flow rather than the device-code flow specifically. Finally, ensure that security awareness training covers the specific mechanics of device-code phishing, not just traditional credential-harvesting phishing, since the user experience is fundamentally different.
How can security teams detect a compromised Microsoft 365 account after a device-code phishing attack?
This is where the attack is most challenging. Entra ID sign-in logs will record a successful authentication attributed to Microsoft Authentication Broker (AppId: 29d9ed98-a469-4536-ade2-f981bc1d605e) — a recognized Microsoft first-party application — making the event appear routine without additional context. Incident response investigation should focus on three specific signals: authentication events where the protocol was device-code flow and the originating IP does not match the user's known device or location profile; token-refresh or API activity from AS45102 (Alibaba Cloud) IP ranges using Node.js 'node' or 'undici' user-agent strings (Tycoon2FA's current infrastructure fingerprint, active since approximately April 10, 2026); and unusual downstream activity against Exchange Online or OneDrive occurring shortly after a device-code authentication event. Behavioral AI detection platforms are better positioned to surface these post-compromise activity patterns than rule-based SIEMs, because the anomaly lies in session behavior rather than the authentication event itself.
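The three investigation signals above, turned into a small triage routine as an added example (not code from the article or from any of the vendors it cites). The record layout loosely follows Microsoft Graph signIn objects, the sample sign-ins, baselines and workload events are constructed, and the 30-minute "shortly after" window is an assumption.

```python
from datetime import datetime, timedelta

# Indicators quoted in the article.
AUTH_BROKER_APPID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
POLLER_ASN = 45102                          # AS45102 (Alibaba Cloud)
POLLER_USER_AGENTS = ("node", "undici")     # current Node.js fingerprint
DOWNSTREAM_WINDOW = timedelta(minutes=30)   # assumption for "shortly after"

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage_signins(signins, baselines, activity):
    """Return {signin_id: [reasons]}; baselines maps UPN -> set of usual ASNs."""
    findings = {}
    for s in signins:
        reasons, upn, asn = [], s["userPrincipalName"], s["autonomousSystemNumber"]
        device_code = s["authenticationProtocol"] == "deviceCode"
        # Signal 1: device-code auth from outside the user's known network profile
        if device_code and asn not in baselines.get(upn, set()):
            reasons.append("device-code sign-in from an ASN outside the user's profile")
        # Signal 2: polling-infrastructure fingerprint (ASN plus Node.js user agent)
        if asn == POLLER_ASN and s.get("userAgent", "").lower().startswith(POLLER_USER_AGENTS):
            reasons.append("AS45102 origin with node/undici user agent")
        # Token issued under the Authentication Broker identity via device code
        if device_code and s["appId"] == AUTH_BROKER_APPID:
            reasons.append("Authentication Broker token obtained via device-code flow")
        # Signal 3: Exchange/OneDrive activity shortly after the device-code auth
        if device_code:
            t0 = _ts(s["createdDateTime"])
            for a in activity:
                if (a["upn"] == upn and a["workload"] in ("Exchange", "OneDrive")
                        and t0 <= _ts(a["time"]) <= t0 + DOWNSTREAM_WINDOW):
                    reasons.append(f"{a['workload']} {a['operation']} within 30 min of device-code auth")
                    break
        if reasons:
            findings[s["id"]] = reasons
    return findings

# Constructed sample data: one compromised user, one ordinary OAuth sign-in, and
# one legitimate shared-display device-code sign-in that must not be flagged.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.test", "createdDateTime": "2026-04-12T09:14:03Z",
     "appId": AUTH_BROKER_APPID, "authenticationProtocol": "deviceCode",
     "autonomousSystemNumber": 45102, "userAgent": "undici"},
    {"id": "s2", "userPrincipalName": "bob@example.test", "createdDateTime": "2026-04-12T10:02:41Z",
     "appId": "00000000-0000-0000-0000-000000000001", "authenticationProtocol": "oAuth2",
     "autonomousSystemNumber": 64496, "userAgent": "Mozilla/5.0 (Windows NT 10.0)"},
    {"id": "s3", "userPrincipalName": "lobby-display@example.test", "createdDateTime": "2026-04-12T11:00:00Z",
     "appId": "00000000-0000-0000-0000-000000000002", "authenticationProtocol": "deviceCode",
     "autonomousSystemNumber": 64496, "userAgent": "Mozilla/5.0 (Windows NT 10.0)"},
]
BASELINES = {u: {64496} for u in ("alice@example.test", "bob@example.test", "lobby-display@example.test")}
SAMPLE_ACTIVITY = [{"upn": "alice@example.test", "workload": "Exchange",
                    "operation": "MailItemsAccessed", "time": "2026-04-12T09:21:30Z"}]
```

Only s1 is flagged (all four reasons); the lobby display's device-code sign-in from its usual network stays quiet, which is the distinction a rule built on protocol alone cannot make.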
Why did the Europol Tycoon2FA domain seizure in March 2026 not permanently shut down the operation?
Domain seizures are an effective short-term disruption tool — Tycoon2FA activity dropped to approximately 25% of prior levels in the 48 hours after the March 4, 2026 action — but phishing-as-a-service platforms are built for operational resilience. The operators retained the codebase, the client relationships, and the revenue model. Rebuilding on fresh Russian-hosted infrastructure, replacing Cloudflare with BunnyCDN to eliminate the kill-switch that law enforcement used, and adding six layers of code obfuscation are straightforward engineering responses for a profitable criminal operation. Abnormal Security's May 2026 analysis confirmed the new deployment was live within 20 days. Sustained data protection against this class of threat requires technical controls — particularly blocking device-code flow via Conditional Access — that function regardless of what infrastructure the threat actor operates from. Domain seizures reduce blast radius and disrupt operations; they are not a substitute for architectural controls on the identity provider side.
How do I audit whether device-code flow authentication is currently active in my Microsoft 365 tenant?
In Microsoft Entra ID, navigate to the Sign-in Logs section and filter by authentication protocol, selecting device-code flow. This surfaces any historical authentications in your tenant that used this method and reveals whether any users or service principals have active device-code sessions. Microsoft's Conditional Access reporting can also be queried for device authorization grant events across the tenant. For a programmatic audit, the Microsoft Graph API allows querying signInLogs with filters on the authenticationProtocol field. Run this audit before enabling the blocking Conditional Access policy to identify any legitimate device-code use cases — certain shared-display environments or legacy integrations may rely on this flow — so that narrow service-principal exceptions can be scoped rather than blocking a dependency silently. As part of cybersecurity best practices and routine threat intelligence review, this audit should be repeated quarterly once the policy is in place to ensure no new device-code dependencies have been introduced through shadow IT or vendor onboarding.
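The programmatic audit described above as an added example (not code from the article or from Microsoft): it builds the Graph filter on authenticationProtocol, walks the paged result, and tallies device-code sign-ins per application and per user so legitimate dependencies can be scoped before the blocking policy goes live. The v1.0 auditLogs/signIns endpoint, the $select list and the two-page response are assumptions/constructed; a real run swaps fake_fetch for an authenticated HTTP call.

```python
from collections import Counter
from urllib.parse import quote

# Assumption: Graph v1.0 sign-in log endpoint. The authenticationProtocol filter
# and its 'deviceCode' value are what the article says the audit should use.
GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
SELECT = "userPrincipalName,appId,appDisplayName,ipAddress,createdDateTime"

def device_code_audit_url(since_iso):
    """Build the first-page URL: device-code sign-ins since a given timestamp."""
    flt = f"authenticationProtocol eq 'deviceCode' and createdDateTime ge {since_iso}"
    return f"{GRAPH_SIGNINS}?$filter={quote(flt, safe='/:')}&$select={SELECT}&$top=100"

def summarize_device_code_signins(first_url, fetch_page):
    """Follow @odata.nextLink pages; return (count per app, count per user)."""
    by_app, by_user, url = Counter(), Counter(), first_url
    while url:
        page = fetch_page(url)            # fetch_page: URL -> parsed JSON dict
        for rec in page.get("value", []):
            by_app[rec.get("appDisplayName") or rec["appId"]] += 1
            by_user[rec["userPrincipalName"]] += 1
        url = page.get("@odata.nextLink")
    return by_app, by_user

# Constructed two-page response standing in for a live Graph call (runs offline).
FAKE_PAGES = {
    "page1": {"value": [
        {"userPrincipalName": "lobby-display@example.test", "appId": "00000000-0000-0000-0000-000000000002",
         "appDisplayName": "Lobby Signage (constructed)", "createdDateTime": "2026-04-01T08:00:00Z"},
        {"userPrincipalName": "alice@example.test", "appId": "29d9ed98-a469-4536-ade2-f981bc1d605e",
         "appDisplayName": "Microsoft Authentication Broker", "createdDateTime": "2026-04-12T09:14:03Z"}],
        "@odata.nextLink": "page2"},
    "page2": {"value": [
        {"userPrincipalName": "lobby-display@example.test", "appId": "00000000-0000-0000-0000-000000000002",
         "appDisplayName": "Lobby Signage (constructed)", "createdDateTime": "2026-04-08T08:00:00Z"}]},
}

def fake_fetch(url):
    return FAKE_PAGES[url]

def run_audit(fetch_page=fake_fetch, first_url="page1"):
    """Live use: fetch_page=lambda u: requests.get(u, headers=auth_headers).json()
    and first_url=device_code_audit_url('2026-01-01T00:00:00Z')."""
    by_app, by_user = summarize_device_code_signins(first_url, fetch_page)
    return {"apps": dict(by_app), "users": dict(by_user)}
```

Recurring sign-ins from one signage account and one registered app are the pattern of a legitimate dependency worth an exception; a single Authentication Broker device-code sign-in by an ordinary user is the pattern to hand to incident response.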
Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.