Ethical Hacking News
In a recent resurgence, the notorious phishing kit Tycoon2FA has been observed again, exploiting Microsoft 365 accounts via device-code phishing attacks. With its ability to adapt and evolve in response to disruption attempts, this malicious operation is once again wreaking havoc on unsuspecting victims. Stay informed about this developing threat and take steps to protect yourself against this type of attack.
Tycoon2FA, a notorious phishing kit, has regained its footing after being previously disrupted by law enforcement. The kit uses device-code phishing attacks to hijack Microsoft 365 accounts. It incorporates Trustifi click-tracking URLs into emails to redirect victims through obfuscation layers before presenting a device authorization code that, once entered on a legitimate Microsoft login page, grants the attackers unauthorized access to the account. The attackers have adapted and evolved in response to disruption attempts, with new obfuscation layers and protection against researchers and automated scanning. The kit's blocklist contains over 230 vendor names and is regularly updated to evade security vendors and other threats. Individuals and organizations should disable the OAuth device code flow where it is not needed, restrict consent permissions, and enforce compliant device access policies to protect themselves.
In the ever-evolving landscape of cybersecurity threats, a particular phishing kit has managed to regain its footing despite being previously disrupted by law enforcement. Tycoon2FA, a notorious phishing kit known for hijacking Microsoft 365 accounts via device-code phishing attacks, has been observed once again wreaking havoc on unsuspecting victims.
According to recent research from managed detection and response company eSentire, Tycoon2FA has successfully incorporated device code phishing into its arsenal of malicious tactics. This type of attack involves the use of a Trustifi click-tracking URL in an email lure, which redirects the victim through various layers of obfuscation before landing them on a fake Microsoft CAPTCHA page. The attackers then instruct the victim to copy and paste the generated device authorization code onto a legitimate Microsoft login page. Because that code belongs to a sign-in request the attackers themselves initiated, entering it approves their session, effectively granting them unauthorized access to the victim's account.
This recent resurgence of Tycoon2FA has been attributed to its ability to adapt and evolve in response to disruption attempts. Despite being brought down by international law enforcement operations in March, the malicious operation was rebuilt on new infrastructure and quickly returned to regular activity levels. The kit's developers have also implemented extensive protection against researchers and automated scanning, including detection of tools such as Selenium, Puppeteer, Playwright, Burp Suite, and cloud providers.
Furthermore, eSentire has noted that Tycoon2FA has added new obfuscation layers to strengthen its resilience against future disruption attempts. The kit's blocklist currently contains over 230 vendor names and is regularly updated to stay ahead of security vendors and other potential threats. This indicates a concerted effort on the part of the attackers to maintain their operational security and evade detection.
As the threat landscape continues to evolve, it is essential for individuals and organizations to remain vigilant against this type of attack. eSentire recommends disabling the OAuth device code flow when not needed, restricting OAuth consent permissions, requiring admin approval for third-party apps, enabling Continuous Access Evaluation (CAE), and enforcing compliant device access policies.
In addition, monitoring Entra sign-in logs for deviceCode authentication, Microsoft Authentication Broker usage, and Node.js user agents can help identify abuse of the device code flow before it leads to a full account takeover. By taking proactive steps to protect themselves against this type of attack, individuals can reduce their risk of falling victim to Tycoon2FA's device code phishing tactics.
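The monitoring advice above can be turned into a simple triage rule. The following is an added example, not code from the article or from eSentire or Microsoft: it runs over a handful of constructed Entra ID sign-in records (not real telemetry) whose field names follow the Microsoft Graph signIn resource (authenticationProtocol, appDisplayName, userAgent, userPrincipalName), flags the three indicators the article names, and raises the severity only when more than one indicator stacks on the same sign-in, because device-code authentication alone is common for legitimate CLI tools. The Node.js user-agent markers are an assumption to be tuned against your own baseline.

```python
import json
from typing import Dict, List

# Constructed sample sign-in records (not real telemetry). Field names follow the
# Microsoft Graph signIn resource; users, apps and user agents are invented.
SAMPLE_SIGNINS_JSON = """
[
  {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online",
   "authenticationProtocol": "oAuth2", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0"},
  {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Authentication Broker",
   "authenticationProtocol": "deviceCode", "userAgent": "node.js/20.11.0"},
  {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Azure CLI",
   "authenticationProtocol": "deviceCode", "userAgent": "python-requests/2.31.0"},
  {"userPrincipalName": "dave@example.com", "appDisplayName": "Office 365 SharePoint Online",
   "authenticationProtocol": "oAuth2", "userAgent": "node-fetch/1.0"}
]
"""

# User-agent fragments that usually point at a Node.js based client rather than a
# browser. These markers are an assumption; tune them against your own baseline.
NODE_UA_MARKERS = ("node.js", "node-fetch", "undici")


def indicators(record: Dict) -> List[str]:
    """Return the indicators named in the article that are present in one sign-in record."""
    found = []
    if record.get("authenticationProtocol") == "deviceCode":
        found.append("deviceCode authentication")
    if record.get("appDisplayName") == "Microsoft Authentication Broker":
        found.append("Microsoft Authentication Broker usage")
    ua = (record.get("userAgent") or "").lower()
    if ua.startswith("node") or any(marker in ua for marker in NODE_UA_MARKERS):
        found.append("Node.js user agent")
    return found


def severity(found: List[str]) -> str:
    """One indicator alone is routine (e.g. Azure CLI device-code sign-ins); stacked ones are not."""
    if len(found) >= 2:
        return "high"
    if found:
        return "low"
    return "none"


def triage(records: List[Dict]) -> List[Dict]:
    """Return flagged sign-ins for analyst review, highest severity first, then by user."""
    results = []
    for rec in records:
        found = indicators(rec)
        if found:
            results.append({
                "user": rec.get("userPrincipalName"),
                "app": rec.get("appDisplayName"),
                "severity": severity(found),
                "indicators": found,
            })
    # False sorts before True, so "high" entries come first.
    results.sort(key=lambda r: (r["severity"] != "high", r["user"]))
    return results


def run_sample() -> List[Dict]:
    """Triage the constructed sample set; used by the command-line entry point below."""
    return triage(json.loads(SAMPLE_SIGNINS_JSON))


if __name__ == "__main__":
    for hit in run_sample():
        print(f"[{hit['severity'].upper()}] {hit['user']} via {hit['app']}: "
              + ", ".join(hit["indicators"]))
```

In the sample set only the sign-in that combines device-code authentication, the Microsoft Authentication Broker app and a Node.js user agent is rated high; the Azure CLI device-code sign-in and the lone Node.js user agent are reported at low severity so that an analyst can still review them without generating a page for every legitimate CLI login.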
Related Information:
https://www.ethicalhackingnews.com/articles/Tycoon2FA-The-Resurgence-of-a-Malicious-Phishing-Kit-ehn.shtml
https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/
https://cybersecuritynews.com/tycoon-2fa-operators-adopt-oauth-device-code/
https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html
https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/
Published: Sun May 17 10:37:29 2026 by llama3.2 3B Q4_K_M