Tycoon2FA Phishing Kit Hijacks Microsoft 365 Accounts via OAuth Device‑Code Flow
What Happened — The Tycoon2FA phishing kit has been upgraded to abuse Microsoft’s OAuth 2.0 device‑authorization grant (the “device code” flow). The kit first requests a device code from Microsoft on the attacker’s behalf, then sends the victim a Trustifi‑tracked invoice‑style lure. The link runs through a multi‑layered JavaScript chain to a fake Microsoft CAPTCHA page that presents the user code and directs the victim to Microsoft’s legitimate device‑login portal. Because the victim enters the code there and completes password and MFA on the real Microsoft site, Microsoft issues the access and refresh tokens to the client that requested the code, which is the attacker. The kit then registers a rogue device and gains broad access to the victim’s Microsoft 365 data (email, calendar, OneDrive, Teams, etc.).
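The exchange described above, as an added example (not code from the Tycoon2FA kit, from the report, or from Microsoft): an offline model of the device authorization grant in RFC 8628, with the identity‑provider side (device‑authorization endpoint, approval on the portal, token endpoint) and a polling client. The client_id, scope, user and verification URI are placeholders, and nothing here contacts Microsoft. The point it makes visible is that approval on the portal only matches the short user code, so the tokens go to whoever holds the matching device_code.

```python
"""Offline model of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not code from the Tycoon2FA kit or from Microsoft. It stands in
for the identity provider's device-authorization and token endpoints plus a
polling client, to show the gap a device-code lure exploits: tokens go to
whoever holds the device_code, and the portal the user approves on never
learns who requested it. No network access; the verification URI is a
placeholder, not Microsoft's.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class DeviceGrant:
    device_code: str            # secret, held by the requesting client only
    user_code: str              # short code the human types on the portal
    client_id: str
    scope: str
    expires_at: float
    interval: int
    last_poll: float = 0.0
    approved_by: Optional[str] = None   # set once a user approves on the portal


class DeviceCodeIssuer:
    """Minimal identity-provider side: authorize (device endpoint), approve (portal), token (poll)."""

    def __init__(self, code_lifetime: int = 900, interval: int = 5,
                 clock: Callable[[], float] = time.time):
        self.code_lifetime = code_lifetime
        self.interval = interval
        self.clock = clock
        self._by_device: Dict[str, DeviceGrant] = {}
        self._by_user_code: Dict[str, DeviceGrant] = {}

    def authorize(self, client_id: str, scope: str) -> dict:
        """Step 1: the client (in the attack, the phishing kit) requests a code pair."""
        grant = DeviceGrant(device_code=secrets.token_urlsafe(32),
                            user_code=secrets.token_hex(4).upper(),
                            client_id=client_id, scope=scope,
                            expires_at=self.clock() + self.code_lifetime,
                            interval=self.interval)
        self._by_device[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": "https://idp.example/devicelogin",  # placeholder
                "expires_in": self.code_lifetime, "interval": self.interval}

    def approve(self, user_code: str, user: str, mfa_passed: bool) -> bool:
        """Step 2: a user types the code on the legitimate portal and authenticates.
        Only the user_code is matched; nothing ties the approver to the requester."""
        grant = self._by_user_code.get(user_code)
        if grant is None or self.clock() > grant.expires_at or not mfa_passed:
            return False
        grant.approved_by = user
        return True

    def token(self, device_code: str, client_id: str) -> dict:
        """Step 3: the client polls the token endpoint with its device_code.
        Error names follow RFC 8628 section 3.5 (slow_down handling simplified)."""
        grant = self._by_device.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > grant.expires_at:
            return {"error": "expired_token"}
        if now - grant.last_poll < grant.interval:
            grant.last_poll = now
            return {"error": "slow_down"}
        grant.last_poll = now
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": secrets.token_urlsafe(16),
                "token_type": "Bearer", "scope": grant.scope,
                "subject": grant.approved_by}


def run_lure_scenario() -> dict:
    """Walk the three steps with a controllable clock and return what the kit receives."""
    now = [1000.0]
    issuer = DeviceCodeIssuer(clock=lambda: now[0])
    codes = issuer.authorize(client_id="kit-client", scope="Mail.Read Files.Read")  # before the lure is sent
    pending = issuer.token(codes["device_code"], "kit-client")      # victim has not acted yet
    assert pending == {"error": "authorization_pending"}
    # the lure shows codes["user_code"]; the victim enters it on the real portal and passes MFA
    assert issuer.approve(codes["user_code"], user="victim@contoso.example", mfa_passed=True)
    now[0] += issuer.interval
    return issuer.token(codes["device_code"], "kit-client")        # tokens for the victim's account


if __name__ == "__main__":
    print(run_lure_scenario())
```

Note that `approve` checks the user code, the expiry and the user’s own MFA, and nothing else: the flow has no step at which the portal could tell the victim who will receive the tokens. That is why the control that matters is policy on the tenant (blocking the flow or scoping it to users who need it) rather than anything the user could spot on the sign‑in page.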
Why It Matters for TPRM —
- The victim completes password and MFA on Microsoft’s own portal, so the attacker receives tokens without ever handling a credential; password‑based MFA is satisfied rather than defeated, and the resulting tokens reach every downstream SaaS service that trusts the Microsoft 365 identity.
- The kit’s rapid rebuild after a law‑enforcement takedown shows high resilience and a growing “phishing‑as‑a‑service” ecosystem.
- Compromise of a single Microsoft 365 tenant can cascade to partner ecosystems, supply‑chain vendors, and shared collaboration tools.
Who Is Affected — Enterprises that rely on Microsoft 365 for email, collaboration, and file storage across all verticals (finance, healthcare, education, government, etc.).
Recommended Actions —
- Block the device‑code authentication flow with a Microsoft Entra Conditional Access policy (Conditions > Authentication flows) unless a documented use case such as headless CLI or shared‑device sign‑in requires it; scope any exception to named users or groups rather than the whole tenant.
- Protect device registration: require MFA for the “Register or join devices” user action in Conditional Access, restrict who may register or join devices in the Entra device settings, and require compliant or hybrid‑joined devices for access to sensitive applications.
- Deploy anti‑phishing training that covers “device‑code” lures: an email asking you to type a code into a legitimate Microsoft page is itself the warning sign, because a code entered on the real portal signs in whoever requested it; verify URLs before clicking.
- Monitor Microsoft Entra (formerly Azure AD) sign‑in logs for sign‑ins whose authentication protocol is Device Code, particularly from unfamiliar IP ranges, applications or countries, and the audit logs for new device registrations that follow them.
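One way to do the monitoring step, as an added example rather than anything from the report or from Microsoft: triage a sign‑in export for completed device‑code sign‑ins that fall outside what the tenant expects. The records are constructed, the field names follow the Microsoft Graph `signIn` resource as the author understands it (`authenticationProtocol`, `ipAddress`, `appDisplayName`, `status.errorCode`, `location.countryOrRegion`), and the allowlisted application and corporate network range are hypothetical tenant settings to be replaced with your own.

```python
"""Added detection example: triage device-code sign-ins from a Microsoft Entra
sign-in export. Not code from Microsoft or the report; the records below are
constructed, and field names follow the Microsoft Graph `signIn` resource as
the author understands it (authenticationProtocol, ipAddress, appDisplayName,
status.errorCode, location.countryOrRegion). The allowlists are hypothetical
tenant settings."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample export. Any protocol other than "deviceCode" is treated as an
# ordinary sign-in and only contributes to the per-user location baseline.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-06-02T08:01:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-06-02T09:15:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-06-02T08:30:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-06-02T10:42:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    # constructed failed attempt: any non-zero errorCode is treated as "did not complete"
    {"createdDateTime": "2025-06-02T10:50:00Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.8", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 70016}},
])

# Hypothetical tenant knowledge: apps expected to use device code, and corporate egress ranges.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3, placeholder


def load_sample() -> list:
    return json.loads(SAMPLE_SIGNINS)


def _from_corp_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def find_device_code_sign_ins(records: list) -> list:
    """Return successful device-code sign-ins with the reasons they look out of place.

    Baseline: countries each user signed in from via any non-device-code flow.
    A device-code sign-in is reported when any of these hold: the app is not one
    that uses device code in this tenant, the source IP is outside corporate
    ranges, or the country is new for that user."""
    baseline = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == 0 and r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" or r["status"]["errorCode"] != 0:
            continue  # failed or pending attempts are not completed sign-ins
        user, app, ip = r["userPrincipalName"], r["appDisplayName"], r["ipAddress"]
        country = r["location"]["countryOrRegion"]
        reasons = []
        if app not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append(f"app not expected to use device code: {app}")
        if not _from_corp_network(ip):
            reasons.append(f"source IP outside corporate ranges: {ip}")
        if country not in baseline[user]:
            reasons.append(f"country {country} not seen in user's other sign-ins")
        if reasons:
            findings.append({"time": r["createdDateTime"], "user": user, "app": app,
                             "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_device_code_sign_ins(load_sample()):
        print(f["time"], f["user"], f["app"], f["ip"], "|", "; ".join(f["reasons"]))
```

On the constructed sample only Bob’s sign‑in is reported, with all three reasons; Alice’s device‑code sign‑in from the Azure CLI on the corporate range is the kind of legitimate use an exception policy would cover, and Carol’s failed attempt is skipped because only completed sign‑ins hand out tokens. A finding like Bob’s should be followed by a check of the device‑registration audit events for the same user in the minutes after the sign‑in.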
Technical Notes — Attack chain: phishing email → Trustifi click‑tracking URL → Cloudflare Workers → obfuscated JavaScript → fake Microsoft CAPTCHA page displaying the attacker‑requested device code → victim approval on Microsoft’s device‑login portal → tokens delivered to the attacker’s polling client. No known CVE; the threat abuses a legitimate, by‑design Microsoft authentication flow, so there is nothing to patch and the mitigations are tenant policy and monitoring. Data types at risk: email, calendar entries, Teams chats, SharePoint/OneDrive files. Source: BleepingComputer