By combining its well-known phishing infrastructure with OAuth Device Code abuse, the Tycoon 2FA operation can now steal access to Microsoft 365 accounts without ever capturing a single password.
The Tycoon 2FA phishing kit first gained attention as a Phishing-as-a-Service (PhaaS) platform. It was designed to help attackers bypass multi-factor authentication by relaying the victim's credentials and MFA response through an adversary-in-the-middle (AiTM) proxy, leaving the attacker with a valid session.
Over the past year, the operators have continued evolving their methods and refining their delivery chains to stay ahead of detection tools and vendor blocklists. Even after a major disruption in March 2026, the group refused to slow down.
Analysts at eSentire said in a report shared with Cyber Security News (CSN) that the campaign was identified in late April 2026 by their Threat Response Unit (TRU).
The eSentire team found that Tycoon 2FA operators had kept their core kit nearly intact following the March 2026 coalition takedown led by Microsoft and Europol, only this time they layered in an OAuth device code flow to harvest tokens instead of credentials.
The attack starts with a convincing lure email that contains a click-tracking link from Trustifi, a legitimate enterprise email security platform.
Trustifi itself was not compromised. Threat actors are simply exploiting the platform’s clean reputation to slip past email gateways and route victims through a chain of malicious redirects without raising early alarms.
Once clicked, the link moves through multiple layers before reaching the final payload. The delivery chain uses encrypted payloads, anti-analysis checks, a fake Microsoft CAPTCHA page, and a vendor blocklist covering over 230 organizations. This is designed to ensure only real victims reach the last stage of the attack.
OAuth Device Code Phishing
At the heart of this campaign is a clever abuse of the OAuth 2.0 Device Authorization Grant, a legitimate protocol built for devices like smart TVs that cannot easily handle traditional login flows.
In the normal flow, the device asks the authorization server for a short user code, and the user enters that code at a trusted verification page to grant the device access. Tycoon 2FA operators have now weaponized this process entirely.
In this attack, victims are shown a Microsoft 365 voicemail notification lure. They are instructed to copy a user code and visit the real Microsoft device login page at microsoft.com/devicelogin.
Since the victim is interacting with genuine Microsoft infrastructure, MFA is triggered and completed normally.
What the victim does not realize is that by approving the prompt, they are granting access tokens to an attacker-controlled device running in the background. The phish does not bypass MFA but changes what MFA is authorizing.
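The exchange described above, as an added example that is not code from the eSentire report or from the kit: a toy authorization server implements the Device Authorization Grant (RFC 8628), the attacker's backend requests a user code and polls the token endpoint, and the victim approves that code at the genuine verification page after passing MFA. The endpoint names, token strings and scopes are stand-ins, not Microsoft's; the point is that the tokens are handed to whichever client requested the code, never to the victim's browser.

```python
"""Simulated OAuth 2.0 Device Authorization Grant showing why the lure works.
Added example: toy server and values, not Microsoft's endpoints or the kit's code."""
import secrets
import time


class ToyAuthorizationServer:
    def __init__(self):
        self.pending = {}  # device_code -> request record

    def device_authorization(self, client_id, scope):
        """The client (here, the attacker's backend) asks for a device/user code pair."""
        device_code = secrets.token_hex(16)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved": False, "expires": time.time() + 900,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://example.test/devicelogin",
                "interval": 5, "expires_in": 900}

    def user_approves(self, user_code, mfa_passed):
        """The victim types the user code at the real verification page and completes MFA.
        MFA is genuinely enforced; it simply authorizes the client that requested the code."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code:
                if not mfa_passed:
                    return False
                rec["approved"] = True
                return True
        return False

    def token(self, device_code, client_id):
        """The client polls the token endpoint with its device_code."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > rec["expires"]:
            return {"error": "expired_token"}
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "scope": rec["scope"], "token_type": "Bearer"}


def run_phish(server, attacker_client_id, victim_completes_mfa=True):
    """Walk through one lure: attacker requests a code, victim approves it, attacker collects tokens."""
    # Attacker side: request a code on a backend box and embed user_code in the voicemail lure.
    resp = server.device_authorization(attacker_client_id, "openid offline_access Mail.Read")
    # Attacker polls before the victim acts: the server answers authorization_pending.
    first_poll = server.token(resp["device_code"], attacker_client_id)
    # Victim side: enters the code on the genuine page and passes (or fails) MFA.
    approved = server.user_approves(resp["user_code"], mfa_passed=victim_completes_mfa)
    # Attacker polls again: if approved, the access and refresh tokens land on the attacker's box.
    second_poll = server.token(resp["device_code"], attacker_client_id)
    return {"user_code": resp["user_code"], "first_poll": first_poll,
            "approved": approved, "second_poll": second_poll}


if __name__ == "__main__":
    result = run_phish(ToyAuthorizationServer(), "attacker-backend")
    print("victim entered", result["user_code"], "-> attacker received", result["second_poll"])
```

Nothing in the victim's browser ever holds a token; the refresh token in `second_poll` is what lets the operator keep polling and reusing access long after the lure page is gone.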
A Kit That Survived Takedown Intact
One of the most striking findings in the eSentire report is how little the kit has changed despite major law enforcement disruption.
The same AES encryption key, the same anti-debug timing trap, the same Check Domain grammar, and the same backend route patterns from 2025 are still present in this 2026 campaign.
This level of continuity shows the operators backed up their codebase and resumed operations without skipping a beat.
Post-compromise analysis of Entra sign-in logs revealed that operator activity came from Node.js automation tools using the user-agent strings “node” and “undici.”
These are strong indicators of a backend polling client and highly unusual in any normal production environment.
Defenders should treat these user-agents appearing against the Microsoft Authentication Broker AppId as an immediate red flag.
Operator infrastructure has also shifted toward Alibaba Cloud, specifically AS45102, as part of a broader hosting rotation after previous providers faced takedown pressure.
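A hunt over Entra ID sign-in events for the operator signature described above, as an added example that is not the eSentire KQL: it flags the bare Node.js user-agents against the Microsoft Authentication Broker AppId and matches the Alibaba Cloud operator IPs from the IoC table, and it includes a helper that decodes the timestamp embedded in the lure URL's MongoDB ObjectId. The field names follow the JSON shape of an Entra sign-in log export (`userAgent`, `appId`, `ipAddress`, `userPrincipalName`, `createdDateTime`) and the sample events are constructed, not real telemetry.

```python
"""Hunt for Tycoon 2FA device-code operator activity in Entra sign-in events.
Added example with constructed sample data; field names assume an Entra sign-in JSON export."""
from datetime import datetime, timezone

AUTH_BROKER_APPID = "29d9ed98-a469-4536-ade2-f981bc1d605e"   # Microsoft Authentication Broker
SUSPICIOUS_UAS = {"node", "undici"}                          # bare Node.js client user-agents
OPERATOR_IPS = {"47.90.180.205", "47.252.11.99"}             # AS45102 IPs from the IoC table

# Constructed sample events (not real data), shaped like an Entra sign-in log export.
SAMPLE_EVENTS = [
    {"createdDateTime": "2026-04-29T15:01:12Z", "userPrincipalName": "a.lee@example.test",
     "appId": AUTH_BROKER_APPID, "userAgent": "node", "ipAddress": "47.90.180.205"},
    {"createdDateTime": "2026-04-29T15:00:40Z", "userPrincipalName": "a.lee@example.test",
     "appId": AUTH_BROKER_APPID, "ipAddress": "203.0.113.7",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"createdDateTime": "2026-05-02T09:13:55Z", "userPrincipalName": "a.lee@example.test",
     "appId": AUTH_BROKER_APPID, "userAgent": "undici", "ipAddress": "47.252.11.99"},
    {"createdDateTime": "2026-05-02T09:20:00Z", "userPrincipalName": "b.ng@example.test",
     "appId": "00000003-0000-0000-c000-000000000000", "userAgent": "undici",
     "ipAddress": "198.51.100.9"},
]


def classify(event):
    """Return the reasons an event is suspicious; an empty list means no match."""
    reasons = []
    ua = (event.get("userAgent") or "").strip().lower()
    if ua in SUSPICIOUS_UAS and event.get("appId") == AUTH_BROKER_APPID:
        reasons.append(f"node.js user-agent '{ua}' against Authentication Broker")
    if event.get("ipAddress") in OPERATOR_IPS:
        reasons.append(f"known operator ip {event['ipAddress']}")
    return reasons


def hunt(events):
    """Return one hit per matching event, in input order, with the reasons attached."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append({"when": ev["createdDateTime"], "user": ev["userPrincipalName"],
                         "ip": ev.get("ipAddress"), "app": ev.get("appId"), "reasons": reasons})
    return hits


def objectid_timestamp(oid):
    """The first 4 bytes of a MongoDB ObjectId are a big-endian Unix timestamp.
    Use it to verify the lure creation time reported for the Trustifi click-tracking URL."""
    return datetime.fromtimestamp(int(oid[:8], 16), tz=timezone.utc)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["when"], hit["user"], hit["ip"], "; ".join(hit["reasons"]))
    print("lure ObjectId created", objectid_timestamp("69f218d9bd8f28639a2460c7").isoformat())
```

The fourth sample event (an `undici` user-agent against the Microsoft Graph AppId) is deliberately not flagged: the rule is scoped to the Authentication Broker AppId as the report states, so tenants with legitimate Node.js Graph automation are not buried in noise. Widen it only after baselining your own environment.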
eSentire’s Threat Response Unit recommends that organizations implement Microsoft Entra Conditional Access policies to block OAuth Device Code flows for regular end-users.
Admins should also restrict user consent for OAuth apps and require admin approval for all third-party application access. Consent restrictions alone will not stop this particular flow, because the Microsoft Authentication Broker is a first-party Microsoft application that needs no user consent; the Conditional Access block on the device code flow is the control that actually closes the door.
Enabling Continuous Access Evaluation ensures token revocation propagates quickly to CAE-capable clients and resources after any confirmed incident. Teams should also run the KQL queries and URLscan patterns published by eSentire to hunt for related activity across their environments.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| URL | hxxps[://]events[.]trustifi[.]com/api/o/v1/click/69f218d9bd8f28639a2460c7/… | Trustifi click-tracking lure URL used for reputation laundering; decoded ObjectId timestamps to April 29, 2026 |
| URL | hxxps[://]cookies[.]28gholland[.]workers[.]dev/ | Cloudflare Workers throwaway subdomain; actual delivery point for the malicious payload |
| URL | hxxps[://]shivacrio[.]com/bytecore~tx1j8 | Tycoon 2FA “Check Domain” used to gate victims and filter security researchers in real time |
| URL | hxxps[://]fijothi[.]com/dhkjCVBfLnfbhFjpYPoDKNMmLIQjNkGLMQPMQUBJFWELKIYHJHWDIESXVUZHHJNFTNMW<random> | Operator C2 backend domain used for AES-CBC encrypted session communication |
| OAuth AppId | 29d9ed98-a469-4536-ade2-f981bc1d605e | Microsoft Authentication Broker AppId impersonated during the OAuth Device Code consent flow |
| OAuth AppId | 4765445b-32c6-49b0-83e6-1d93765276ca | OfficeHome AppId; primary AppId for the credential-relay kit variant (per TRU April 2026 reporting) |
| IP Address | 47.90.180.205 | Alibaba Cloud (AS45102) operator IP observed during the token-acquisition phase |
| IP Address | 47.252.11.99 | Alibaba Cloud (AS45102) operator IP observed during sustained refresh-token reuse phase |
| User-Agent | node | Node.js bare user-agent; operator polling client signature during initial token acquisition |
| User-Agent | undici | Node.js native HTTP client user-agent; operator backend signature during sustained refresh-token reuse |
| ASN | AS45102 | Alibaba (US) Technology Co., Ltd.; active operator-side ASN observed since approximately April 10, 2026 |
| Encryption Key | 1234567890123456 | Hardcoded AES-CBC key and IV used in CryptoJS encryption layer; consistent kit fingerprint across campaigns |
| MongoDB ObjectId | 69f218d9bd8f28639a2460c7 | Object ID embedded in lure URL path; decodes to April 29, 2026, 14:42:33 UTC |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Tycoon 2FA Operators Adopt OAuth Device Code Phishing to Bypass MFA appeared first on Cyber Security News.
