Tycoon2FA: device code phishing steals OAuth tokens and turns MFA into a permanent access door

Published · 4 min read

The resurgence and evolution of Tycoon2FA, a phishing kit specialized in bypassing authentication, confirms a dangerous trend: criminal operations not only survive law-enforcement actions, they reuse and refine techniques that exploit legitimate authentication flows. Recent research shows that its operators have added support for the so-called "device code" attack and that they abuse legitimate tracking links, such as those of Trust, to redirect victims to browser-based delivery chains that end by authorizing attacker-controlled devices in Microsoft 365 accounts.

The vector is simple in appearance but effective in practice: the victim receives an email with a tracking link that passes through legitimate services and several layers of obfuscated JavaScript; on reaching the fraudulent page, the victim is asked to copy a device code and paste it at microsoft.com/devicelogin, the genuine Microsoft device-login screen. When the victim completes the flow, Microsoft issues OAuth tokens that the attacker can use to read mail, calendar and cloud storage with no need to steal the password or defeat MFA themselves: the victim performs the sign-in and the MFA step on the real site, and the resulting token is delivered to the attacker's client. For an attacker this amounts to persistent access that is difficult to detect.
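To make the mechanics concrete, the following added Python simulation (not code from the article, from Tycoon2FA or from Microsoft) walks through the OAuth 2.0 device authorization grant of RFC 8628 with an in-memory identity provider: the attacker's client requests a code, the victim approves that code on the legitimate verification page, and the attacker's polling loop receives the token. The IdP URL, client identifier, scopes and user names are placeholders; the clock is faked so the polling interval, the slow_down back-off and the expiry window can be exercised offline.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) with an in-memory
identity provider, a polling "attacker" client and a victim who approves the code on the
legitimate verification page. Constructed example; not Tycoon2FA or Microsoft code."""
import secrets


class FakeClock:
    """Deterministic clock so the polling loop and expiry can be exercised offline."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DeviceAuthServer:
    """Stand-in for the IdP's device_authorization and token endpoints."""
    def __init__(self, expires_in=900, interval=5, clock=None):
        self.expires_in, self.interval = expires_in, interval
        self.clock = clock or FakeClock()
        self._grants = {}      # device_code -> grant record
        self._user_codes = {}  # user_code  -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: any public client may ask for a code; no user interaction yet."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self._grants[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "issued": self.clock(), "approved_by": None, "last_poll": None}
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # assumption: fictional IdP
                "expires_in": self.expires_in, "interval": self.interval}

    def _drop(self, device_code):
        rec = self._grants.pop(device_code)
        self._user_codes.pop(rec["user_code"], None)

    def user_approves(self, user_code, username):
        """Step 2: the victim signs in on the *real* verification page (password and MFA
        happen here, against the legitimate IdP) and enters the code the lure gave them."""
        device_code = self._user_codes.get(user_code.strip().upper())
        if device_code is None:
            return False
        rec = self._grants[device_code]
        if self.clock() - rec["issued"] > self.expires_in:
            self._drop(device_code)
            return False
        rec["approved_by"] = username
        return True

    def token(self, client_id, device_code):
        """Step 3: the client polls; RFC 8628 error codes until the user has approved."""
        rec = self._grants.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - rec["issued"] > self.expires_in:
            self._drop(device_code)
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        self._drop(device_code)  # the grant is single-use
        return {"access_token": "at-" + secrets.token_urlsafe(12), "token_type": "Bearer",
                "scope": rec["scope"], "subject": rec["approved_by"], "expires_in": 3600}


def run_attack(victim_delay, expires_in=900, max_polls=400):
    """Drive the whole exchange: the kit's backend requests a code, the lure page shows
    user_code, the victim approves after victim_delay seconds, the backend keeps polling.
    Returns the token endpoint's final response."""
    clock = FakeClock()
    idp = DeviceAuthServer(expires_in=expires_in, clock=clock)
    client_id = "public-client-impersonated-by-kit"  # assumption: any registered public client
    grant = idp.device_authorization(client_id, "Mail.Read Files.Read offline_access")
    interval, approved = grant["interval"], False
    for _ in range(max_polls):
        if not approved and clock() >= victim_delay:
            # The victim never talks to the attacker: only to the legitimate IdP.
            approved = idp.user_approves(grant["user_code"], "victim@example.com")
        resp = idp.token(client_id, grant["device_code"])
        if "access_token" in resp:
            return resp
        if resp.get("error") == "slow_down":
            interval += 5
        elif resp.get("error") != "authorization_pending":
            return resp
        clock.advance(interval)
    return {"error": "gave_up"}


if __name__ == "__main__":
    print(run_attack(victim_delay=60))    # bearer token for victim@example.com
    print(run_attack(victim_delay=1200))  # expired_token: the code's lifetime closed first
```

Running it shows both outcomes: when the victim approves within the code's lifetime, the token endpoint hands the poller a bearer token for victim@example.com even though the attacker never handled a password or an MFA prompt; when the victim waits past expires_in, the grant is dropped and the poller gets expired_token, which is why kits pressure the victim to act immediately and why the short lifetime of a device code bounds the attacker's window.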

Image generated with AI.

This method has grown sharply in recent months: security firms report an exponential increase in device-code phishing campaigns and a proliferation of PhaaS (Phishing-as-a-Service) kits and services that automate the campaign, lowering the technical barrier for less skilled actors. An analysis of the rise of this technique can be found in Proofpoint's report on the evolution of device-code phishing here, while the post-takedown rebuild and hardening of Tycoon2FA was documented by Abnormal Security in this report.

A notable feature of the kit is its ability to hide from researchers and automated tools: it detects analysis environments such as Selenium, Playwright or Burp Suite, blocks IP ranges associated with cloud providers and security vendors, and redirects all suspicious traffic to legitimate pages to frustrate investigation. This evasion capability raises the cost and complexity of detection, and explains why operators return to activity after law-enforcement disruption.

For security teams and identity administrators, the implications are clear: controls focused exclusively on protecting credentials are no longer sufficient. It is essential to review and tighten OAuth consent policies, restrict the device code flow where it is not needed (Conditional Access can block it outright through its authentication flows condition) and require administrative review of third-party applications. Microsoft also offers Continuous Access Evaluation (CAE) and Conditional Access policies that help mitigate this kind of abuse; their adoption should be accelerated in corporate environments.

Alongside configuration changes, there are concrete operational measures: monitor Microsoft Entra ID (formerly Azure AD) sign-in logs for authentications that used the device code protocol, track use of the "Microsoft Authentication Broker" client and unusual signals such as Node.js User-Agents, and audit registered devices and application consents. When suspicious activity is detected, revoke tokens and sessions, remove unrecognized devices and force re-consent of applications with least-privilege scopes.
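As an added illustration of that monitoring (constructed for this edit, not code from the article or from the vendors it cites), the Python below triages Entra sign-in records exported as JSON lines. It uses the field names of the Graph signIn resource (authenticationProtocol, appDisplayName, userAgent, ipAddress, status.errorCode); the sample records, the corporate ranges, the user-agent markers and the allowlist of apps expected to use device code are assumptions, and the broker is matched by display name rather than by application ID.

```python
"""Triage of Microsoft Entra sign-in records for device code flow abuse. Constructed example,
not code from the article or from any of the vendors it cites. Field names follow the Graph
signIn resource; the records, network ranges, UA markers and app allowlist are assumptions."""
import ipaddress
import json

# Constructed records (JSON lines, one per sign-in): two sign-ins for ana that look like a
# device-code phish, a legitimate Azure CLI device-code login from inside the corporate
# network, an ordinary interactive sign-in, and a failed device-code attempt.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2025-06-02T08:14:10Z","userPrincipalName":"ana@corp.example","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","ipAddress":"198.51.100.23","status":{"errorCode":0}}
{"createdDateTime":"2025-06-02T08:14:12Z","userPrincipalName":"ana@corp.example","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","userAgent":"axios/1.6.8","ipAddress":"203.0.113.9","status":{"errorCode":0}}
{"createdDateTime":"2025-06-02T09:01:44Z","userPrincipalName":"luis@corp.example","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","userAgent":"python-requests/2.31","ipAddress":"10.20.30.40","status":{"errorCode":0}}
{"createdDateTime":"2025-06-02T09:05:00Z","userPrincipalName":"eva@corp.example","appDisplayName":"Microsoft Office","authenticationProtocol":"none","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","ipAddress":"10.20.30.41","status":{"errorCode":0}}
{"createdDateTime":"2025-06-02T09:20:31Z","userPrincipalName":"eva@corp.example","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","userAgent":"node-fetch/1.0","ipAddress":"203.0.113.50","status":{"errorCode":50126}}
"""

# Tenant-specific assumptions; tune per environment.
CORPORATE_NETS = [ipaddress.ip_network(c) for c in ("10.20.0.0/16", "192.0.2.0/24")]
NON_BROWSER_UA_MARKERS = ("node", "axios", "python-requests", "curl/", "go-http-client")
BROKER_APP = "Microsoft Authentication Broker"
# Apps whose device-code use is expected here (CLIs legitimately have non-browser UAs).
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI", "Microsoft Azure PowerShell"}


def parse_signins(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _succeeded(rec):
    return rec.get("status", {}).get("errorCode", 0) == 0


def score_signin(rec):
    """Return (severity, reasons) for one record; severity 0 means nothing to flag."""
    if rec.get("authenticationProtocol") != "deviceCode" or not _succeeded(rec):
        return 0, []  # failed device-code attempts are worth counting, not paging on
    reasons, sev = ["device code flow used"], 1
    app = rec.get("appDisplayName")
    if app == BROKER_APP:
        reasons.append("client is Microsoft Authentication Broker")
        sev += 2
    ua = rec.get("userAgent", "").lower()
    if app not in EXPECTED_DEVICE_CODE_APPS and any(m in ua for m in NON_BROWSER_UA_MARKERS):
        reasons.append(f"non-browser user agent: {rec.get('userAgent')}")
        sev += 2
    ip = ipaddress.ip_address(rec["ipAddress"])
    if not any(ip in net for net in CORPORATE_NETS):
        reasons.append(f"token redeemed from outside corporate ranges ({ip})")
        sev += 1
    return sev, reasons


def alerts_from_log(text, min_severity=2):
    """Score every record and return the ones worth an analyst's time, highest first."""
    alerts = []
    for rec in parse_signins(text):
        sev, reasons = score_signin(rec)
        if sev >= min_severity:
            alerts.append({"time": rec["createdDateTime"], "user": rec["userPrincipalName"],
                           "app": rec.get("appDisplayName"), "ip": rec["ipAddress"],
                           "severity": sev, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["severity"])


def device_code_redemption_ips(text):
    """Per user, the distinct addresses that successfully redeemed a device code. A user
    whose codes are redeemed from several addresses within minutes is a containment signal."""
    seen = {}
    for rec in parse_signins(text):
        if rec.get("authenticationProtocol") == "deviceCode" and _succeeded(rec):
            seen.setdefault(rec["userPrincipalName"], set()).add(rec["ipAddress"])
    return {user: sorted(ips) for user, ips in seen.items()}


if __name__ == "__main__":
    for a in alerts_from_log(SAMPLE_SIGNIN_LOG):
        print(a["severity"], a["time"], a["user"], a["app"], a["ip"], "; ".join(a["reasons"]))
    print(device_code_redemption_ips(SAMPLE_SIGNIN_LOG))
```

On the sample, only ana's two sign-ins cross the threshold (broker client from an external address, then a second redemption seconds later from a different external address with an axios user agent), while luis's Azure CLI login stays below it because the app is on the allowlist and the address is internal. The allowlist is the part that needs the most care: a tenant that never uses CLI device-code logins can drop it and treat every non-browser redemption as suspicious, which is also the state Conditional Access leaves you in once the flow is blocked for everyone else.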

The reuse of legitimate services (e.g. the tracking links of email security platforms) as redirection vectors poses another challenge: the providers of such tools can end up being abused without their knowledge or through compromised customers. If your organization detects malicious use of a tracking or delivery provider, contact the provider immediately and share evidence; coordination between victims, providers and response teams speeds mitigation and the eventual removal of malicious content.


For end users, prevention comes down to education and caution: distrust unexpected emails that ask you to copy a code and paste it on another page, verify invoices or notices by contacting the sender through an independent channel, and prefer FIDO2 keys or MFA methods that do not rely on copying and pasting codes where possible. MFA remains crucial, but this kind of attack shows that not all second factors offer the same protection against malicious OAuth consent schemes. One caveat matters here: the device code flow does not bypass the second factor, it rides on it. The victim completes the sign-in, phishing-resistant method included, on the legitimate Microsoft page, and it is the device code they typed that authorizes the attacker's client. A stronger factor therefore limits credential theft but does not by itself stop this authorization; refusing to enter codes supplied by an email, together with tenant policy that restricts the flow, is what does.

Teams that need IOCs and technical references for detection and response can consult the resources published by the researchers: eSentire, which investigated the Tycoon2FA chain and its new evasion layers, published details and technical recommendations in its analysis available here, and lists of indicators published in public repositories ease integration into detection tooling and automated blocking. Adopting these signals, adjusting consent policies and strengthening identity telemetry are urgent steps to reduce the impact of these campaigns.

Ultimately, the lesson is that the fight against modern phishing requires a combination of technical improvement, identity governance and cross-sector cooperation: without stricter controls over OAuth and without a coordinated response between providers and organizations, kits such as Tycoon2FA will keep finding ways to recycle legitimate infrastructure for fraud.
