Tycoon2FA Expands to Device-Code Phishing Targeting Microsoft 365

TL;DR Summary
A new Tycoon2FA variant uses device-code phishing via a Trustifi click-tracking URL to hijack Microsoft 365 accounts by steering victims to the legitimate device-login flow at microsoft.com/devicelogin, granting attackers OAuth tokens and access to email, calendar, and files. After a takedown, the kit resurfaced with obfuscation and new delivery chains, prompting defenders to disable the device-code flow when not needed, restrict OAuth permissions, enable Continuous Access Evaluation, and monitor Entra logs for deviceCode activity and related IoCs.
Sources:
- Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing (BleepingComputer)
- Device Code Phishing is an Evolution in Identity Takeover (Proofpoint)
- Hackers Abuse OAuth Device Authorization Flow to Steal Microsoft 365 Tokens (CyberSecurityNews)
- Tycoon 2FA Adopts OAuth Device Code Attacks In MFA Bypass Campaign (cyberpress.org)
- Tycoon 2FA Returns With OAuth-Based Phishing to Bypass Microsoft 365 Security (Petri IT Knowledgebase)
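The summary's last recommendation is to monitor Entra logs for deviceCode activity. Below is an added example, not code from the article or any of the sources, that scans a constructed batch of sign-in records for device-code sign-ins and flags those arriving from an IP the user has never used for a normal sign-in, which is the pattern device-code phishing leaves behind (the victim approves in their browser, but the token is redeemed from the attacker's host). Field names are assumed to follow the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, userPrincipalName, location); the log lines themselves are made up.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in log records (not real data).
# Field names are assumed from the Graph signIn resource; "deviceCode" is assumed
# to be the authenticationProtocol value for device-code sign-ins.
SAMPLE_SIGNINS = """
{"userPrincipalName":"alice@example.test","authenticationProtocol":"none","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"createdDateTime":"2025-05-01T08:00:00Z"}
{"userPrincipalName":"alice@example.test","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"createdDateTime":"2025-05-01T08:12:00Z"}
{"userPrincipalName":"bob@example.test","authenticationProtocol":"none","ipAddress":"203.0.113.20","location":{"countryOrRegion":"US"},"createdDateTime":"2025-05-01T09:00:00Z"}
{"userPrincipalName":"bob@example.test","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.20","location":{"countryOrRegion":"US"},"createdDateTime":"2025-05-01T09:05:00Z"}
"""


def find_device_code_signins(raw_jsonl):
    """Return (all device-code sign-ins, device-code sign-ins from unfamiliar IPs).

    The second list is the higher-fidelity signal: a device-code sign-in whose
    source IP never appears in any of the same user's non-device-code sign-ins
    in the batch. A device-code sign-in from an IP the user already uses (bob)
    is still reported in the first list, since the flow may simply be disabled
    by policy, but it is not flagged as suspicious.
    """
    records = [json.loads(line) for line in raw_jsonl.strip().splitlines() if line.strip()]
    known_ips = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])
    all_dc = [r for r in records if r["authenticationProtocol"] == "deviceCode"]
    suspicious = [r for r in all_dc if r["ipAddress"] not in known_ips[r["userPrincipalName"]]]
    return all_dc, suspicious


if __name__ == "__main__":
    every, flagged = find_device_code_signins(SAMPLE_SIGNINS)
    print(f"{len(every)} device-code sign-ins, {len(flagged)} from unfamiliar IPs")
    for r in flagged:
        print(r["userPrincipalName"], r["ipAddress"],
              r["location"]["countryOrRegion"], r["createdDateTime"])
```

In a real deployment the "known IPs" baseline should come from a longer window of the user's history than one batch, and a tenant that has disabled the device-code flow should treat any such sign-in as an alert.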