Tycoon2FA Phishing Kit Targets Microsoft 365 via Device Code Flow
- Tycoon2FA now utilizes device code flows to hijack Microsoft 365 sessions and bypass multi-factor authentication protections.
- Organizations using Microsoft 365 with legacy or misconfigured MFA settings are most vulnerable to these credential theft campaigns.
- Administrators should disable the Device Code Flow if not required and implement conditional access policies to restrict sign-ins.
The Tycoon2FA phishing platform has undergone significant updates, incorporating the Microsoft Device Code Flow into its arsenal to facilitate account takeovers. According to BleepingComputer, the developers of this Phishing-as-a-Service (PhaaS) offering have transitioned from traditional Adversary-in-the-Middle (AiTM) techniques to more resilient methods for bypassing multi-factor authentication (MFA). This evolution reflects a shift in tactics, techniques and procedures (TTPs) designed to circumvent modern identity security controls. No specific CVE is exploited in this campaign; the kit instead abuses a legitimate, by-design feature of the authentication protocol.
Tycoon2FA Phishing Kit Technical Analysis
The primary innovation in the latest Tycoon2FA iteration is the abuse of the Microsoft Device Code Flow. Unlike standard web-based credential harvesting, device code phishing involves tricking a user into visiting a legitimate Microsoft authorization page (microsoft.com/devicelogin) and entering a short code provided by the attacker. This flow was originally intended for devices with limited input capabilities, such as smart TVs or IoT devices.
When the victim enters the code, they are prompted to authenticate. Once authentication completes, the attacker's application, which initiated the code request, receives an access token and a refresh token. This allows the threat actor to establish a persistent session without ever knowing the user's password or triggering subsequent MFA prompts. The method is particularly effective because the authentication happens on a legitimate Microsoft domain, making it difficult for many EDR solutions or secure web gateways to identify the activity as malicious. Security teams looking for indicators of compromise should monitor for unusual device registrations or sign-in events originating from unknown IP addresses linked to these flows.
Trustifi Abuse for Evasion
To reach the victim's inbox, Tycoon2FA has begun leveraging Trustifi, a legitimate email security and encryption service. Attackers use Trustifi's click-tracking URLs to wrap their malicious links. Because the link points at a trusted third-party domain, the phishing emails are more likely to bypass traditional reputation-based filters, which significantly increases the delivery success rate of the phishing lures.
Once the user clicks the Trustifi link, they are redirected through a series of stages designed to filter out automated scanners and researchers. If the visitor is deemed a valid target, they are presented with instructions to complete the device code authentication. This multi-stage redirection is a common hallmark of sophisticated phishing kits and maps to the MITRE ATT&CK technique "Phishing: Spearphishing Link" (T1566.002).
Mitigation and Detection Strategies
To protect Microsoft 365 against device code phishing, organizations must take proactive steps to limit the attack surface of the Device Code Flow. The SOC should prioritize the following actions:
- Disable Device Code Flow: Unless specifically required for business operations, administrators should disable this flow within the Entra ID (formerly Azure AD) settings.
- Conditional Access Policies: Implement strict policies that require compliant devices or specific geographic locations for any authentication attempts involving device codes. This supports a Zero Trust architecture.
- Enhanced Monitoring: Configure the SIEM to alert on UserLoggedIn events where the AuthenticationProtocol is identified as deviceCode.
Detecting Tycoon2FA phishing requires analyzing sign-in logs for cross-tenant sign-ins or unusual application IDs that the organization does not typically use. Continuous user education regarding the dangers of entering codes on the devicelogin page remains a secondary but necessary defense.
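As an added example (not from the article, BleepingComputer, or any vendor tooling), the monitoring and log-analysis advice above expressed as a small Python triage script over constructed Entra ID sign-in records: it keeps only deviceCode sign-ins and flags those that failed, used an app ID outside an assumed approved list, or came from outside assumed known networks. The field names follow the Graph signIn resource; the app IDs, addresses and network ranges are placeholders.

```python
import ipaddress
import json

# Constructed sample of Entra ID sign-in records (JSON lines) using the field names of
# the Graph signIn resource; app IDs and addresses are placeholders, not real data.
SAMPLE_SIGNIN_LOGS = """\
{"userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","appId":"00000000-0000-0000-0000-000000000c11","ipAddress":"10.20.30.40","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","appId":"00000000-0000-0000-0000-00000000bad1","ipAddress":"203.0.113.77","status":{"errorCode":0}}
{"userPrincipalName":"carol@example.com","authenticationProtocol":"oAuth2","appId":"00000000-0000-0000-0000-000000000c11","ipAddress":"203.0.113.5","status":{"errorCode":0}}
{"userPrincipalName":"dave@example.com","authenticationProtocol":"deviceCode","appId":"00000000-0000-0000-0000-000000000c11","ipAddress":"198.51.100.9","status":{"errorCode":0}}
{"userPrincipalName":"erin@example.com","authenticationProtocol":"deviceCode","appId":"00000000-0000-0000-0000-00000000bad1","ipAddress":"203.0.113.77","status":{"errorCode":50126}}
"""

# Assumed tenant baseline: app IDs approved for device code sign-in and networks
# (office/VPN ranges) the SOC treats as known.
APPROVED_DEVICE_CODE_APPS = {"00000000-0000-0000-0000-000000000c11"}
KNOWN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_signin_logs(text):
    """Parse a JSON-lines sign-in export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def from_known_network(ip):
    """True only if the address parses and lies inside a known network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_NETWORKS)


def find_suspicious_device_code_signins(records, approved_apps=APPROVED_DEVICE_CODE_APPS):
    """Return device code sign-ins that failed, used an unapproved app, or came from an
    unknown network; each finding lists every reason so an analyst can triage it."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # only the flow this kit abuses is in scope
        reasons = []
        if rec.get("status", {}).get("errorCode", 0) != 0:
            reasons.append("failed device code attempt")
        if rec.get("appId") not in approved_apps:
            reasons.append("unapproved appId")
        if not from_known_network(rec.get("ipAddress", "")):
            reasons.append("unknown source network")
        if reasons:
            findings.append({"user": rec.get("userPrincipalName"), "appId": rec.get("appId"),
                             "ip": rec.get("ipAddress"), "reasons": reasons})
    return findings
```

Run against a real export, the approved-app set and known networks must be populated from the tenant's own baseline; failed attempts are kept in the output because a burst of them can reveal a campaign before any session is hijacked.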