Last updated: July 5, 2026 at 9:01 AM UTC
Tag: tycoon2fa (1 article)

Tycoon2FA pivots to OAuth device-code phishing - lures Microsoft 365 users to legitimate microsoft.com/devicelogin

The Tycoon 2FA phishing-as-a-service kit, which Microsoft, Europol, Cloudflare and others tried to dismantle in March 2026, is back and has switched tactics. Instead of relaying credentials and MFA codes through a fake login page, operators now send victims to Microsoft's legitimate device-login page at microsoft.com/devicelogin and ask them to enter a code from the lure email. That single consent grants the attacker OAuth tokens for the victim's Exchange Online, OneDrive, and SharePoint through Microsoft's own Authentication Broker app, so the resulting sign-in looks like ordinary first-party activity in Entra sign-in logs. eSentire spotted the late-April campaign and published IoCs, including AS45102 (Alibaba Cloud) operator infrastructure.

Check
Search Entra sign-in logs for Microsoft Authentication Broker consents (AppId 29d9ed98-a469-4536-ade2-f981bc1d605e) from unfamiliar IPs, especially AS45102 (Alibaba Cloud) with node/undici user agents.
Affected
Microsoft 365 tenants without Conditional Access policies restricting the OAuth Device Authorization Grant flow. The initial lure abuses legitimate Trustifi click-tracking URLs.
Fix
Block the Device Code Flow in Conditional Access for users who do not need it (most knowledge workers do not). Review eSentire IoCs and revoke matching sessions and refresh tokens.
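The Check above, turned into detection logic that can be run over an exported batch of Entra sign-in records. This is an added illustration, not code from the article or from eSentire; the sign-in records are constructed, the field names (appId, ipAddress, autonomousSystemNumber, userAgent, authenticationProtocol, userPrincipalName) are an assumption modelled on the Microsoft Graph signIn resource, and the KNOWN_EGRESS range is a placeholder for a tenant's real corporate egress addresses.

```python
"""Flag Microsoft Authentication Broker sign-ins that match the Tycoon2FA
device-code pattern: unfamiliar source IP, AS45102, node/undici user agents,
and the device-code authentication protocol."""
import ipaddress
import json

# Microsoft Authentication Broker application ID (value from the article)
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
SUSPECT_ASNS = {45102}  # AS45102, Alibaba Cloud, named in the eSentire IoCs
SUSPECT_UA_MARKERS = ("node", "undici")  # user-agent substrings named in the article

# Placeholder for the tenant's known egress ranges (constructed, RFC 5737 space)
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sign-in records shaped like Microsoft Graph signIn objects.
# The field names are an assumption about the export format, not article data.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "appId": AUTH_BROKER_APP_ID,
     "ipAddress": "203.0.113.10", "autonomousSystemNumber": 64496,
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "authenticationProtocol": "oAuth2"},
    {"userPrincipalName": "bob@example.com", "appId": AUTH_BROKER_APP_ID,
     "ipAddress": "198.51.100.23", "autonomousSystemNumber": 45102,
     "userAgent": "node", "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "carol@example.com",
     "appId": "11111111-1111-1111-1111-111111111111",  # constructed non-broker app
     "ipAddress": "198.51.100.5", "autonomousSystemNumber": 64496,
     "userAgent": "undici", "authenticationProtocol": "oAuth2"},
    {"userPrincipalName": "dave@example.com", "appId": AUTH_BROKER_APP_ID,
     "ipAddress": "192.0.2.77", "autonomousSystemNumber": 64500,
     "userAgent": "undici", "authenticationProtocol": "deviceCode"},
])


def load_sample() -> list[dict]:
    """Parse the constructed sample export."""
    return json.loads(SAMPLE_SIGNINS)


def is_known_ip(ip: str) -> bool:
    """True when the source address falls inside a known egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def signin_indicators(rec: dict) -> list[str]:
    """Return the indicators a single record matches; empty for non-broker sign-ins."""
    if rec.get("appId") != AUTH_BROKER_APP_ID:
        return []  # only Authentication Broker consents are in scope for this check
    reasons = []
    if not is_known_ip(rec.get("ipAddress", "0.0.0.0")):
        reasons.append("unfamiliar_ip")
    if rec.get("autonomousSystemNumber") in SUSPECT_ASNS:
        reasons.append("suspect_asn")
    ua = rec.get("userAgent", "").lower()
    if any(marker in ua for marker in SUSPECT_UA_MARKERS):
        reasons.append("suspect_user_agent")
    if rec.get("authenticationProtocol") == "deviceCode":
        reasons.append("device_code_flow")
    return reasons


def find_suspicious(records: list[dict]) -> dict[str, list[str]]:
    """Map each user with at least one indicator to the sorted indicators observed."""
    hits: dict[str, set[str]] = {}
    for rec in records:
        reasons = signin_indicators(rec)
        if reasons:
            hits.setdefault(rec["userPrincipalName"], set()).update(reasons)
    return {upn: sorted(r) for upn, r in hits.items()}


if __name__ == "__main__":
    for upn, reasons in find_suspicious(load_sample()).items():
        print(f"{upn}: {', '.join(reasons)}")
```

Treat "unfamiliar_ip" on its own as low confidence, since roaming users trigger it routinely; a broker sign-in that also carries the AS45102, node/undici or device-code indicator is the combination worth escalating, and the matching users are the ones whose sessions and refresh tokens the Fix step says to revoke.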