Beyond Credentials: How Tycoon 2FA is Weaponizing Microsoft’s OAuth Device Flow

In late April 2026, a sophisticated new phishing campaign surfaced, signaling a dangerous evolution in the capabilities of the threat actors behind the Tycoon 2FA Phishing-as-a-Service (PhaaS) kit. This pivot marks a transition from traditional credential harvesting toward more insidious identity-based exploitation.

The emergence of this campaign is particularly noteworthy given the recent global law enforcement action. Just weeks prior, a massive coordinated takedown led by Microsoft and Europol successfully disrupted much of the original Tycoon 2FA infrastructure. However, the threat actors have demonstrated remarkable resilience, rapidly adapting their existing codebase to implement a stealthier, more advanced methodology.

The attack vector begins with a social engineering hook: a phishing email masquerading as a vendor invoice reminder. To evade simple URL filtering, the attackers utilize a multi-stage redirection chain. Victims are lured through a Trustifi click-tracking link, which then routes through a Cloudflare Workers domain to mask the final destination and deliver the malicious payload.

Crucially, this campaign does not attempt to replicate a fake Microsoft login page—a tactic that is increasingly easy for modern browsers and security suites to detect. Instead, it leverages a legitimate Microsoft service: the OAuth Device Authorization Grant flow via microsoft.com/devicelogin.

According to analysis by eSentire’s Threat Response Unit (TRU), attackers are now abusing this specific OAuth flow to hijack Microsoft 365 accounts without ever needing to see a username or a password. The victim is presented with a “user code” on a phishing site; once they enter this code into the legitimate Microsoft portal, they aren’t logging themselves in—they are authorizing an attacker-controlled device.

In technical terms, the victim is not surrendering their credentials; they are inadvertently granting them access.

The Sophisticated Four-Layer Delivery Chain

The TRU identified a highly structured, four-layer delivery architecture that mirrors the complexity of previous Tycoon 2FA operations:

  • Layer 1: Payload Decryption. The kit uses obfuscated JavaScript and AES-GCM encryption to decrypt a hidden payload directly within the victim’s browser environment.
  • Layer 2: Anti-Analysis & Evasion. This layer is designed to frustrate researchers. It performs aggressive sandbox detection, utilizes debugger traps, and implements ASN-based filtering against over 230 known security vendor blocks.
  • Layer 3: Traffic Routing. To avoid detection by automated scanners, the kit displays a fake Microsoft CAPTCHA labeled “HumanCheck.” It then performs a “Check Domain” query to determine whether to serve the phishing lure or a benign, “clean” decoy site.
  • Layer 4: The OAuth Lure. The final layer presents the device-code phishing interface, guiding the user through the deceptive authentication process.
230-entry ASN owner blocklist hardcoded in the Layer 2 controller script (Source : eSentire).
A 230-entry ASN owner blocklist is hardcoded into the Layer 2 controller script to evade security researchers (Source: eSentire).

Despite the tactical shift, the kit maintains several recognizable “fingerprints.” These include the use of CryptoJS with AES-CBC encryption utilizing a hardcoded key (1234567890123456), consistent anti-debugging logic, and the established “Check Domain” architecture.

To ensure the victim feels secure, the attackers impersonate the Microsoft Authentication Broker, a legitimate first-party application (AppId: 29d9ed98-a469-4536-ade2-f981bc1d605e). Because this AppID is trusted by the Microsoft ecosystem, the resulting consent prompt appears entirely legitimate, bypassing most standard OAuth security warnings.

The HumanCheck CAPTCHA widget presented to the victim after passing Layer 2 anti-analysis checks (Source : eSentire).
The “HumanCheck” CAPTCHA widget serves as a psychological layer of legitimacy (Source: eSentire).

Once the user grants consent, the attacker is immediately issued OAuth access and refresh tokens. This grants persistent access to critical services, including Exchange Online, Microsoft Graph, and OneDrive. A single successful interaction can effectively compromise the entire Microsoft 365 tenant.

Telemetry indicates that the attacker infrastructure is currently being hosted on Alibaba Cloud (AS45102). Interestingly, the automation used in these attacks has evolved; instead of the previously observed axios-based activity, attackers are now using Node.js tools with node and undici user-agent strings.

The MFA Paradox

It is a common misconception that Multi-Factor Authentication (MFA) is bypassed in this scenario. In reality, the attack exploits the fundamental logic of the OAuth device code flow. Because the authentication is occurring on the actual Microsoft platform, the user does successfully complete their MFA. However, they are unknowingly performing that MFA for a session owned by the attacker.

Sign In to your account window with Microsoft Authentication Broker context (Source : eSentire).
The legitimate Microsoft Authentication Broker context used to deceive the victim (Source: eSentire).

A user might believe they are simply authorizing a new device to check their voicemail, when in fact, they are handing over the keys to their entire corporate identity.

Defense and Mitigation Strategies

To counter this evolving threat, security operations centers (SOCs) should pivot their focus from simple credential monitoring to robust identity and token telemetry. We recommend the following mitigations:

  • Restrict Device Code Flows: Where possible, disable or strictly limit the use of OAuth device code flows for non-administrative users.
  • Enforce Strict Consent Policies: Implement policies that prevent users from consenting to unverified or third-party applications without administrative approval.
  • Deploy Continuous Access Evaluation (CAE): Utilize Microsoft’s CAE to enable near real-time token revocation when suspicious activity is detected.
  • Enhanced Telemetry Monitoring: Closely monitor Entra ID (formerly Azure AD) logs for unusual device-code authentication events and suspicious user-agents such as node or undici.

This campaign serves as a stark reminder: as defenses against credential theft improve, attackers will continue to exploit the underlying trust mechanisms of the identity providers themselves. Visibility into token-based activity is no longer optional; it is a necessity.

Related Articles

Back to top button