Tycoon2FA, an evolving phishing kit, now supports device-code phishing attacks against Microsoft 365 accounts. The threat actors abuse Trustifi click-tracking URLs in their campaigns, leveraging the legitimate service to bypass security controls and lend credibility to malicious messages.
Device-code phishing is an attack vector that sidesteps traditional multi-factor authentication. Instead of stealing passwords directly, attackers trick users into authorizing device codes through Microsoft's device authorization flow. Victims visit a phishing page, enter their credentials, and are then prompted to approve a device code on their legitimate Microsoft account. Because that approval completes a sign-in that the attacker initiated, it hands the attacker valid tokens for the account. Many users comply without recognizing the attack, granting threat actors full account access even when MFA is enabled.
Tycoon2FA's integration of Trustifi click-tracking represents a particularly dangerous evolution. Trustifi operates as a legitimate email security and click-tracking service. Attackers abuse its infrastructure to create seemingly authentic links within phishing emails. When users click these links, they appear to come from a trusted service, significantly lowering suspicion. This tactic also complicates detection, as security systems often whitelist Trustifi URLs.
The kit's expanded capabilities suggest active development and refinement by its operators. Tycoon2FA previously focused on credential harvesting through traditional phishing pages. The addition of device-code phishing and Trustifi integration indicates threat actors now target organizations with stronger security postures that implement MFA.
Microsoft 365 compromises carry severe consequences. Attackers gain access to email, cloud storage, and integrated services. They can move laterally within the organization, steal sensitive data, establish persistence, and launch further attacks from inside the tenant. Organizations using Microsoft 365 without conditional access policies or additional verification steps face elevated risk.
Organizations should implement conditional access policies in Microsoft Entra ID to flag unusual device code authentication requests.
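As an added illustration of the kind of flagging the sentence above describes (this is example code written for this page, not part of any Microsoft or Tycoon2FA tooling), the script below walks Entra sign-in log records in chronological order, builds a per-user baseline of countries seen on ordinary successful sign-ins, and raises an alert when a device-code sign-in comes from a country outside that baseline, when a user uses device code flow for the first time, or when a device-code attempt fails. The records are constructed for the example; the field names (`authenticationProtocol`, `ipAddress`, `location.countryOrRegion`, `status.errorCode`) follow the Microsoft Graph `signIn` resource, but the schema is simplified and the severity thresholds are this example's own choice.

```python
"""Flag suspicious device-code sign-ins in Microsoft Entra sign-in log records.

Each record is a simplified Microsoft Graph `signIn` object. The records below
are constructed for this example and are not real telemetry.
"""

# Value of signIn.authenticationProtocol for the OAuth 2.0 device authorization flow.
DEVICE_CODE = "deviceCode"


def _rec(time, user, proto, ip, country, error=0):
    """Build one constructed sign-in record in the simplified Graph shape."""
    return {"createdDateTime": time, "userPrincipalName": user,
            "authenticationProtocol": proto, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": error}}


# Constructed sample (all IPs are documentation ranges):
#  - alice: routine browser sign-ins from GB, then a device-code sign-in from NG.
#  - bob:   a developer who legitimately uses device code from his usual country.
#  - carol: first-ever device-code sign-in, but from her known country.
#  - dave:  failed device-code attempt (50126 = invalid username or password).
SAMPLE_SIGNINS = [
    _rec("2025-01-08T09:12:00Z", "alice@example.com", "oAuth2", "203.0.113.10", "GB"),
    _rec("2025-01-09T09:30:00Z", "alice@example.com", "oAuth2", "203.0.113.10", "GB"),
    _rec("2025-01-10T14:05:00Z", "alice@example.com", DEVICE_CODE, "198.51.100.77", "NG"),
    _rec("2025-01-08T11:00:00Z", "bob@example.com", "oAuth2", "203.0.113.22", "DE"),
    _rec("2025-01-09T11:15:00Z", "bob@example.com", DEVICE_CODE, "203.0.113.22", "DE"),
    _rec("2025-01-10T11:20:00Z", "bob@example.com", DEVICE_CODE, "203.0.113.22", "DE"),
    _rec("2025-01-09T16:40:00Z", "carol@example.com", "oAuth2", "203.0.113.33", "US"),
    _rec("2025-01-10T16:45:00Z", "carol@example.com", DEVICE_CODE, "203.0.113.33", "US"),
    _rec("2025-01-10T03:00:00Z", "dave@example.com", DEVICE_CODE, "198.51.100.9", "RU", 50126),
]


def detect_device_code_anomalies(records):
    """Return a chronologically ordered list of alerts for device-code sign-ins.

    Severity (this example's own scale):
      high   - successful device-code sign-in from a country never seen for the user
      medium - user's first successful device-code sign-in (country already known)
      low    - failed device-code attempt (credential guessing or an abandoned lure)
    """
    # Timestamps are ISO-8601 in UTC with a trailing Z, so string order is time order.
    ordered = sorted(records, key=lambda r: r["createdDateTime"])
    known_countries = {}   # user -> set of countries from prior successful sign-ins
    used_device_code = set()  # users with a prior successful device-code sign-in
    alerts = []

    for r in ordered:
        user = r["userPrincipalName"]
        proto = r.get("authenticationProtocol")
        country = (r.get("location") or {}).get("countryOrRegion", "unknown")
        success = (r.get("status") or {}).get("errorCode", 0) == 0
        seen = known_countries.setdefault(user, set())

        if proto == DEVICE_CODE:
            if not success:
                severity, reason = "low", "failed device-code attempt"
            elif country not in seen:
                severity, reason = "high", "device-code sign-in from country not in user baseline"
            elif user not in used_device_code:
                severity, reason = "medium", "first device-code sign-in for this user"
            else:
                severity = None  # established, in-baseline device-code use: no alert
            if severity:
                alerts.append({"time": r["createdDateTime"], "user": user,
                               "severity": severity, "reason": reason,
                               "ipAddress": r.get("ipAddress"), "country": country})

        # Update the baseline only from successful sign-ins, so failed
        # attempts from an attacker's location never become "known".
        if success:
            seen.add(country)
            if proto == DEVICE_CODE:
                used_device_code.add(user)

    return alerts


if __name__ == "__main__":
    for a in detect_device_code_anomalies(SAMPLE_SIGNINS):
        print(f'{a["time"]} {a["severity"]:6} {a["user"]:20} {a["country"]:3} {a["reason"]}')
```

In a real deployment the baseline would be built from a longer history than the events being scored, and the same logic can be expressed as a KQL query over the `SigninLogs` table. Where no business process relies on device code flow, the stronger control is to block it outright: Entra Conditional Access has an authentication flows condition that can target device code flow with a block grant, which removes the attack surface rather than only flagging it.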
