Tycoon2FA Adds Device-Code Phishing to Its Microsoft 365 Toolkit

· Dracode · security · microsoft · phishing

Why Device-Code Phishing Breaks the Standard MFA Playbook

Tycoon2FA, one of the most widely distributed phishing-as-a-service kits targeting Microsoft 365, now includes device-code phishing — an attack vector that bypasses multi-factor authentication without touching the user’s credentials or spoofing a login page.

Device-code phishing abuses OAuth 2.0’s device authorization grant (RFC 8628), designed for devices that can’t easily open a browser — smart TVs, printers, CLI tools. In the legitimate flow, a device asks the authorization server for two codes: a device_code it keeps, and a user_code it displays. The user visits a fixed URL (for Microsoft: https://microsoft.com/devicelogin), enters the user code, and authenticates — completing MFA in the process. The device polls until authentication succeeds, then receives an access token.

The attack mirrors that flow exactly. The attacker generates the codes, pastes the user_code into a phishing email, and waits. When the victim visits the legitimate Microsoft URL, enters the code, and completes MFA, the attacker’s polling loop collects a valid access token and refresh token. The victim authenticated correctly. There was no fake login page. The URL they visited was real.
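To make the three steps concrete, here is a toy simulation of the RFC 8628 exchange with both parties in one process. This is an added example, not code from the article, from Tycoon2FA, or from any Microsoft SDK: the authorization server, the verification URL, the client id and the user identities are all placeholders. The point it makes visible is the one the paragraph above relies on: the server issues the tokens to whoever holds the device_code, and it has no way to check that the polling client belongs to the person who typed the user_code and passed MFA.

```python
"""Toy simulation of the OAuth 2.0 device authorization grant (RFC 8628).

Added illustration, not code from the article or from any Microsoft SDK. Both
parties run in one process: a minimal AuthorizationServer and the client that
polls it. Endpoint URL, client id and user identities are made-up placeholders.
"""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits  # assumed 8-char codes


@dataclass
class DeviceSession:
    device_code: str            # secret, returned only to the requesting client
    user_code: str              # short code a human types into the verification page
    client_id: str
    scope: str
    expires_at: float
    interval: int = 5
    authorized_user: Optional[str] = None
    last_poll: float = -1e9


class FakeClock:
    """Controllable clock so the flow can be stepped deterministically."""
    def __init__(self, t: float = 0.0):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


class AuthorizationServer:
    def __init__(self, now=time.time, lifetime: int = 900):
        self.now, self.lifetime = now, lifetime
        self.by_device_code: dict = {}
        self.by_user_code: dict = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1 (RFC 8628 s3.1/3.2): the client asks for a code pair."""
        s = DeviceSession(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8)),
            client_id=client_id, scope=scope, expires_at=self.now() + self.lifetime)
        self.by_device_code[s.device_code] = s
        self.by_user_code[s.user_code] = s
        return {"device_code": s.device_code, "user_code": s.user_code,
                "verification_uri": "https://idp.example/devicelogin",  # placeholder
                "expires_in": self.lifetime, "interval": s.interval}

    def verify_user_code(self, user_code: str, authenticated_user: str) -> dict:
        """Step 2 (s3.3): a human who already passed sign-in and MFA enters the code.
        Note what is *not* checked: who holds the matching device_code."""
        s = self.by_user_code.get(user_code.upper().replace("-", ""))
        if s is None or self.now() > s.expires_at:
            return {"error": "invalid_user_code"}
        s.authorized_user = authenticated_user
        return {"status": "approved", "client_id": s.client_id, "scope": s.scope}

    def token(self, device_code: str) -> dict:
        """Step 3 (s3.4/3.5): polling endpoint with the standard error codes."""
        s = self.by_device_code.get(device_code)
        if s is None:
            return {"error": "invalid_grant"}
        if self.now() > s.expires_at:
            return {"error": "expired_token"}
        if self.now() - s.last_poll < s.interval:
            s.interval += 5            # client polled too fast; it must back off
            return {"error": "slow_down"}
        s.last_poll = self.now()
        if s.authorized_user is None:
            return {"error": "authorization_pending"}
        # Tokens are bound to the device_code holder, acting on behalf of the human.
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "token_type": "Bearer", "scope": s.scope,
                "issued_to_client": s.client_id, "on_behalf_of": s.authorized_user}


def walk_through(clock: Optional[FakeClock] = None):
    """Run the three steps and return (codes, poll responses) for inspection."""
    clock = clock or FakeClock()
    srv = AuthorizationServer(now=clock, lifetime=900)
    codes = srv.device_authorization(client_id="placeholder-cli-app", scope="Mail.Read")
    polls = []
    clock.advance(5)
    polls.append(srv.token(codes["device_code"]))   # nobody has entered the code yet
    clock.advance(1)
    polls.append(srv.token(codes["device_code"]))   # too soon after the last poll
    # A user completes MFA at the verification page and types the code. The server
    # cannot tell whether the client polling below belongs to that user.
    srv.verify_user_code(codes["user_code"], authenticated_user="alice@example.test")
    clock.advance(10)
    polls.append(srv.token(codes["device_code"]))   # tokens issued
    return codes, polls


if __name__ == "__main__":
    codes, polls = walk_through()
    print("user_code shown to the human:", codes["user_code"])
    for p in polls:
        print(p)
```

The `on_behalf_of` field in the final response is the detail worth sitting with: the identity that satisfied MFA and the client receiving the refresh token are two independent parties that the protocol never ties together. That is why the mitigations further down are policy and monitoring controls rather than anything a user could spot at the login page.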

How Tycoon2FA Previously Operated

Tycoon2FA emerged publicly in late 2023 as an adversary-in-the-middle (AiTM) PhaaS kit. The original technique required a reverse proxy sitting between the victim and Microsoft’s authentication servers, capturing session cookies in real time. That approach has one meaningful weakness: it needs the victim to visit the attacker-controlled proxy URL, which makes the phishing link itself suspicious and scannable.

Device-code phishing removes that requirement entirely. The attacker never needs the victim to visit a malicious domain. The flow is asynchronous — the attacker initiates the session from their own machine, sends the user code over email, and lets the victim complete authentication on Microsoft’s own infrastructure. From a detection standpoint, the phishing email carries nothing more sinister than a real Microsoft URL and a short alphanumeric code.

Adding device-code support makes Tycoon2FA meaningfully harder to detect at every layer that previously caught it.

The Trustifi Evasion Layer

The second element of this update is tactically interesting in its own right: Tycoon2FA now routes its phishing links through Trustifi’s click-tracking infrastructure.

Trustifi is a legitimate email security vendor offering encrypted delivery, compliance tracking, and email analytics. Its tracking redirector is used by real organizations sending real email. Because Trustifi appears on most enterprise email gateways’ safe-sender lists — and because URL-reputation engines see a known security vendor rather than an attacker-controlled domain — phishing messages routed through Trustifi’s redirect chain survive filtering that would flag a raw malicious URL.

This is a recurring pattern in mature phishing operations: abuse a trusted platform’s redirect service (Google, Microsoft, legitimate SaaS vendors) so the visible link in the email passes automated scrutiny. Tycoon2FA has rotated through similar trusted redirectors before. Trustifi extends the rotation, and its security vendor branding makes it especially effective at defeating filters trained to evaluate sender context.

Who Is Exposed

Any organization running Microsoft 365 or Entra ID where the device code flow has not been explicitly restricted is exposed, which is most organizations. The flow is permitted by default for all users and all registered applications unless a Conditional Access policy blocks it.

The attack requires no prior knowledge of the victim’s credentials, no malware delivery, and no privileged access to your environment. A single successful exchange yields tokens scoped to whatever the registered application requested — typically mail read and write, OneDrive, Teams, calendar access — along with a refresh token valid for days or weeks depending on your tenant’s token lifetime configuration.

Executives and finance teams are the highest-value targets. Employees with delegated inbox access, broad SharePoint permissions, or integrations into business-critical systems are a close second.

How to Block Device-Code Phishing

Disable the flow in Conditional Access if your organization doesn’t need it. In the Entra portal, navigate to Conditional Access → Authentication flows and create a policy that blocks device code flow for all users, or restricts it to a specific group that genuinely requires it. If your organization doesn’t use printers, IoT sensors, or CLI tooling that authenticates via this flow, blocking it entirely has zero impact on normal users.
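Once the policy exists, it is worth checking programmatically that it is actually enforced, tenant-wide, and that its exclusions are ones you meant. The following is an added example, not code from the article or from Microsoft: it audits policies in the shape returned by the Microsoft Graph conditionalAccessPolicy resource, assuming `conditions.authenticationFlows.transferMethods` is a comma-separated flag string containing `deviceCodeFlow`. The sample export is constructed; in practice the input would come from `GET /identity/conditionalAccess/policies`.

```python
"""Audit exported Conditional Access policies for a device-code-flow block.

Added example, not code from the article or from Microsoft. Policies are expected
in the Microsoft Graph conditionalAccessPolicy shape; the transferMethods flag
string format is an assumption and the sample policies are constructed.
"""
from typing import List


def _flags(value: str) -> set:
    return {v.strip() for v in (value or "").split(",") if v.strip()}


def classify(policy: dict) -> dict:
    """Describe how one policy treats the device code flow."""
    cond = policy.get("conditions") or {}
    flows = _flags((cond.get("authenticationFlows") or {}).get("transferMethods", ""))
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    return {
        "name": policy.get("displayName", "<unnamed>"),
        "state": policy.get("state"),
        "targets_device_code": "deviceCodeFlow" in flows,
        "blocks": "block" in (grant.get("builtInControls") or []),
        "all_users": "All" in (users.get("includeUsers") or []),
        "all_apps": "All" in (apps.get("includeApplications") or []),
        "carve_outs": list(users.get("excludeUsers") or []) + list(users.get("excludeGroups") or []),
    }


def device_code_coverage(policies: List[dict]) -> dict:
    """Return whether an enforced, tenant-wide block on device code flow exists."""
    enforced, report_only = [], []
    for p in policies:
        c = classify(p)
        if not (c["targets_device_code"] and c["blocks"]):
            continue
        if c["state"] == "enabled":
            enforced.append(c)
        elif c["state"] == "enabledForReportingButNotEnforced":
            report_only.append(c)   # report-only mode logs but does not block
    tenant_wide = [c for c in enforced if c["all_users"] and c["all_apps"]]
    return {
        "blocked_tenant_wide": bool(tenant_wide),
        "enforced_policies": [c["name"] for c in enforced],
        "report_only_policies": [c["name"] for c in report_only],
        # Exclusions are legitimate (printers, CLI service accounts) but each one is a
        # population that device-code phishing can still reach; review them by name.
        "carve_outs": sorted({x for c in tenant_wide for x in c["carve_outs"]}),
    }


# Constructed sample export: one enforced block with a carve-out group, one
# report-only draft, and an unrelated MFA policy.
SAMPLE_POLICIES = [
    {"displayName": "Block device code flow", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["grp-printers-placeholder"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block device code + auth transfer (draft)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(device_code_coverage(SAMPLE_POLICIES), indent=2))
```

A policy left in report-only mode is the most common way this control silently fails, so the audit reports those separately instead of counting them as coverage.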

Audit sign-in logs for device code activity. In Entra’s sign-in logs, filter by Authentication protocol = Device code. Any entries from unexpected users, IP ranges, or geographies warrant immediate investigation and token revocation.
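The same filter can be run over an exported sign-in log so the review happens on a schedule rather than by hand. This is an added example, not code from the article: it uses the field names of the Microsoft Graph signIn resource (`userPrincipalName`, `ipAddress`, `authenticationProtocol`, `location.countryOrRegion`, `appDisplayName`), and the expected-user list, corporate IP ranges and country allowlist are assumptions a real tenant would fill in from its own inventory. The log records are constructed.

```python
"""Triage device-code sign-ins exported from Entra sign-in logs.

Added example, not code from the article. Entries follow Microsoft Graph signIn
field names; the records below are constructed, and the expected-user list,
corporate IP ranges and country allowlist are assumed tenant context.
"""
import ipaddress
from typing import Iterable, List

# Assumed tenant context: who is allowed to use device code flow and from where.
EXPECTED_DEVICE_CODE_USERS = {"svc-printfleet@example.test", "devops-cli@example.test"}
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3, constructed
ALLOWED_COUNTRIES = {"US", "CA"}


def triage(entries: Iterable[dict]) -> List[dict]:
    """Return one finding per device-code sign-in that violates an expectation."""
    findings = []
    for e in entries:
        if e.get("authenticationProtocol") != "deviceCode":
            continue                      # other protocols are out of scope here
        reasons = []
        upn = e.get("userPrincipalName", "")
        if upn.lower() not in EXPECTED_DEVICE_CODE_USERS:
            reasons.append("user is not an expected device-code consumer")
        try:
            ip = ipaddress.ip_address(e.get("ipAddress", ""))
            if not any(ip in net for net in CORPORATE_RANGES):
                reasons.append(f"ip {ip} outside corporate ranges")
        except ValueError:
            reasons.append("unparseable ipAddress")
        country = (e.get("location") or {}).get("countryOrRegion")
        if country not in ALLOWED_COUNTRIES:
            reasons.append(f"country {country} not in allowlist")
        if reasons:
            findings.append({"id": e.get("id"), "user": upn, "app": e.get("appDisplayName"),
                             "time": e.get("createdDateTime"), "reasons": reasons,
                             # Article guidance: investigate and revoke tokens.
                             "action": "investigate; revoke refresh tokens"})
    return findings


# Constructed sample export (not real log data).
SAMPLE_SIGNINS = [
    {"id": "s1", "createdDateTime": "2026-05-18T09:02:11Z",
     "userPrincipalName": "svc-printfleet@example.test", "ipAddress": "203.0.113.40",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Print Fleet Agent",
     "location": {"countryOrRegion": "US"}},
    {"id": "s2", "createdDateTime": "2026-05-18T09:15:47Z",
     "userPrincipalName": "cfo@example.test", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "appDisplayName": "placeholder-public-client",
     "location": {"countryOrRegion": "NL"}},
    {"id": "s3", "createdDateTime": "2026-05-18T09:16:02Z",
     "userPrincipalName": "cfo@example.test", "ipAddress": "203.0.113.8",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook Web",
     "location": {"countryOrRegion": "US"}},
    {"id": "s4", "createdDateTime": "2026-05-18T11:40:30Z",
     "userPrincipalName": "devops-cli@example.test", "ipAddress": "192.0.2.200",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
     "location": {"countryOrRegion": "US"}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f["id"], f["user"], "->", "; ".join(f["reasons"]))
```

The interesting record in the sample is `s2`: a finance user, who has no reason to use device code flow at all, signing in through it from an unexpected country. Any one of the three reasons would be enough to open a ticket; all three together is the profile this attack produces.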

Update your phishing training to address this technique specifically. Standard anti-phishing training focuses on not entering passwords on suspicious-looking pages. That advice doesn’t apply here — the page the victim visits is genuine. The specific message to convey: Microsoft will never email you asking you to visit microsoft.com/devicelogin and enter a code unprompted. That instruction in an email is always an attack.
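That training message translates directly into a mail-filter rule: a message that names the device login URL and asks the reader to enter a code is a lure by definition. The following is an added example, not code from the article or from any vendor product. It matches the `microsoft.com/devicelogin` URL the article names (plus the `login.microsoftonline.com/common/oauth2/deviceauth` path Microsoft also uses for device sign-in), and looks for a nearby user-code-shaped string; the code shape (8 or 9 uppercase letters and digits, optionally hyphenated, with at least one digit) is an assumption to tune against real samples, and the messages are constructed.

```python
"""Mail-content rule for device-code phishing lures.

Added example, not code from the article or any vendor product. The assumed
code shape and the sample messages are constructed; tune CODE_RE against real
samples before relying on it.
"""
import re
from typing import Dict, List

DEVICE_LOGIN_URLS = [
    r"microsoft\.com/devicelogin",
    r"login\.microsoftonline\.com/common/oauth2/deviceauth",
]
URL_RE = re.compile("|".join(DEVICE_LOGIN_URLS), re.IGNORECASE)
# Assumed code shape: 8-9 uppercase alphanumerics, optional hyphen after 4.
CODE_RE = re.compile(r"\b([A-Z0-9]{4}-?[A-Z0-9]{4,5})\b")
# "enter the code", "paste this code", etc.
PROMPT_RE = re.compile(r"\b(enter|type|input|paste)\b.{0,40}\bcode\b", re.IGNORECASE | re.DOTALL)


def classify_message(subject: str, body: str) -> Dict[str, object]:
    """Return a verdict plus the evidence that produced it."""
    text = f"{subject}\n{body}"
    has_url = bool(URL_RE.search(text))
    # Requiring a digit drops ordinary shouted words such as "PAYMENTS"; this
    # trades a few missed all-letter codes for far fewer false positives.
    codes = [c for c in CODE_RE.findall(text) if any(ch.isdigit() for ch in c)]
    prompt = bool(PROMPT_RE.search(text))
    if has_url and (codes or prompt):
        verdict = "high"      # the article's rule: this instruction in email is always an attack
    elif has_url:
        verdict = "medium"    # URL alone: review, may be IT documentation
    else:
        verdict = "none"
    return {"verdict": verdict, "device_login_url": has_url, "codes": codes, "code_prompt": prompt}


def scan(messages: List[dict]) -> Dict[str, str]:
    """Map message id to verdict for a batch of {id, subject, body} dicts."""
    return {m["id"]: str(classify_message(m["subject"], m["body"])["verdict"]) for m in messages}


# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Action required: verify your mailbox",
     "body": "Go to https://microsoft.com/devicelogin and enter the code B7K2-9XQ4 to keep access."},
    {"id": "m2", "subject": "Q2 invoice",
     "body": "Hi, the Q2 invoice PAYMENTS summary is attached. Reference 2026-Q2."},
    {"id": "m3", "subject": "Device login help",
     "body": "Our IT wiki explains the device flow at https://microsoft.com/devicelogin."},
]

if __name__ == "__main__":
    for mid, verdict in scan(SAMPLE_MESSAGES).items():
        print(mid, verdict)
```

The rule deliberately keys on the legitimate URL rather than on anything attacker-controlled, because as the article notes there is nothing attacker-controlled in the message to key on.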

Review refresh token lifetime policies. Tighter Continuous Access Evaluation settings and token lifetime policies reduce the window an attacker has once they’ve captured a token. Shorter-lived tokens don’t prevent the initial compromise but significantly limit the blast radius.

What We’re Watching

Device-code phishing is not new — Microsoft and CISA have both issued advisories on the technique. What is new is seeing it packaged into a maintained, commodity phishing kit that operators can rent. Tycoon2FA adding it signals that the technique has crossed from targeted nation-state use into general availability. Expect more PhaaS kits to ship device-code modules in the coming months.

The Trustifi redirect abuse is narrower in scope but reflects the same structural problem: defenders have trained their tools to trust certain infrastructure, and attackers have noticed. Defending against redirect-chain evasion requires link-following in your email security stack — evaluating the final destination, not just the visible domain — rather than surface-level reputation checks.
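The link-following described here, and the redirect-chain abuse explained in the Trustifi section above, come down to one check: judge the host the link finally lands on, not the host printed in the email. The following is an added example, not code from the article or from any email security product. Network access is abstracted behind a `fetch` callable so it runs offline; the redirect map is constructed, and the redirector and allowlist hostnames are placeholders rather than real Trustifi or customer domains.

```python
"""Resolve a link's redirect chain and judge the final destination, not the visible host.

Added example, not code from the article or any email security product. The
offline "network", the redirector list and the trusted-host allowlist are
constructed placeholders.
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

FetchResult = Tuple[int, Optional[str]]            # (HTTP status, Location header)

# Assumed policy inputs for the tenant.
KNOWN_REDIRECTORS = {"track.mailvendor.example", "links.saas-vendor.example"}
TRUSTED_FINAL_HOSTS = {"login.microsoftonline.com", "microsoft.com", "www.microsoft.com",
                       "intranet.example.test"}


def follow(url: str, fetch: Callable[[str], FetchResult], max_hops: int = 10) -> List[str]:
    """Return the hop list starting at `url`; stops on a non-redirect, a loop, or max_hops."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)          # Location may be relative
        if nxt in seen:
            chain.append(nxt)
            break                                    # redirect loop
        seen.add(nxt)
        chain.append(nxt)
    return chain


def assess(url: str, fetch: Callable[[str], FetchResult]) -> Dict[str, object]:
    """Compare a surface-level reputation check with a final-destination check."""
    chain = follow(url, fetch)
    visible = urlsplit(chain[0]).hostname or ""
    final = urlsplit(chain[-1]).hostname or ""
    surface_ok = visible in KNOWN_REDIRECTORS or visible in TRUSTED_FINAL_HOSTS
    final_ok = final in TRUSTED_FINAL_HOSTS
    if final_ok:
        verdict = "allow"
    elif visible in KNOWN_REDIRECTORS:
        verdict = "block: trusted redirector lands on untrusted host"
    else:
        verdict = "block: untrusted destination"
    return {"chain": chain, "visible_host": visible, "final_host": final,
            "surface_reputation_passes": surface_ok, "verdict": verdict}


# Constructed offline "network": each URL maps to the response a fetcher would get.
FAKE_WEB: Dict[str, FetchResult] = {
    "https://track.mailvendor.example/c/abc123": (302, "https://links.saas-vendor.example/r?u=x9"),
    "https://links.saas-vendor.example/r?u=x9": (302, "https://doc-review.invalid/m365/login"),
    "https://doc-review.invalid/m365/login": (200, None),
    "https://track.mailvendor.example/c/def456": (302, "https://intranet.example.test/policy.pdf"),
    "https://intranet.example.test/policy.pdf": (200, None),
    "https://loop.invalid/a": (302, "/b"),
    "https://loop.invalid/b": (302, "/a"),
}


def fake_fetch(url: str) -> FetchResult:
    return FAKE_WEB.get(url, (404, None))


if __name__ == "__main__":
    for u in ("https://track.mailvendor.example/c/abc123",
              "https://track.mailvendor.example/c/def456"):
        r = assess(u, fake_fetch)
        print(r["verdict"], "|", " -> ".join(r["chain"]))
```

The first sample link passes the surface check (`surface_reputation_passes` is true, because the visible host is a known vendor redirector) and fails only once the chain is resolved; the second link passes both, which is exactly the distinction a reputation-only filter cannot make. A real fetcher should issue HEAD or GET requests without following redirects itself, cap the hop count as shown, and time out quickly, since attacker-controlled hops can be made slow.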

For any team running Microsoft 365, auditing Conditional Access authentication flow policies takes under an hour and removes a default-on attack surface with no user-facing tradeoff. If you want to think through your team’s security configuration as you’re scaling, get in touch.

Sources

  1. Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing — BleepingComputer, May 17 2026
  2. OAuth 2.0 device authorization grant (RFC 8628) — IETF
  3. Conditional Access: Authentication flows — Microsoft Learn
  4. Microsoft identity platform and the OAuth 2.0 device code flow — Microsoft Learn