Tycoon2FA Phishing Kit Weaponizes Device Code Phishing, Abuses Trustifi URLs to Hijack Microsoft 365 Accounts
The **Tycoon2FA** phishing kit has evolved, now incorporating device code phishing attacks and exploiting **Trustifi** click-tracking URLs to compromise **Microsoft 365** accounts. This resurgence follows a disruption attempt earlier this year, highlighting the adaptability of cybercriminals.

Despite an international law enforcement operation disrupting the **Tycoon2FA** phishing platform in March, the malicious operation was rebuilt on new infrastructure and quickly returned to regular activity levels.
Earlier this month, **Abnormal Security** confirmed that **Tycoon2FA** had rebounded to normal operations and even added new obfuscation layers to strengthen its resilience against new disruption attempts.
In late April, **Tycoon2FA** was observed in a campaign that leveraged the OAuth 2.0 device authorization grant flow to compromise **Microsoft 365** accounts, indicating that the operator continues to develop the kit.
Device code phishing is a type of attack in which the threat actor starts the OAuth 2.0 device authorization flow against the target service's identity provider, receives a short user code, and forwards that code to the victim, tricking them into entering it on the service's legitimate login page and completing authentication there, including MFA.
Doing so approves the session the attacker initiated: the provider issues access and refresh tokens to the attacker's client, which can then register a rogue device with the victim's **Microsoft 365** account, giving the attacker broad access to the victim's data and services, including email, calendar, and cloud file storage.
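The exchange described above, as an added example that is not code from eSentire or from the Tycoon2FA kit: it walks the RFC 8628 device authorization grant from the attacker backend's side, showing which code is shown to the victim and which one stays with the attacker, and how the token-endpoint polling responses (authorization_pending, slow_down, expired_token) are handled. The endpoint URLs are the public Microsoft identity platform v2.0 endpoints; the client ID and every HTTP reply are constructed sample data, and nothing here touches the network.

```python
"""OAuth 2.0 device authorization grant (RFC 8628) as abused in device code phishing.

Added example, not code from eSentire or from the Tycoon2FA kit. It shows the
two endpoints the attacker's backend talks to and which code ends up where.
The endpoint URLs are the public Microsoft identity platform v2.0 endpoints;
CLIENT_ID and every HTTP reply below are constructed sample data, and nothing
here sends network traffic.
"""
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"
DEVICE_CODE_ENDPOINT = AUTHORITY + "/devicecode"
TOKEN_ENDPOINT = AUTHORITY + "/token"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app ID


def build_device_code_request(client_id, scope):
    """Step 1, attacker backend: ask the provider to start a device flow."""
    return {"method": "POST", "url": DEVICE_CODE_ENDPOINT,
            "body": urlencode({"client_id": client_id, "scope": scope})}


def split_device_code_response(body):
    """Step 2: separate what the phishing page shows from what the backend keeps.

    user_code and verification_uri are what the victim is told to use;
    device_code never reaches the victim, because it is what redeems the tokens.
    """
    data = json.loads(body)
    missing = {"device_code", "user_code", "verification_uri", "expires_in"} - data.keys()
    if missing:
        raise ValueError("malformed device code reply, missing %s" % sorted(missing))
    return {
        "shown_to_victim": {"user_code": data["user_code"],
                            "verification_uri": data["verification_uri"]},
        "device_code": data["device_code"],
        "expires_in": int(data["expires_in"]),
        "interval": int(data.get("interval", 5)),  # RFC 8628 default poll interval
    }


def build_token_poll_request(client_id, device_code):
    """Step 3, attacker backend: poll the token endpoint while the victim is lured."""
    return {"method": "POST", "url": TOKEN_ENDPOINT,
            "body": urlencode({"grant_type": DEVICE_CODE_GRANT,
                               "client_id": client_id, "device_code": device_code})}


def next_poll_action(status, body, interval):
    """Map one token-endpoint reply to (action, next_interval), RFC 8628 section 3.5."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return "tokens_issued", interval
    error = data.get("error")
    if error == "authorization_pending":  # victim has not approved the code yet
        return "wait", interval
    if error == "slow_down":              # polled too fast: back off by 5 seconds
        return "wait", interval + 5
    return "stop", interval               # expired_token, access_denied, or unexpected


def simulate_phishing_session(device_reply, token_replies):
    """Drive the whole exchange over constructed replies, with no sleeping or network."""
    codes = split_device_code_response(device_reply)
    interval, actions, tokens = codes["interval"], [], None
    for status, body in token_replies:
        build_token_poll_request(CLIENT_ID, codes["device_code"])  # what would be sent
        action, interval = next_poll_action(status, body, interval)
        actions.append(action)
        if action == "tokens_issued":
            tokens = json.loads(body)
        if action != "wait":
            break
    return {"victim_sees": codes["shown_to_victim"], "actions": actions,
            "final_interval": interval,
            "refresh_token_obtained": bool(tokens and tokens.get("refresh_token"))}


# Constructed replies, shaped like the real endpoints' JSON (not captured traffic).
SAMPLE_DEVICE_REPLY = json.dumps({
    "user_code": "ABCD1234", "device_code": "constructed-device-code",
    "verification_uri": "https://microsoft.com/devicelogin",
    "expires_in": 900, "interval": 5,
})
SAMPLE_TOKEN_REPLIES = [
    (400, json.dumps({"error": "authorization_pending"})),
    (400, json.dumps({"error": "slow_down"})),
    (400, json.dumps({"error": "authorization_pending"})),
    (200, json.dumps({"token_type": "Bearer", "expires_in": 3600,
                      "access_token": "constructed.access.token",
                      "refresh_token": "constructed-refresh-token"})),
]

if __name__ == "__main__":
    print(build_device_code_request(CLIENT_ID, "openid offline_access https://graph.microsoft.com/.default"))
    print(simulate_phishing_session(SAMPLE_DEVICE_REPLY, SAMPLE_TOKEN_REPLIES))
```

The point to take from the walk-through is that the victim never sees the device_code, only the short user_code, and that the kit's backend can keep polling for up to expires_in seconds (15 minutes in the sample) while the lure page waits; a refresh_token in the final reply is what gives the attacker persistence beyond the first access token's lifetime.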
**Push Security** recently warned that this type of attack has increased significantly this year, supported by numerous phishing-as-a-service (PhaaS) platforms and private kits. A more recent report by **Proofpoint** records a similar surge in the use of the tactic.
### Tycoon2FA Adds Device-Code Phishing
According to new research from managed detection and response company **eSentire**, **Tycoon2FA**'s adoption of the technique confirms that device code phishing has become highly popular among cybercriminals.
"The attack begins when a victim clicks a **Trustifi** click-tracking URL in a lure email and culminates in the victim unknowingly granting OAuth tokens to an attacker-controlled device through **Microsoft's** legitimate device-login flow at microsoft.com/devicelogin," explains **eSentire**.
"Connecting those two endpoints is a four-layer in-browser delivery chain whose **Tycoon 2FA** tradecraft is virtually unchanged from the credential-relay variant TRU documented in April 2025 and the post-takedown variant documented in April 2026."
**Trustifi** is a legitimate email security platform that provides a range of tools integrated into various email services, including those from **Microsoft** and **Google**. However, **eSentire** does not know how the attackers came to use **Trustifi**.
According to the researchers, the attack uses an invoice-themed phishing email containing a **Trustifi** tracking URL that redirects through **Trustifi**, **Cloudflare Workers**, and several obfuscated JavaScript layers, landing the victim on a fake **Microsoft** CAPTCHA page.
The phishing page retrieves a **Microsoft** OAuth device code from the attacker's backend and instructs the victim to enter it at "microsoft.com/devicelogin," where the victim then signs in and completes multi-factor authentication (MFA) as they normally would.
After this step, **Microsoft** issues OAuth access and refresh tokens to the attacker-controlled device.

*Source: eSentire*
The **Tycoon2FA** phishing kit includes extensive protection against researchers and automated scanning: it detects browser automation frameworks (Selenium, Puppeteer, Playwright) and Burp Suite; blocks traffic from security vendors, VPNs, sandboxes, AI crawlers, and cloud providers; and uses debugger timing traps.
Requests from devices indicating an analysis environment are automatically redirected to a legitimate **Microsoft** page, **eSentire** says.
The researchers have found that the kit's blocklist currently contains 230 vendor names and is constantly updated.
**eSentire** recommends disabling the OAuth device code flow where it is not needed (in Entra ID this is enforced with a Conditional Access policy that blocks the device code flow under the "Authentication flows" condition), restricting OAuth consent permissions, requiring admin approval for third-party apps, enabling Continuous Access Evaluation (CAE), and enforcing compliant-device access policies.
Additionally, the researchers recommend monitoring Entra sign-in logs for deviceCode authentication (the authentication protocol value recorded for this grant), **Microsoft** Authentication Broker usage, and Node.js user agents.
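The three log indicators above, turned into triage logic as an added example (not eSentire's detection content): it scores sign-in records for a device code grant, for the Microsoft Authentication Broker client, and for Node.js-style user agents, and ranks the findings. Records use the field names of the Microsoft Graph signIn resource; the four records are constructed, the weights and the list of apps for which a device code sign-in is expected are assumptions to tune per tenant, and the user-agent patterns are heuristics.

```python
"""Triage of Entra ID sign-in records for device code phishing indicators.

Added example, not eSentire's detection content. Records use the field names of
the Microsoft Graph signIn resource (authenticationProtocol, appId,
appDisplayName, userAgent, ipAddress); the four records below are constructed,
not real tenant data. The app IDs are the well-known ones for Microsoft
Authentication Broker and Azure CLI, but check them against your own tenant's
enterprise application listing; the user-agent patterns are heuristics.
"""
import re

DEVICE_CODE_PROTOCOL = "deviceCode"  # authenticationProtocol value for this grant
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"  # Microsoft Authentication Broker
# Assumption: first-party clients for which an occasional device code sign-in is normal.
EXPECTED_DEVICE_CODE_APPS = {"04b07795-8ddb-461a-bbee-02f9e1bf7b46"}  # Microsoft Azure CLI
# Default user agents of common Node.js HTTP clients; extend per environment.
SCRIPTED_UA = re.compile(r"^(?:node(?:-fetch)?\b|undici\b|axios/|got\b)", re.IGNORECASE)

# Weights are an assumption used only to rank findings, not a vendor scoring scheme.
WEIGHTS = {
    "device code grant": 1,
    "device code grant from unexpected app": 2,
    "Microsoft Authentication Broker client": 2,
    "scripted (Node.js-style) user agent": 1,
}


def triage_signin(rec):
    """Return the matched reasons and a severity for one sign-in record."""
    reasons = []
    if rec.get("authenticationProtocol") == DEVICE_CODE_PROTOCOL:
        reasons.append("device code grant")
        if rec.get("appId") not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("device code grant from unexpected app")
    if rec.get("appId") == AUTH_BROKER_APP_ID:
        reasons.append("Microsoft Authentication Broker client")
    if SCRIPTED_UA.match(rec.get("userAgent") or ""):
        reasons.append("scripted (Node.js-style) user agent")
    score = sum(WEIGHTS[r] for r in reasons)
    severity = "none" if score == 0 else "low" if score == 1 else "medium" if score == 2 else "high"
    return {"id": rec.get("id"), "user": rec.get("userPrincipalName"),
            "ip": rec.get("ipAddress"), "score": score, "severity": severity,
            "reasons": reasons}


def triage_batch(records):
    """Triage many records, highest score first (stable for ties)."""
    return sorted((triage_signin(r) for r in records), key=lambda f: -f["score"])


# Constructed sample records (not real logs). sign-2 is the Tycoon2FA-style case:
# a device code grant to the Authentication Broker from a scripted client.
SAMPLE_SIGNINS = [
    {"id": "sign-1", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "appId": "constructed-app-id-1",
     "appDisplayName": "Constructed Mail App",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"},
    {"id": "sign-2", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "appId": AUTH_BROKER_APP_ID,
     "appDisplayName": "Microsoft Authentication Broker", "userAgent": "node"},
    {"id": "sign-3", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.8",
     "authenticationProtocol": "oAuth2", "appId": "constructed-app-id-2",
     "appDisplayName": "Constructed App", "userAgent": "axios/1.6.8"},
    {"id": "sign-4", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.11",
     "authenticationProtocol": "deviceCode", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
     "appDisplayName": "Microsoft Azure CLI", "userAgent": "AZURECLI/2.58.0"},
]

if __name__ == "__main__":
    for finding in triage_batch(SAMPLE_SIGNINS):
        print(finding["severity"], finding["id"], finding["user"], finding["reasons"])
```

The same fields are available in Microsoft Sentinel as the AuthenticationProtocol, AppId and UserAgent columns of the SigninLogs table, so the rules translate directly to KQL; the expected-app set is the part that needs local tuning, since admins using Azure CLI or similar tools will legitimately produce deviceCode sign-ins.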
**eSentire** has published a set of [indicators of compromise](http://github.com/eSentire/iocs/blob/main/Tycoon2FA/Tycoon2fa-iocs-03-23-2026.txt) (IoCs) for the latest **Tycoon2FA** attacks to help defenders protect their environments.
