ctipilot.ch

Tycoon2FA PhaaS post-March-2026-takedown — OAuth Device Authorization Grant abuse on Microsoft 365

campaign · item:tycoon2fa-oauth-device-authorization-grant-microsoft-365-post-takedown

Coverage timeline: 3 appearances, first 2026-05-18 → last 2026-05-18
Briefs: 1 (1 distinct)
Sources cited: 7 (4 hosts)
Sections touched: 3 (action_items, deep_dive, tldr)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-18 · CTI Daily Brief — 2026-05-18
     [tldr] TL;DR bullet — kit rebuilt post-March-2026 takedown; pivots AiTM → OAuth Device Authorization Grant abuse; BunnyCDN.
  2. 2026-05-18 · CTI Daily Brief — 2026-05-18
     [deep_dive] Deep dive — Tycoon2FA OAuth Device Authorization Grant abuse on Microsoft 365. Four-layer browser chain → fake CAPTCHA → victim pastes attacker device code into microsoft.com/devicelogin. MFA fires on the real Microsoft endpoint; tokens are issued to the attacker. Microsoft Authentication Broker AppId 29d9ed98-a469-4536-ade2-f981bc1d605e. T1528 / T1550.001 / T1078.004. Hardening: CA block device-code flow; FIDO2 phishing-resistant MFA; CAE.
  3. 2026-05-18 · CTI Daily Brief — 2026-05-18
     [action_items] Action: block OAuth Device Code flow tenant-wide in Entra Conditional Access where not operationally required.

Where this entity is cited

  • tldr: 1
  • deep_dive: 1
  • action_items: 1

Source distribution

  • attack.mitre.org: 4 (57%)
  • bleepingcomputer.com: 1 (14%)
  • blog.sekoia.io: 1 (14%)
  • esentire.com: 1 (14%)

Items in briefs about Tycoon2FA PhaaS post-March-2026-takedown — OAuth Device Authorization Grant abuse on Microsoft 365

No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.