Home · Live brief · Daily brief 2026-05-18
Tycoon2FA after the March 2026 takedown — OAuth Device Authorization Grant abuse on Microsoft 365
Part of run 2026-05-18-2eabc1cf (intel · Claude Opus 4.7)
Background. Tycoon2FA is one of the established Microsoft 365 Phishing-as-a-Service (PhaaS) kits, previously documented as a classic adversary-in-the-middle (AiTM) credential-relay kit (Sekoia's reference analysis catalogued earlier versions of the kit). eSentire's Threat Response Unit documented a late-April 2026 campaign in which the kit's operators have moved away from credential-relay AiTM and are now abusing the legitimate OAuth 2.0 Device Authorization Grant flow as their post-MFA token-theft primitive (eSentire TRU, 2026-05-12; BleepingComputer, 2026-05-17). The substantive defender consequence is that the new chain runs against Microsoft's own authentication endpoints rather than against a credential-relay proxy the defender could block at the infrastructure layer; the abuse is structurally indistinguishable from a legitimate device-code sign-in until the resulting token is used.
Attack chain. A phishing email directs the victim through a four-layer browser chain documented by eSentire: a Trustifi click-tracking redirect (legitimate-email-marketing infrastructure, abused for reputation laundering) hands off to a Cloudflare Workers throwaway subdomain whose stage performs anti-analysis fingerprinting, AES-GCM-encrypted JavaScript decrypts the next stage only when the browser fingerprint clears, and finally the victim lands on a fake Microsoft CAPTCHA / "Check Domain" page that bridges into the OAuth device-code lure. eSentire records the underlying hosting ASN rotated to AS45102 (Alibaba Cloud) from 2026-04-10 onward, replacing previously documented ASNs. The terminal step is the technique pivot: instead of relaying credentials through an AiTM proxy, the phishing site displays a Microsoft-branded prompt instructing the victim to "complete sign-in by visiting microsoft.com/devicelogin and entering this code: AB12-CDEF". The code is a real device code that the attacker pre-generated by calling the OAuth Device Authorization Grant endpoint (/oauth2/v2.0/devicecode) on the victim's tenant, presenting itself as the Microsoft Authentication Broker client (AppId 29d9ed98-a469-4536-ade2-f981bc1d605e) — a first-party Microsoft client whose presence does not trip standard "unknown OAuth app" alerts in Entra ID. When the victim completes the device-code login in their browser they are authenticating to genuine Microsoft endpoints, MFA fires and succeeds against the victim's own MFA method (push, OTP, SMS) — and the resulting access and refresh tokens are issued to the attacker's polling device, not the victim. Entra ID sign-in logs record this as AuthenticationProtocol = deviceCode originating from an unfamiliar IP, but the actual authentication is logged as successful with valid MFA, masking the abuse.
ATT&CK mapping. T1566.002 Phishing: Spearphishing Link → T1528 Steal Application Access Token (the device-code flow itself) → T1550.001 Use Alternate Authentication Material: Application Access Token → T1078.004 Valid Accounts: Cloud Accounts (sustained post-MFA access using the issued tokens against Exchange Online, SharePoint, OneDrive, Teams, and Graph API). MFA bypass is structural here — Tycoon2FA does not break MFA; it sidesteps it by binding the MFA-validated session to an attacker-owned device through the legitimate OAuth flow. Every MFA method except FIDO2 / WebAuthn with phishing-resistant attestation is vulnerable to this attack class because the victim approves an MFA prompt on a flow the kit chose, not the flow the victim believes they are completing.
Hunt / detection concepts. Per eSentire's TRU analysis: query Entra ID sign-in logs for AuthenticationProtocol = "deviceCode" paired with ClientAppUsed = "Microsoft Authentication Broker" from IPs the user has never authenticated from previously; alert on any device-code authentication from foreign ASNs against high-privilege users (Global Admins, Privileged Role Admins, Compliance Admins) regardless of MFA outcome; correlate device-code sign-ins with Entra audit-log entries showing immediate token-refresh activity against Exchange Online or SharePoint endpoints (Add OAuth2PermissionGrant); on the email layer hunt for inbound mail containing the literal string microsoft.com/devicelogin paired with a device-code-shaped substring (eight alphanumerics with a hyphen at the midpoint) in the body — legitimate Microsoft messaging almost never instructs an end user to enter such a code in response to an email. Kit-fingerprint detection (useful when investigating a confirmed campaign): the Tycoon2FA browser stage retains the hardcoded CryptoJS AES-CBC key 1234567890123456 first documented in the kit's 2024 build, and the fake CAPTCHA layer still embeds the same Cloudflare-anti-bot bypass JavaScript across the rebuilt infrastructure.
Hardening. Entra Conditional Access policy to block OAuth Device Code flow as an authentication transport for users who do not need it — the policy is Conditional Access > New policy > Conditions > Authentication flows > Device code flow > Block; Microsoft recommends this as a tenant-wide default in modern deployments because the device-code flow is only legitimately needed for input-constrained devices (smart TVs, IoT, CLI tools) and almost never for desktop or browser users. Where a wholesale block is operationally infeasible, scope the block to all licensed user accounts and exempt only the named service principals that require it. Enable Continuous Access Evaluation (CAE) so that anomaly-driven sign-in revocation can cut an attacker's session within minutes rather than hours. Migrate high-privilege users to FIDO2 / WebAuthn with phishing-resistant attestation as their only permitted MFA method — the device-code flow can still be initiated, but the attacker cannot complete it because the FIDO2 origin-binding fails on a non-matching browser session. Awareness messaging should make explicit that Microsoft never sends device codes via email and that any incoming message asking the recipient to enter a code at microsoft.com/devicelogin is fraudulent regardless of the apparent sender.
“Doing so authorizes the attacker to register a rogue device with the victim's Microsoft 365 account, giving them unrestricted access to the victim's data and services, including email, calendar, and cloud file storage.” — BleepingComputer
“The user's MFA worked exactly as designed. There is no proxy, no credential capture, no fake Microsoft page.” — eSentire Threat Response Unit