New Phishing Campaign Emerges: Tycoon 2FA Threat Actors Evolve Tactics
In late April 2026, security researchers disclosed a new phishing campaign that shows how the operators behind the Tycoon 2FA Phishing-as-a-Service (PhaaS) kit have changed tactics. The campaign follows a large-scale takedown, coordinated by Microsoft and Europol, that targeted the infrastructure supporting Tycoon 2FA. Despite that action, the operators adapted quickly, reusing their established toolkit while shifting to a stealthier technique that no longer depends on harvesting credentials.
The attack starts with an email posing as a routine vendor invoice reminder. The message carries a Trustifi click-tracking link; a victim who clicks it is redirected through a Cloudflare Workers domain, which in turn serves the phishing kit's pages.
What distinguishes this campaign from conventional credential phishing is the mechanism of compromise. Rather than presenting a counterfeit login page, the kit abuses Microsoft's legitimate device login page at microsoft.com/devicelogin. According to eSentire's Threat Response Unit (TRU), the attackers use Microsoft's OAuth 2.0 Device Authorization Grant flow to gain access to Microsoft 365 accounts without ever collecting a username or password, a shift that sidesteps defenses built to spot fake login pages.
The phishing page shows the victim a short "user code" and instructs them to enter it on Microsoft's real device login page. The victim then signs in there, completing Multi-Factor Authentication (MFA) as usual. The catch is that the user code was requested by an attacker-controlled OAuth client, so by approving it the victim authorizes that client. Microsoft issues the resulting OAuth access and refresh tokens to the attacker's client, not to the victim's browser, handing the attacker a fully authenticated session. The victim believes they have merely signed in; in fact they have delegated their account to the attacker.
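To make the token-routing point concrete, here is an added simulation of the RFC 8628 device authorization exchange, written for this article and not taken from eSentire's report or the Tycoon 2FA kit. The authorization server is an in-memory toy standing in for Microsoft's token endpoint, the client ID constant is the publicly documented Microsoft Authentication Broker app ID used only as a label, and no network calls are made.

```python
"""Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628) as used
in device-code phishing. Added illustration; not the article's or the kit's
code. The server is an in-memory stand-in for Microsoft's token endpoint."""
import secrets
import string
import time

# Publicly documented app ID of the first-party "Microsoft Authentication
# Broker"; used here only as a label for the client the attacker impersonates.
BROKER_CLIENT_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
VERIFICATION_URI = "https://microsoft.com/devicelogin"


class ToyAuthServer:
    """Minimal /devicecode and /token endpoints with RFC 8628 error semantics."""

    def __init__(self, expires_in=900):
        self.expires_in = expires_in
        self._pending = {}  # device_code -> authorization record

    def devicecode(self, client_id, scope):
        # Step 1: the *client* (the attacker's tool) asks for a code pair.
        # user_code is the short string the lure tells the victim to type.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits)
                            for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": time.time() + self.expires_in, "user": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.expires_in, "interval": 5}

    def user_verifies(self, user_code, upn, mfa_passed):
        # Step 2: the victim's browser, on the real verification page, enters
        # the code and completes sign-in plus MFA. No token is returned here.
        for rec in self._pending.values():
            if rec["user_code"] == user_code and time.time() < rec["expires_at"]:
                if not mfa_passed:
                    return {"error": "interaction_required"}
                rec["user"] = upn
                return {"status": "signed_in", "app": rec["client_id"]}
        return {"error": "invalid_user_code"}

    def token(self, client_id, grant_type, device_code):
        # Step 3: polled by whoever holds device_code, which is the client
        # from step 1, never the browser. Tokens are issued to that caller.
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() >= rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": f"at-{secrets.token_hex(8)}-for-{rec['user']}",
                "refresh_token": f"rt-{secrets.token_hex(8)}"}


def run_phish(server, victim_upn, victim_completes_mfa=True, max_polls=3):
    """Attacker side of the flow. Returns (user_code shown on the lure,
    final /token response). The polling interval is not slept in the simulation."""
    auth = server.devicecode(BROKER_CLIENT_ID, "openid offline_access")
    resp = {"error": "authorization_pending"}
    for attempt in range(max_polls):
        if attempt == 1:
            # The victim acts between polls, on Microsoft's real page.
            server.user_verifies(auth["user_code"], victim_upn, victim_completes_mfa)
        resp = server.token(BROKER_CLIENT_ID, DEVICE_CODE_GRANT, auth["device_code"])
        if resp.get("error") not in ("authorization_pending", "slow_down"):
            break
    return auth["user_code"], resp


if __name__ == "__main__":
    code, tokens = run_phish(ToyAuthServer(), "victim@example.com")
    print("lure displayed user_code:", code)
    print("attacker received:", tokens)
```

Run stand-alone, the script prints the user code the lure would display and the token response received by the attacker's poller. The victim-side call returns no token at all, which is the whole point: MFA is evaluated on the real login page, but the tokens follow the device_code, and the attacker is the one holding it.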
TRU's investigation traced a four-layer delivery chain that mirrors earlier Tycoon 2FA campaigns. The first layer is obfuscated JavaScript that decrypts an AES-GCM-encrypted payload in the browser. The second layer runs anti-analysis checks, including sandbox detection and filtering by autonomous system number (ASN) against a list of more than 230 security vendors, so that analysis infrastructure never sees the lure. The third layer shows a bogus Microsoft CAPTCHA, dubbed "HumanCheck," followed by a server query that decides whether to display the phishing lure or redirect to a benign decoy site. The fourth layer is the OAuth device-code phishing page itself, which walks the user through the login.
The kit also retains elements from earlier versions, notably CryptoJS AES-CBC encryption with a hardcoded key and the same anti-debugging logic. For the device code request, the attackers pose as the Microsoft Authentication Broker, a legitimate first-party application. Because first-party Microsoft applications are pre-consented, the only prompt the victim sees is a Microsoft-branded confirmation naming a Microsoft application, rather than a third-party consent screen listing the permissions being granted; the flow looks like an ordinary Microsoft login.
Once the victim approves, the attacker holds tokens usable against Exchange Online, Microsoft Graph, and OneDrive, among other services. A single approval can therefore expose a user's entire Microsoft 365 footprint, and the refresh token lets the attacker keep obtaining fresh access tokens without further interaction until it is revoked.
Telemetry ties the attacker infrastructure to Alibaba Cloud and shows Node.js-based tooling, identifiable by its user-agent strings in sign-in telemetry, a change from the axios-based activity seen in earlier operations.
It is worth being precise: this attack does not bypass MFA, it completes it. The user genuinely authenticates on Microsoft's legitimate platform and satisfies every MFA requirement, but the session those checks authorize belongs to the attacker's client, because the device code flow binds the approval to whoever requested the code.
The victim may believe they are approving something innocuous, such as listening to a voicemail message, when they are in fact granting persistent access to an attacker's device. This is why user awareness and security-team vigilance both matter: the page the user interacts with is the real one, so nothing on screen looks wrong.
Defenders should watch for unusual device-code authentication events (Entra sign-in logs record the authentication protocol used) and for non-browser user-agent strings in those logs, particularly alongside device-code sign-ins. The reuse of Tycoon 2FA infrastructure patterns, such as Check Domain URLs and the AES encryption routines, also offers detection opportunities in web-proxy and sandbox telemetry.
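As an added example of the sign-in log triage described above (written for this article, not eSentire's or Microsoft's code), the script below scores sign-in records for the combination of indicators the campaign exhibits. Field names follow the Microsoft Graph signIn resource; the records and the hosting-ASN set are constructed for the example and are not real telemetry.

```python
"""Triage Entra ID sign-in records for device-code phishing indicators.
Added example for this article; not eSentire's or Microsoft's code. Field
names follow the Microsoft Graph signIn resource (authenticationProtocol,
userAgent, appDisplayName, autonomousSystemNumber, ...). All records and
the hosting-ASN set below are constructed for the example."""
import json
import re

BROKER_APP = "Microsoft Authentication Broker"
# Non-browser HTTP clients commonly seen polling /token; extend as needed.
NON_BROWSER_UA = re.compile(
    r"\b(node|axios|undici|python-requests|curl|go-http-client)\b", re.I)
# Placeholder using RFC 5398 documentation ASNs; replace with the hosting /
# cloud ASNs from your own enrichment (the article names Alibaba Cloud).
HOSTING_ASNS = {64496, 64497}

# Constructed JSON-lines sign-in records, not real telemetry.
CONSTRUCTED_SIGNINS = [json.dumps(r) for r in [
    {"createdDateTime": "2026-04-28T09:12:03Z", "userPrincipalName": "alice@corp.example",
     "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "authorizationCode",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
     "ipAddress": "203.0.113.10", "autonomousSystemNumber": 64500},
    {"createdDateTime": "2026-04-28T09:40:51Z", "userPrincipalName": "carol@corp.example",
     "appDisplayName": BROKER_APP, "authenticationProtocol": "deviceCode",
     "userAgent": "axios/1.6.8", "ipAddress": "198.51.100.77", "autonomousSystemNumber": 64496},
    {"createdDateTime": "2026-04-28T10:02:17Z", "userPrincipalName": "dave@corp.example",
     "appDisplayName": BROKER_APP, "authenticationProtocol": "deviceCode",
     "userAgent": "node", "ipAddress": "198.51.100.91", "autonomousSystemNumber": 64497},
    {"createdDateTime": "2026-04-28T11:15:00Z", "userPrincipalName": "erin@corp.example",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "userAgent": "python-requests/2.31.0", "ipAddress": "203.0.113.22", "autonomousSystemNumber": 64500},
]]


def evaluate(record):
    """Score one sign-in record; returns severity and the reasons behind it."""
    reasons, score = [], 0
    if record.get("authenticationProtocol") == "deviceCode":
        score += 1
        reasons.append("device code flow used")
        if NON_BROWSER_UA.search(record.get("userAgent") or ""):
            score += 1
            reasons.append("non-browser client user-agent")
        asn = record.get("autonomousSystemNumber")
        if asn in HOSTING_ASNS:
            score += 2
            reasons.append(f"source in hosting ASN {asn}")
        # Legitimate for Windows device registration / Intune, so only a
        # weak signal on its own; strong in combination with the above.
        if record.get("appDisplayName") == BROKER_APP:
            score += 1
            reasons.append("first-party broker app")
    severity = ("high" if score >= 4 else "medium" if score >= 2
                else "low" if score else "none")
    return {"user": record.get("userPrincipalName"),
            "time": record.get("createdDateTime"),
            "ip": record.get("ipAddress"),
            "score": score, "severity": severity, "reasons": reasons}


def triage(lines):
    """Parse JSON-lines records and return scored events (score > 0), highest first."""
    results = [evaluate(json.loads(line)) for line in lines if line.strip()]
    return sorted((r for r in results if r["score"]), key=lambda r: -r["score"])


if __name__ == "__main__":
    for hit in triage(CONSTRUCTED_SIGNINS):
        print(f"{hit['severity']:6} {hit['user']:22} {hit['ip']:15} {'; '.join(hit['reasons'])}")
```

The scoring deliberately treats the Authentication Broker app as a weak signal on its own, because Windows device registration uses it legitimately; what makes the campaign stand out is the combination of the device code flow, a scripted user-agent, and a hosting-provider source. The admin using Azure CLI with the device code flow lands at medium, which is the kind of event to baseline rather than page on. The same fields exist as SigninLogs columns if you would rather express this as a KQL query.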
To reduce exposure, organizations should restrict or block the device code flow for standard users (Entra Conditional Access can target it through its authentication flows condition), enforce strict application consent policies, enable Continuous Access Evaluation (CAE) so tokens can be revoked promptly, and monitor for unusual OAuth activity. Where a user is known to have entered a code on a lure, revoking that user's refresh tokens cuts off the attacker's persistent access.
The campaign marks a real shift in phishing tactics and shows that even a strong MFA deployment can be undermined when attackers steer victims through a legitimate authentication workflow. Defending against identity and token-based attacks calls for visibility into how and to whom tokens are issued, not just whether MFA was satisfied.
