{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/tycoon2fa/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Tycoon2FA"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Entra ID","Exchange Online","Microsoft Graph","SharePoint"],"_cs_severities":["high"],"_cs_tags":["cloud","identity","azure","entra_id","phishing"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies a sign-in pattern associated with adversary-in-the-middle (AiTM) and device code phishing campaigns targeting Microsoft Entra ID. It matches successful sign-ins whose authentication protocol is the OAuth 2.0 device authorization grant (device code flow) and whose client application is the Microsoft Authentication Broker, where the token was issued for a first-party Office API resource: Exchange Online, Microsoft Graph, or SharePoint Online. Because the victim completes the flow in a browser, Entra ID records the sign-in in the interactive sign-in logs. The combination is what makes the activity suspicious: the broker client normally appears in device registration and single sign-on flows on managed devices, not in a device code prompt that yields mail or collaboration tokens. This tactic is linked to phishing kits such as Tycoon 2FA, where victims are tricked into completing a device code flow the attacker started, handing the attacker access and refresh tokens for mail and collaboration APIs and, with them, unauthorized access to sensitive data in the organization\u0026rsquo;s cloud environment. 
Microsoft\u0026rsquo;s blog post of February 13, 2025 on the Storm-2372 campaign documents the same technique in use.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a phishing email or message to the victim containing a link or QR code.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link or scans the QR code and lands on a page controlled by the attacker that imitates a Microsoft sign-in prompt.\u003c/li\u003e\n\u003cli\u003eThe page instructs the victim to enter a device code (the user code), either on a proxied copy of the Microsoft device login page or by sending the victim on to the genuine one.\u003c/li\u003e\n\u003cli\u003eIn the background the attacker initiates a legitimate OAuth device code flow with the Microsoft Authentication Broker client ID, requesting a first-party Office API resource such as Exchange Online (resource ID 00000002-0000-0ff1-ce00-000000000000), Microsoft Graph (00000003-0000-0000-c000-000000000000), or SharePoint Online (00000003-0000-0ff1-ce00-000000000000). The user code returned by that request is the one shown to the victim, and the attacker starts polling the token endpoint with the matching device code.\u003c/li\u003e\n\u003cli\u003eThe victim enters the user code and signs in, completing MFA themselves, which authorizes the attacker\u0026rsquo;s pending request.\u003c/li\u003e\n\u003cli\u003eThe token endpoint now returns access and refresh tokens to the attacker for the requested first-party resource.\u003c/li\u003e\n\u003cli\u003eEntra ID records the sign-in in the interactive sign-in logs with authentication protocol deviceCode and client app Microsoft Authentication Broker, which is the event this detection matches.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the tokens against the victim\u0026rsquo;s mail and collaboration APIs, enabling data exfiltration and other malicious activity; the refresh token keeps that access alive after the victim\u0026rsquo;s browser session ends.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives the attacker unauthorized access to the victim\u0026rsquo;s Microsoft Entra ID account and the resources the token covers, including email, files, and other sensitive data. This can result in data theft, financial loss, and reputational damage to the organization. Kits such as Tycoon 2FA make this repeatable, and because the victim satisfies the MFA prompt in their own browser, traditional multi-factor authentication does not stop it. 
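\u003c/p\u003e
\u003cp\u003eThe following is an added example written for this brief, not code from CraftedSignal, Microsoft, or the Sigma rule itself. It implements the detection logic described above, keyed to the attack chain, as a Python function run over constructed Entra ID sign-in records. The records are shaped like the Microsoft Graph signIn resource (authenticationProtocol, appId, resourceId, isInteractive, status.errorCode) rather than the SIEM field names used in the recommendations; that mapping, and the choice of resource GUIDs to treat as first-party Office APIs, are assumptions you should align with your own pipeline.\u003c/p\u003e

```python
# Added example for this brief; not CraftedSignal, Microsoft or Sigma code.
# Field names follow the Microsoft Graph signIn resource (assumed to match
# your pipeline); the GUIDs are the well-known first-party application IDs.
from dataclasses import dataclass

MICROSOFT_AUTHENTICATION_BROKER = '29d9ed98-a469-4536-ade2-f981bc1d605e'

# Resource (audience) IDs the detection treats as first-party Office APIs.
FIRST_PARTY_OFFICE_RESOURCES = {
    '00000002-0000-0ff1-ce00-000000000000': 'Office 365 Exchange Online',
    '00000003-0000-0000-c000-000000000000': 'Microsoft Graph',
    '00000003-0000-0ff1-ce00-000000000000': 'Office 365 SharePoint Online',
}


@dataclass(frozen=True)
class Alert:
    # The pivot fields named in the recommendations.
    user_principal_name: str
    session_id: str
    source_ip: str
    resource_display_name: str


def is_aitm_device_code_signin(event):
    # 1. Only successful sign-ins: Entra reports errorCode 0 on success.
    if event.get('status', {}).get('errorCode') != 0:
        return False
    # 2. The victim authorised a device code flow, which Entra logs as an
    #    interactive sign-in with authenticationProtocol deviceCode.
    if event.get('authenticationProtocol') != 'deviceCode':
        return False
    if event.get('isInteractive') is not True:
        return False
    # 3. The polling client is the Microsoft Authentication Broker.
    if event.get('appId') != MICROSOFT_AUTHENTICATION_BROKER:
        return False
    # 4. The token is for mail or collaboration APIs rather than the device
    #    registration resources the broker client normally requests.
    return event.get('resourceId') in FIRST_PARTY_OFFICE_RESOURCES


def find_alerts(events):
    # Reduce a batch of sign-in records to the fields an analyst pivots on.
    return [
        Alert(
            user_principal_name=event.get('userPrincipalName', ''),
            session_id=event.get('sessionId', ''),
            source_ip=event.get('ipAddress', ''),
            resource_display_name=event.get('resourceDisplayName', ''),
        )
        for event in events
        if is_aitm_device_code_signin(event)
    ]


def _broker_signin(resource_id, resource_name, error_code=0,
                   protocol='deviceCode', app_id=MICROSOFT_AUTHENTICATION_BROKER):
    # Builds constructed sample records; none of this is real telemetry.
    return {
        'userPrincipalName': 'victim@contoso.example',
        'ipAddress': '203.0.113.10',
        'sessionId': 'sess-0001',
        'status': {'errorCode': error_code},
        'authenticationProtocol': protocol,
        'isInteractive': True,
        'appId': app_id,
        'resourceId': resource_id,
        'resourceDisplayName': resource_name,
    }


# Constructed sample batch: one true positive and three records that should
# not fire, each failing exactly one of the four conditions above.
SAMPLE_EVENTS = [
    # True positive: the pattern from the attack chain.
    _broker_signin('00000003-0000-0000-c000-000000000000', 'Microsoft Graph'),
    # Benign: same client and protocol, but the resource is the Device
    # Registration Service, which is what a broker device code sign-in targets.
    _broker_signin('01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9', 'Device Registration Service'),
    # Failed attempt: non-zero errorCode (the victim never finished the flow).
    _broker_signin('00000002-0000-0ff1-ce00-000000000000', 'Office 365 Exchange Online',
                   error_code=70016),
    # Ordinary browser sign-in to Exchange from the Office client: not device code.
    _broker_signin('00000002-0000-0ff1-ce00-000000000000', 'Office 365 Exchange Online',
                   protocol='oAuth2', app_id='d3590ed6-52b3-4102-aeff-aad2292ab01c'),
]


if __name__ == '__main__':
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

\u003cp\u003eOnly the first record matches. The second shows why the resource check matters: the broker client using device code against the Device Registration Service is expected on managed devices, and alerting on every broker device code sign-in would drown the analyst. In a SIEM the same four conditions are the rule body, and the resource allow-list is where tuning happens.\u003c/p\u003e
\u003cp\u003e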
The scale of impact depends on the resource the token was issued for and on the scope of access the compromised account holds.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Entra ID OAuth Device Code Phishing via AiTM\u0026rdquo; to your SIEM to detect successful device code sign-ins by the Microsoft Authentication Broker to first-party Office API resources.\u003c/li\u003e\n\u003cli\u003eInvestigate any alert by pivoting on \u003ccode\u003eazure.signinlogs.properties.user_principal_name\u003c/code\u003e, \u003ccode\u003eazure.signinlogs.properties.session_id\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003eazure.signinlogs.properties.resource_display_name\u003c/code\u003e: confirm with the user whether they entered a code, compare the source IP with their usual locations and devices, and look for other sign-ins and mailbox or file activity tied to the same session.\u003c/li\u003e\n\u003cli\u003eUse Conditional Access to block the device code flow, or allow it only from trusted locations and compliant devices; the authentication flows condition targets this flow specifically, so legitimate browser and app sign-ins are unaffected (reference: Microsoft documentation on conditional access).\u003c/li\u003e\n\u003cli\u003eRevoke refresh tokens (sign-in sessions) for any affected users so that tokens the attacker already holds stop renewing, and reset their credentials per policy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T10:04:48Z","date_published":"2026-05-18T10:04:48Z","id":"https://feed.craftedsignal.io/briefs/2026-05-entra-device-code-phishing/","summary":"Detects successful Microsoft Entra ID sign-ins using the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources, indicative of adversary-in-the-middle (AiTM) phishing attacks such as Tycoon 2FA.","title":"Entra ID OAuth Device Code Phishing via AiTM","url":"https://feed.craftedsignal.io/briefs/2026-05-entra-device-code-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed — Tycoon2FA","version":"https://jsonfeed.org/version/1.1"}