Tycoon2FA — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/actors/tycoon2fa/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 18 May 2026 10:04:48 +0000Entra ID OAuth Device Code Phishing via AiTMhttps://feed.craftedsignal.io/briefs/2026-05-entra-device-code-phishing/Mon, 18 May 2026 10:04:48 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-entra-device-code-phishing/Detects successful Microsoft Entra ID sign-ins using the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources, indicative of adversary-in-the-middle (AiTM) phishing attacks such as Tycoon 2FA.This detection identifies a specific pattern associated with adversary-in-the-middle (AiTM) phishing campaigns targeting Microsoft Entra ID. It focuses on successful sign-ins utilizing the OAuth device code authentication protocol in conjunction with the Microsoft Authentication Broker client. A key characteristic is the request for first-party Office API resources, specifically Exchange Online, Microsoft Graph, or SharePoint. The activity is flagged as interactive. This tactic is linked to AiTM phishing kits like Tycoon 2FA, where unsuspecting victims are tricked into completing device code flows, ultimately granting attackers access tokens for mail and collaboration APIs. This allows unauthorized access to sensitive data and resources within the organization’s cloud environment. The blog post from Microsoft on February 13, 2025, highlights the Storm-2372 campaign which utilizes this technique.

Attack Chain

  1. The attacker sends a phishing email or message to the victim containing a link or QR code.
  2. The victim clicks on the link or scans the QR code, which redirects them to a fake Microsoft login page controlled by the attacker.
  3. The fake login page prompts the victim to enter a device code.
  4. The attacker initiates a legitimate OAuth device code flow using the Microsoft Authentication Broker client.
  5. The victim enters the device code on the attacker-controlled page, unknowingly authorizing the attacker’s application.
  6. The attacker’s application requests access to first-party Office API resources, such as Exchange Online (resource ID 00000002-0000-0ff1-ce00-000000000000), Microsoft Graph (00000003-0000-0ff1-ce00-000000000000), or SharePoint (00000005-0000-0ff1-ce00-000000000000).
  7. The Microsoft Authentication Broker authenticates the request as interactive.
  8. The attacker gains access to the victim’s mail and collaboration APIs via the obtained access tokens, enabling data exfiltration and other malicious activities.

Impact

Successful exploitation leads to unauthorized access to the victim’s Microsoft Entra ID account and associated resources, including email, files, and other sensitive data. This can result in data theft, financial loss, and reputational damage to the organization. The Tycoon 2FA kit, as referenced, facilitates this type of attack, bypassing traditional multi-factor authentication methods. The scale of impact depends on the scope of access granted to the compromised account.

Recommendation

  • Deploy the Sigma rule “Entra ID OAuth Device Code Phishing via AiTM” to your SIEM to detect suspicious device code authentication flows.
  • Investigate any alerts triggered by the Sigma rule, focusing on azure.signinlogs.properties.user_principal_name, azure.signinlogs.properties.session_id, source.ip, and azure.signinlogs.properties.resource_display_name.
  • Implement conditional access policies to restrict device code flows to trusted networks and devices, mitigating the risk of AiTM attacks (reference: Microsoft documentation on conditional access).
  • Revoke refresh tokens for any compromised users and reset their credentials per policy, as mentioned in the investigation steps.
]]>highthreatcloudidentityazureentra_idphishing