Skip to content
Threat Feed

Product

Exchange Online

4 briefs RSS
high advisory

Microsoft 365 OAuth Device Code Phishing Exploits Non-Compliant Devices

Attackers are actively exploiting the OAuth device code flow in Microsoft 365 to bypass multi-factor authentication (MFA) and gain initial access, leveraging phishing kits like Kali365 and tradecraft similar to Storm-2372 to harvest MFA-satisfied tokens from non-compliant or attacker-controlled devices, and subsequently establishing persistence through device registration.

Microsoft 365 +4 cloud saas identity microsoft-365 initial-access phishing persistence
2r 3t
high threat

Entra ID OAuth Device Code Phishing via AiTM

Detects successful Microsoft Entra ID sign-ins using the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources, indicative of adversary-in-the-middle (AiTM) phishing attacks such as Tycoon 2FA.

Entra ID +3 Tycoon2FA cloud identity azure entra_id phishing
2r 3t
high advisory

Microsoft 365 AiTM UserLoggedIn via Office App (Tycoon2FA)

This rule detects Microsoft 365 audit events indicative of Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity, identifying UserLoggedIn events where the Microsoft Authentication Broker requests access to Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents, bypassing MFA by relaying authentication and capturing session material.

Microsoft 365 +2 cloud identity saas microsoft365 aitm tycoon2fa phishing
2r 2t
medium advisory

Tycoon2FA AiTM Phishing via Microsoft Entra ID Sign-Ins

Detects Microsoft Entra ID sign-ins consistent with Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity targeting Microsoft 365 and Gmail, where the Microsoft Authentication Broker requests tokens for Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents (node, axios, undici).

Microsoft Entra ID +3 tycoon2fa aitm entra_id phishing credential_access
2r 2t