Product

Exchange Online

3 briefs RSS

Entra ID OAuth Device Code Phishing via AiTM

Detects successful Microsoft Entra ID sign-ins using the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources, indicative of adversary-in-the-middle (AiTM) phishing attacks such as Tycoon 2FA.

Entra ID +3 Tycoon2FA cloud identity azure entra_id phishing

2r 3t 2d ago

high advisory

Microsoft 365 AiTM UserLoggedIn via Office App (Tycoon2FA)

2 rules 2 TTPs

This rule detects Microsoft 365 audit events indicative of Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity, identifying UserLoggedIn events where the Microsoft Authentication Broker requests access to Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents, bypassing MFA by relaying authentication and capturing session material.

Microsoft 365 +2 cloud identity saas microsoft365 aitm tycoon2fa phishing

2r 2t 2d ago

medium advisory

Tycoon2FA AiTM Phishing via Microsoft Entra ID Sign-Ins

2 rules 2 TTPs

Detects Microsoft Entra ID sign-ins consistent with Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity targeting Microsoft 365 and Gmail, where the Microsoft Authentication Broker requests tokens for Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents (node, axios, undici).

Microsoft Entra ID +3 tycoon2fa aitm entra_id phishing credential_access

2r 2t 2d ago