{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/trustifi/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Trustifi","Cloudflare Workers"],"_cs_severities":["high"],"_cs_tags":["phishing","device-code phishing","microsoft 365","oauth","tycoon2fa"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Trustifi","Cloudflare"],"content_html":"\u003cp\u003eThe Tycoon2FA phishing kit has been updated to include device-code phishing capabilities, allowing attackers to compromise Microsoft 365 accounts. Despite a law enforcement disruption in March 2026, the Tycoon2FA platform has been rebuilt and is back to normal activity levels. Observed in a campaign in late April 2026, the kit now leverages OAuth 2.0 device authorization grant flows. This new technique involves tricking users into entering a code on a legitimate Microsoft login page, which in turn authorizes a rogue device controlled by the attacker. The kit also includes extensive anti-analysis measures to evade detection, blocking security vendors, VPNs, sandboxes, and AI crawlers, with its blocklist containing 230 vendor names and constantly being updated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim receives a phishing email containing a Trustifi click-tracking URL, often themed as an invoice.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the Trustifi URL, which redirects through Trustifi\u0026rsquo;s infrastructure.\u003c/li\u003e\n\u003cli\u003eThe traffic is further redirected through Cloudflare Workers.\u003c/li\u003e\n\u003cli\u003eMultiple layers of obfuscated JavaScript are executed in the victim\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe victim is presented with a fake Microsoft CAPTCHA page.\u003c/li\u003e\n\u003cli\u003eThe phishing page retrieves a Microsoft OAuth device code from the attacker\u0026rsquo;s backend.\u003c/li\u003e\n\u003cli\u003eThe victim is instructed to copy and paste the device code to \u003ccode\u003emicrosoft.com/devicelogin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim completes multi-factor authentication (MFA) on their end.\u003c/li\u003e\n\u003cli\u003eMicrosoft issues OAuth access and refresh tokens to the attacker-controlled device, granting unauthorized access to the victim\u0026rsquo;s Microsoft 365 account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful device-code phishing attacks using the Tycoon2FA kit allow attackers to gain unrestricted access to the victim\u0026rsquo;s Microsoft 365 data and services, including email, calendar, and cloud file storage. Push Security reported a 37x increase in device code phishing attacks this year, highlighting the growing threat. The compromised accounts can be used for data exfiltration, business email compromise (BEC), or further lateral movement within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDisable the OAuth device code flow when not needed, as recommended by eSentire, to prevent this attack vector.\u003c/li\u003e\n\u003cli\u003eRestrict OAuth consent permissions and require admin approval for third-party apps, as recommended by eSentire, to limit the impact of compromised accounts.\u003c/li\u003e\n\u003cli\u003eEnable Continuous Access Evaluation (CAE) and enforce compliant device access policies, as recommended by eSentire, to detect and mitigate unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor Entra logs for deviceCode authentication, Microsoft Authentication Broker usage, and Node.js user agents, as recommended by eSentire, to identify potential device-code phishing attacks.\u003c/li\u003e\n\u003cli\u003eBlock access to \u003ccode\u003emicrosoft.com/devicelogin\u003c/code\u003e from untrusted networks or devices, as referenced in the Attack Chain, to prevent users from entering device codes on potentially malicious sites.\u003c/li\u003e\n\u003cli\u003eImplement detections for redirections originating from Trustifi click-tracking URLs to suspicious Microsoft login pages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-17T14:44:12Z","date_published":"2026-05-17T14:44:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-tycoon2fa-device-code-phishing/","summary":"The Tycoon2FA phishing kit now supports device-code phishing attacks targeting Microsoft 365 accounts, abusing Trustifi click-tracking URLs, redirecting victims through Cloudflare Workers to a fake Microsoft CAPTCHA page, tricking them into entering a device code, and granting attackers OAuth tokens and access to their Microsoft 365 accounts.","title":"Tycoon2FA Phishing Kit Targets Microsoft 365 Accounts with Device-Code Phishing","url":"https://feed.craftedsignal.io/briefs/2026-05-tycoon2fa-device-code-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed — Trustifi","version":"https://jsonfeed.org/version/1.1"}