
Tycoon2FA Rebounds: Device-Code Phishing Bypasses MFA to Hijack Microsoft 365 Accounts

The Tycoon2FA phishing-as-a-service kit has rebounded after a March takedown, now weaponizing OAuth device-code flows to steal Microsoft 365 tokens — rendering traditional MFA useless. Here's what Saudi CISOs need to know.

FyntraLink Team

Europol and Microsoft dismantled the Tycoon2FA phishing infrastructure in March 2026. Barely six weeks later, the operators are back — same encryption keys, same backend routes, same evasion tricks — with a devastating new capability: OAuth device-code phishing that renders multi-factor authentication meaningless. eSentire's Threat Response Unit confirmed the resurgence on May 16, and telemetry already shows active campaigns targeting financial-sector tenants across the Gulf region.

What Is Tycoon2FA and Why It Matters Now

Tycoon2FA is a phishing-as-a-service (PhaaS) platform that sells turnkey credential-theft kits to threat actors with minimal technical skill. Since its emergence in late 2023, the kit has steadily climbed the ranks to become one of the most prolific adversary-in-the-middle (AiTM) platforms in circulation. At least ten separate PhaaS operations and private toolkits have been observed integrating Tycoon2FA's techniques, and campaign volumes have surged roughly 37-fold over the past twelve months according to Abnormal AI telemetry.

What makes the May 2026 variant uniquely dangerous is its pivot from traditional reverse-proxy session hijacking to OAuth 2.0 Device Authorization Grant abuse. Instead of proxying the victim's session in real time, the attacker tricks the victim into authorizing a rogue device on Microsoft's own legitimate login page — microsoft.com/devicelogin — which issues OAuth access and refresh tokens directly to attacker-controlled infrastructure.

The Four-Layer Kill Chain: From Email to Token Theft

The attack begins with a lure email containing a Trustifi click-tracking URL, chosen specifically because Trustifi domains carry high sender reputation scores and often pass email gateway filters. Once clicked, the victim is funneled through a four-layer delivery chain designed to evade security tooling at every stage.

Layer 1 — Payload Decryption: The landing page decrypts a hidden payload in the victim's browser using AES-GCM with an obfuscated JavaScript loader. The same AES key observed in pre-takedown Tycoon2FA campaigns is still in use, confirming the operators simply restored from backup.

Layer 2 — Anti-Analysis Gate: The kit performs sandbox detection, debugger timing traps, and ASN-based filtering against more than 230 security vendors. If the visitor's IP resolves to a known security lab, they see a harmless decoy page and the attack aborts silently.

Layer 3 — Fake CAPTCHA ("HumanCheck"): Victims who pass the filter encounter a convincing Microsoft-branded CAPTCHA. Behind the scenes, the kit queries a "Check Domain" endpoint to decide whether the target organization is worth phishing or should be redirected to a benign site.

Layer 4 — Device-Code Phishing: This is where the real damage occurs. The victim is guided through a flow that presents a short alphanumeric code and instructs them to enter it at Microsoft's legitimate device-login page. By completing this step, the victim unknowingly authorizes an attacker-controlled device running on Alibaba Cloud infrastructure (AS45102), granting it OAuth access and refresh tokens for their entire Microsoft 365 tenant.

Why MFA Cannot Stop This Attack

The critical distinction between Tycoon2FA's device-code approach and traditional credential phishing is that MFA still fires — the victim sees their authenticator prompt, approves it, and believes they are logging in normally. The problem is that MFA is authorizing the attacker's device, not the victim's. Once the OAuth consent is granted, the attacker holds refresh tokens that persist for days or weeks, providing continuous access to Exchange Online, Microsoft Graph, OneDrive, and SharePoint without triggering further MFA challenges.

The kit impersonates Microsoft Authentication Broker (AppId: 29d9ed98-a469-4536-ade2-f981bc1d605e), a first-party trusted application. Because this app is pre-trusted in every Azure AD tenant, the consent prompt appears entirely legitimate and does not trigger the conditional access policies that would normally flag third-party OAuth grants.
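The following model of the OAuth 2.0 Device Authorization Grant (RFC 8628) shows the property the two paragraphs above rely on: the user's MFA approval at the verification URI is keyed only on the short user code, so it authorizes whichever client requested that code, wherever that client sits. It also shows where a tenant-side block of the device code flow takes effect. This is an added illustration written for this article, not Tycoon2FA's code and not Microsoft's; the users, IP addresses, token formats and MFA stub are constructed, and only the Authentication Broker AppId and the verification URI are taken from the article.

```python
"""Model of the OAuth 2.0 Device Authorization Grant (RFC 8628) showing why an
MFA approval at the verification URI binds to the *requesting client*, not to
the user's own machine, and where a Conditional Access block of the flow takes
effect.  Added example; not Tycoon2FA's code and not Microsoft's.  Users, IPs,
token formats and the MFA stub are constructed; only the Authentication Broker
AppId and the verification URI come from the article.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional

AUTH_BROKER_APPID = "29d9ed98-a469-4536-ade2-f981bc1d605e"  # from the article
VERIFICATION_URI = "https://microsoft.com/devicelogin"       # from the article


@dataclass
class DeviceRequest:
    client_id: str
    requesting_ip: str            # the machine that asked for the code
    user_code: str                # short code the user is told to type
    device_code: str              # long secret the requesting client polls with
    approved_by: Optional[str] = None


class AuthorizationServer:
    """Minimal stand-in for the identity provider."""

    def __init__(self, block_device_code_flow: bool, excluded_users: set[str]):
        # Models a Conditional Access policy: block the device code flow for
        # everyone except an exclusion group (kiosk/IoT service accounts).
        self.block_device_code_flow = block_device_code_flow
        self.excluded_users = excluded_users
        self.pending: dict[str, DeviceRequest] = {}

    def device_authorization(self, client_id: str, requesting_ip: str) -> dict:
        """RFC 8628 section 3.2: issue user_code + device_code to the requesting client."""
        user_code = secrets.token_hex(4).upper()      # constructed code format
        req = DeviceRequest(client_id, requesting_ip, user_code, secrets.token_urlsafe(32))
        self.pending[user_code] = req
        return {"user_code": user_code, "device_code": req.device_code,
                "verification_uri": VERIFICATION_URI}

    def user_enters_code(self, user: str, user_code: str, mfa_ok: bool) -> tuple[bool, str]:
        """RFC 8628 section 3.3: the user authenticates at the verification URI
        (MFA included) and approves whichever pending request holds this
        user_code.  Nothing in the protocol ties the approval to the user's own
        device, so the policy check here is the only place the tenant can refuse."""
        req = self.pending.get(user_code)
        if req is None:
            return False, "unknown_code"
        if not mfa_ok:
            return False, "mfa_failed"
        if self.block_device_code_flow and user not in self.excluded_users:
            return False, "blocked_by_conditional_access"
        req.approved_by = user
        return True, "approved"

    def token(self, device_code: str) -> dict:
        """RFC 8628 section 3.4: the requesting client polls; tokens go to it, wherever it is."""
        req = next((r for r in self.pending.values() if r.device_code == device_code), None)
        if req is None:
            return {"error": "invalid_grant"}
        if req.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": "at-" + secrets.token_hex(8),   # constructed tokens
                "refresh_token": "rt-" + secrets.token_hex(8),
                "issued_to_client": req.client_id,
                "issued_to_ip": req.requesting_ip,
                "approved_by": req.approved_by}


def run_scenario(block_flow: bool) -> dict:
    """Same user action under two tenant configurations."""
    idp = AuthorizationServer(block_flow, excluded_users={"kiosk-svc@example.com"})
    # The requesting client presents the pre-trusted first-party AppId; the
    # user's browser session and the requesting client are on different networks.
    grant = idp.device_authorization(AUTH_BROKER_APPID, requesting_ip="198.51.100.23")
    approved, reason = idp.user_enters_code("alice@example.com", grant["user_code"], mfa_ok=True)
    return {"approved": approved, "reason": reason, "tokens": idp.token(grant["device_code"])}


if __name__ == "__main__":
    for block in (False, True):
        print("block_device_code_flow =", block, "->", run_scenario(block))
```

Run with the policy disabled and the refresh token is issued to the requesting client's address even though the MFA approval came from the user; with the block enabled the approval step itself is refused for everyone outside the exclusion group, which is the control recommended later in the article.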

Impact on Saudi Financial Institutions

Saudi banks, insurance companies, and fintech firms operating under SAMA supervision have aggressively adopted Microsoft 365 over the past three years. The SAMA Cyber Security Common Controls (CSCC) framework mandates strong authentication under Control 3-2-2 and privileged access management under Control 3-3-1, but neither control explicitly addresses OAuth device authorization grant abuse — a gap that Tycoon2FA exploits directly.

The NCA Essential Cybersecurity Controls (ECC) framework's email security controls (ECC 2-6-3) require organizations to implement anti-phishing technologies, but device-code phishing emails carry no malicious attachments and link to legitimate Microsoft domains, making them extremely difficult for Secure Email Gateways (SEGs) to detect. Furthermore, because the tokens grant access to Exchange Online, a successful compromise can enable data exfiltration that violates the Personal Data Protection Law (PDPL) — exposing the institution to regulatory penalties on multiple fronts.

Critically, attackers who obtain refresh tokens can silently configure mail forwarding rules, exfiltrate sensitive financial communications, and establish persistence that survives password resets. For institutions subject to PCI-DSS requirements, token theft from a Microsoft 365 environment connected to payment processing workflows creates a direct path to cardholder data exposure.

Defensive Recommendations for CISOs

  1. Block device-code authentication flows: In Azure AD Conditional Access, create a policy that blocks the Device Code Flow grant type for all users except a tightly scoped exclusion group for legitimate IoT or kiosk devices. Microsoft documents this under "Authentication flows — Device code flow" in the Conditional Access policy builder.
  2. Restrict OAuth consent to admin-approved apps: Configure the "User consent settings" in Azure AD to require admin approval for all OAuth app registrations. This prevents the Microsoft Authentication Broker impersonation from silently gaining consent.
  3. Deploy token protection (token binding): Enable Azure AD token protection in Conditional Access to bind tokens to the specific device that requested them. Stolen tokens become unusable on attacker infrastructure.
  4. Implement phishing-resistant MFA: Migrate from push-based MFA (which approves whatever device initiated the flow) to FIDO2 security keys or certificate-based authentication. SAMA CSCC Control 3-2-2 alignment is significantly stronger with hardware-bound credentials.
  5. Monitor for anomalous OAuth grants: Configure Microsoft Defender for Cloud Apps or your SIEM to alert on new OAuth application consents, especially those involving first-party Microsoft AppIds from unexpected IP ranges or ASNs (particularly AS45102 — Alibaba Cloud).
  6. Hunt for Trustifi redirect chains: Query your email gateway and proxy logs for Trustifi click-tracking domains followed by rapid redirects to microsoft.com/devicelogin. This pattern is a strong indicator of Tycoon2FA activity.
  7. Conduct targeted awareness training: Brief finance, treasury, and compliance teams specifically on device-code phishing scenarios. Traditional phishing awareness that focuses on "check the URL" is ineffective when the final login page is genuinely microsoft.com.
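Recommendations 5 and 6 are hunting rules, so here they are as runnable detection logic over sample logs. This is an added example, not Fyntralink's, eSentire's or Microsoft's tooling. The sign-in records use field names modeled on Entra ID sign-in logs (`authenticationProtocol`, `autonomousSystemNumber`), but every record, IP address and proxy line is constructed; `EXPECTED_ASNS` and `TRACKER_DOMAINS` are placeholders to be replaced with your own egress ASNs and the click-tracking domains observed in your gateway logs. The article names AS45102 and microsoft.com/devicelogin; everything else is assumed.

```python
"""Hunting rules for recommendations 5 and 6: device-code sign-ins from
unexpected ASNs, and click-tracker -> devicelogin redirect chains, with a
correlation step that raises severity when one user trips both rules.
Added example, not Fyntralink's, eSentire's or Microsoft's tooling.  Field
names follow Entra ID sign-in logs, but every record, IP and tracker domain
below is constructed; EXPECTED_ASNS and TRACKER_DOMAINS are placeholders.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from urllib.parse import urlparse

AUTH_BROKER_APPID = "29d9ed98-a469-4536-ade2-f981bc1d605e"   # from the article
SUSPECT_ASNS = {45102}                                        # AS45102, from the article
EXPECTED_ASNS = {64500}                                       # placeholder: your corporate egress ASN(s)
TRACKER_DOMAINS = {"click.tracker.example"}                   # placeholder for real click-tracking domains
DEVICELOGIN_HOST = "microsoft.com"                            # from the article
DEVICELOGIN_PATH = "/devicelogin"

# Constructed sign-in records (subset of Entra sign-in log fields).
SIGNINS = [
    {"time": "2026-05-18T08:01:12Z", "user": "alice@example.com", "appId": AUTH_BROKER_APPID,
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23", "autonomousSystemNumber": 45102},
    {"time": "2026-05-18T08:05:40Z", "user": "bob@example.com", "appId": AUTH_BROKER_APPID,
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.7", "autonomousSystemNumber": 64500},
    {"time": "2026-05-18T09:15:03Z", "user": "kiosk-svc@example.com", "appId": AUTH_BROKER_APPID,
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9", "autonomousSystemNumber": 64500},
]

# Constructed proxy log lines: "<ISO time> <user> <url>".
PROXY_LOG = """\
2026-05-18T07:59:50Z alice@example.com https://click.tracker.example/t/abc123
2026-05-18T07:59:58Z alice@example.com https://landing.example/humancheck
2026-05-18T08:00:31Z alice@example.com https://microsoft.com/devicelogin
2026-05-18T08:30:00Z bob@example.com https://click.tracker.example/t/def456
2026-05-18T08:31:00Z bob@example.com https://newsletter.example/article
2026-05-18T11:00:00Z carol@example.com https://microsoft.com/devicelogin
"""


def flag_device_code_signins(records, expected_asns=EXPECTED_ASNS, suspect_asns=SUSPECT_ASNS):
    """Rule 5: device-code sign-ins from an ASN that is explicitly suspect (high)
    or simply not one of the tenant's known egress ASNs (medium)."""
    hits = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        asn = r["autonomousSystemNumber"]
        if asn in suspect_asns or asn not in expected_asns:
            severity = "high" if asn in suspect_asns else "medium"
            hits.append({"user": r["user"], "ip": r["ipAddress"], "asn": asn,
                         "appId": r["appId"], "severity": severity})
    return hits


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_redirect_chains(log_text: str, window: timedelta = timedelta(minutes=5)):
    """Rule 6: a click-tracker hit followed by microsoft.com/devicelogin from the
    same user within `window`.  Intermediate hops (the landing page) are ignored."""
    last_tracker: dict[str, datetime] = {}
    chains = []
    for line in log_text.splitlines():
        ts, user, url = line.split(" ", 2)
        t, u = _parse(ts), urlparse(url)
        if u.hostname in TRACKER_DOMAINS:
            last_tracker[user] = t
        elif u.hostname == DEVICELOGIN_HOST and u.path == DEVICELOGIN_PATH:
            start = last_tracker.get(user)
            if start is not None and t - start <= window:
                chains.append({"user": user, "devicelogin_at": ts,
                               "seconds": int((t - start).total_seconds())})
    return chains


def correlate(signin_hits, chains):
    """A user who appears in both rules is far more likely a real victim than
    an unusual but legitimate device-code sign-in; promote to critical."""
    chained = {c["user"] for c in chains}
    return [dict(h, severity="critical") if h["user"] in chained else h for h in signin_hits]


if __name__ == "__main__":
    hits = flag_device_code_signins(SIGNINS)
    chains = find_redirect_chains(PROXY_LOG)
    for alert in correlate(hits, chains):
        print(alert)
```

In the sample data only alice trips both rules (device-code sign-in from AS45102 about a minute after a tracker click), the kiosk service account's device-code sign-in from the expected ASN is left alone, and bob's tracker click with no devicelogin follow-up is not a chain. In production, feed rule 5 from exported sign-in logs and rule 6 from the proxy or SEG click logs, and tune the window to the redirect timing you observe.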

Conclusion

Tycoon2FA's rapid resurgence after a coordinated international takedown demonstrates that phishing-as-a-service operators have matured their disaster-recovery capabilities to enterprise-grade levels. The shift to OAuth device-code abuse represents a fundamental escalation — attackers are no longer stealing passwords; they are stealing authorization grants that persist beyond password changes and bypass MFA entirely. Saudi financial institutions must move beyond checkbox compliance and proactively close the OAuth authorization gap in their Microsoft 365 environments before this technique becomes the default playbook for every financially motivated threat actor in the region.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that includes OAuth and identity-layer threat evaluation for your Microsoft 365 environment.