The phishing kit Tycoon 2FA has a new variant that takes over Microsoft 365 accounts without ever showing the victim a fake login page. The whole attack runs through the real Microsoft login. eSentire's Threat Response Unit documented the variant in late April 2026.

The lure email looks like a forwarded vendor invoice with a link from Trustifi, a legitimate email security vendor whose click tracker is being abused for its clean reputation (eSentire found no vulnerability in Trustifi itself). The link redirects through Cloudflare Workers to a fake Microsoft 365 voicemail page that hands the victim a code and tells them to enter it at microsoft.com/devicelogin to listen. That URL is real Microsoft. The victim enters their real credentials, completes their real MFA, and Microsoft issues OAuth access tokens to the attacker's device.

Tycoon 2FA has been operating since 2023. Microsoft, Europol, eSentire, and other partners coordinated a takedown in March 2026; operators were back within weeks on fresh infrastructure.

As eSentire put it: the phish does not bypass MFA, it changes what MFA is being used to authorize. They recommend blocking OAuth device code flows via Conditional Access for users who don't need them.

Sources:
- eSentire: https://www.esentire.com/blog/tycoon-2fa-operators-adopt-oauth-device-code-phishing
- Bleeping Computer: https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/
- Microsoft (March 2026): https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/
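To check that the Conditional Access block eSentire recommends is actually in force, the added example below (not code from eSentire, Microsoft, or this channel) audits an exported policy list. Field names follow the Microsoft Graph `conditionalAccessPolicy` JSON shape; the policy names, group IDs, and the `audit_device_code_block` helper are constructed for illustration.

```python
def _flows(policy):
    """Return the set of authentication flows a policy's conditions target."""
    cond = policy.get("conditions") or {}
    raw = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    parts = raw if isinstance(raw, list) else raw.split(",")  # flags enum: "a,b"
    return {p.strip() for p in parts if p.strip()}


def audit_device_code_block(policies):
    """Summarise which policies block deviceCodeFlow and how well they cover users."""
    findings = []
    for p in policies:
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "deviceCodeFlow" not in _flows(p) or "block" not in controls:
            continue  # not a device-code block policy
        users = (p.get("conditions") or {}).get("users") or {}
        findings.append({
            "name": p.get("displayName"),
            # report-only ("enabledForReportingButNotEnforced") logs but does not block
            "enforced": p.get("state") == "enabled",
            "all_users": "All" in (users.get("includeUsers") or []),
            "excluded": (users.get("excludeUsers") or [])
                        + (users.get("excludeGroups") or []),
        })
    enforced = [f for f in findings if f["enforced"]]
    return {
        "protected": any(f["all_users"] for f in enforced),
        "enforced_policies": [f["name"] for f in enforced],
        "not_enforced": [f["name"] for f in findings if not f["enforced"]],
        # every exclusion is an account that can still be device-code phished
        "exclusions_to_review": sorted({e for f in enforced for e in f["excluded"]}),
    }


# Constructed sample export: a report-only block, a pilot-only block, an MFA policy.
SAMPLE_POLICIES = [
    {"displayName": "Block device code flow", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Block device code (pilot group)", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-pilot"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print(audit_device_code_block(SAMPLE_POLICIES))
```

On the sample export the tenant is reported as not protected: the all-users policy is still in report-only mode and the enforced one covers only a pilot group.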
