The Tycoon2FA phishing-as-a-service toolkit has been updated to include a device-code authentication attack against Microsoft 365, enabling threat actors to hijack accounts and obtain persistent OAuth refresh tokens without ever requiring the victim’s password or multi-factor authentication code. The updated toolkit also routes phishing links through legitimate click-tracking services to obscure malicious destinations from email security filters.
How Tycoon2FA’s Device-Code Attack Delivers a Valid Microsoft 365 Session to the Attacker
The device-code phishing flow exploits a legitimate Microsoft authentication mechanism designed for devices without keyboards — smart televisions, IoT equipment, and similar hardware that cannot support traditional username and password entry. In that flow, a device generates a short code and asks the user to enter it at a Microsoft authentication URL on a separate device. Once entered, Microsoft issues a token to the originating device.
Tycoon2FA weaponizes this flow against Microsoft 365 users. The attacker initiates a device-code request on their own end, generating the code. The victim receives a phishing email routed through a legitimate click-tracking service — masking the destination URL from email filters — and is directed to a page prompting them to complete what appears to be a Microsoft 365 device-code authentication step. The victim enters the attacker’s device code into Microsoft’s legitimate authentication interface.
Why MFA Does Not Stop Device-Code Phishing: OAuth Tokens, Not Credentials
The critical distinction between device-code phishing and traditional credential harvesting is what the attacker receives at the end. Device-code authentication does not verify the user’s password or prompt for an MFA code; it verifies that someone authorized the request through Microsoft’s interface. When the victim completes the step, Microsoft issues a valid OAuth refresh token to the attacker’s waiting session.
The attacker gains persistent access to the Microsoft 365 account using that token — no password required, no MFA prompt triggered on future access. Standard MFA protections built around TOTP codes or authentication app approvals apply to password-based logins and do not protect against the token issuance that occurs through the device-code flow.
Click-Tracking Service Abuse: How Tycoon2FA Evades Email Security Filters
In addition to the new device-code attack, the updated Tycoon2FA toolkit abuses legitimate click-tracking services to mask phishing link destinations. Security products that scan email links for malicious domains see only the click-tracker’s domain — a legitimate, frequently allowlisted service — rather than the actual phishing page the link resolves to. The malicious destination is concealed until the victim’s browser follows the redirect.
The technique is not new to phishing broadly, but its integration into the Tycoon2FA toolkit brings it to the subscriber base of a criminal platform with an established distribution network.
Tycoon2FA’s Subscription Model Scales Device-Code Attacks Across Enterprise Targets
Tycoon2FA is sold on a subscription basis on cybercrime forums, allowing threat actors to conduct account takeover campaigns without developing the underlying tooling themselves. The low technical barrier created by phishing-as-a-service platforms means device-code phishing — historically a technique associated with sophisticated nation-state actors — is now accessible to a much broader population of criminal operators.
Device-code attacks are particularly effective against organizations where token-based authentication flows receive less monitoring attention than password-based logins. Once an attacker holds a valid OAuth refresh token, standard MFA controls built around TOTP codes or push approvals offer no further protection for subsequent sessions.
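One way to give the device-code flow the monitoring attention the paragraph above says it usually lacks, as an added example that is not from the article or from any Tycoon2FA reporting: a rule that flags successful device-code sign-ins which either target an application not expected to use that flow or originate from a country absent from the user's interactive sign-in baseline. The record field names follow the Entra ID sign-in log schema as an assumption about the export format, and the sample events are constructed.

```python
# Added example: flag device-code sign-ins that deviate from a user's baseline.
# Field names follow the Entra ID sign-in log schema (an assumption about the
# export format); the sample events below are constructed, not real telemetry.
from collections import defaultdict

SAMPLE_SIGNINS = [
    # alice normally signs in interactively from NL
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    # a device-code token was issued for alice from a country she never uses
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 0}},
    # bob uses the Azure CLI, a legitimate device-code client, from his usual country
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Teams",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Azure CLI",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
    # a failed device-code attempt never issued a token, so this rule ignores it
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
]

def find_suspicious_device_code_signins(events, allowed_apps=()):
    """Alerts for successful device-code sign-ins that target an app not expected
    to use the flow, or come from a country absent from the user's other sign-ins."""
    baseline = defaultdict(set)  # user -> countries seen in non-device-code sign-ins
    for e in events:
        if e["authenticationProtocol"] != "deviceCode" and e["status"]["errorCode"] == 0:
            baseline[e["userPrincipalName"]].add(e["location"]["countryOrRegion"])
    alerts = []
    for e in events:
        if e["authenticationProtocol"] != "deviceCode" or e["status"]["errorCode"] != 0:
            continue  # only a successful device-code completion hands out a token
        reasons = []
        if e["appDisplayName"] not in allowed_apps:
            reasons.append("app not expected to use the device-code flow")
        if e["location"]["countryOrRegion"] not in baseline[e["userPrincipalName"]]:
            reasons.append("country not in user's interactive sign-in baseline")
        if reasons:
            alerts.append({"user": e["userPrincipalName"], "ip": e["ipAddress"],
                           "app": e["appDisplayName"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_device_code_signins(SAMPLE_SIGNINS, {"Microsoft Azure CLI"}):
        print(alert)
```

The allowlist should hold only the device-code clients the organization actually expects (such as CLI tooling), so that a token issued for an interactive Office client through this flow stands out.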
