Microsoft 365 Just Got Invited to the Worst Device Pairing Party Ever

The Funny Summary

Cybercriminals have discovered that if you can’t steal passwords the old-fashioned way, you simply trick people into handing over the Microsoft login tokens themselves. Tycoon2FA is now abusing Microsoft’s legitimate device login process, meaning victims basically MFA-approve their own compromise like they’re pairing a smart TV from JB Hi‑Fi.

The Top (5) Takeaways

  1. Tycoon2FA is back despite law enforcement disruption
    The phishing-as-a-service platform was previously disrupted but quickly rebuilt and resumed operations.

  2. Attackers are now using device-code phishing
    Instead of stealing passwords directly, attackers trick users into authorising rogue devices through Microsoft’s legitimate device login flow used for IoT devices.

  3. MFA alone may not stop this attack
    Victims complete MFA themselves during the fake process, which grants attackers OAuth access and refresh tokens.

  4. The campaign abuses legitimate services
    Researchers observed the attacks leveraging Trustifi click-tracking URLs, Cloudflare Workers, and heavily obfuscated JavaScript chains.

  5. Defenders should restrict OAuth and monitor Entra logs
    eSentire recommends disabling device code flows where possible, restricting OAuth consent, and monitoring Entra authentication logs for suspicious activity.
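As an added example (not code from eSentire, the article, or Microsoft), here is the monitoring idea from takeaway 5 as detection logic: it runs over constructed Entra sign-in records shaped like the Microsoft Graph signIn resource (the authenticationProtocol field and the errorCode-0-means-success convention are assumed) and flags every successful device-code sign-in, ranking those issued to a client app outside an assumed allow list highest.

```python
import json
from collections import Counter

# Constructed Entra ID sign-in records (not real log data). Field names follow
# the Microsoft Graph signIn resource as an assumed schema; status.errorCode 0
# is taken to mean the sign-in succeeded.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online",
  "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
  "status": {"errorCode": 0}, "createdDateTime": "2025-01-10T01:00:00Z"},
 {"userPrincipalName": "alice@example.com", "appDisplayName": "Contoso Meeting Room Display",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
  "status": {"errorCode": 0}, "createdDateTime": "2025-01-11T02:15:00Z"},
 {"userPrincipalName": "bob@example.com", "appDisplayName": "Unregistered CLI Client",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44",
  "status": {"errorCode": 0}, "createdDateTime": "2025-01-12T09:30:00Z"},
 {"userPrincipalName": "carol@example.com", "appDisplayName": "Unregistered CLI Client",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45",
  "status": {"errorCode": 50126}, "createdDateTime": "2025-01-12T09:31:00Z"}
]""")

# Constructed allow list: the only client apps this tenant expects to use the
# device code flow (for example shared displays that cannot show a login form).
EXPECTED_DEVICE_CODE_APPS = {"Contoso Meeting Room Display"}

def flag_device_code_signins(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return one alert per successful device-code sign-in.

    In a device-code phishing case the IP recorded is typically the victim's
    own browser, so location is deliberately not used as a signal here; the
    app the token was issued to is the more useful pivot for triage."""
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r["status"]["errorCode"] != 0:
            continue  # failed attempts are noise for this rule
        alerts.append({
            "user": r["userPrincipalName"],
            "app": r["appDisplayName"],
            "ip": r["ipAddress"],
            "time": r["createdDateTime"],
            "severity": "low" if r["appDisplayName"] in expected_apps else "high",
        })
    return alerts

def summarize(alerts):
    """Count high-severity alerts per user to order the triage queue."""
    return Counter(a["user"] for a in alerts if a["severity"] == "high")
```

In a tenant where the device code flow is blocked by Conditional Access, any successful hit from this rule is worth an immediate look.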

The Long-Form Article

Reference:

https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/
