Tycoon2FA has expanded to support device-code phishing, using Trustifi click-tracking URLs and a multi-layered redirect chain to hijack Microsoft 365 accounts. After a law enforcement disruption in March, the kit returned on new infrastructure with stronger obfuscation and anti-analysis protections. #Tycoon2FA #Trustifi #Microsoft365 #Entra
Key points
- Tycoon2FA has added device-code phishing to its attack toolkit.
- Attackers use Trustifi click-tracking URLs in invoice-themed lure emails.
- The attack chain redirects victims through Cloudflare Workers and fake Microsoft pages.
- Victims unknowingly grant OAuth tokens to attacker-controlled devices through Microsoft's login flow.
- Tycoon2FA includes strong anti-analysis defenses and updated blocklists of vendor names.
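Because the victim completes the device-code flow in their own browser, the resulting Entra ID sign-in looks like a normal interactive login from the victim's address; the useful signal is the authentication protocol itself. The triage script below is an added example, not code from the article or from any vendor: it reads constructed sign-in records shaped after a subset of the Microsoft Graph signIn fields (authenticationProtocol, ipAddress, appDisplayName, status.errorCode) and flags every device-code sign-in, treating a trusted source IP as a reason to lower, not dismiss, the finding. The trusted network range and all record values are constructed.

```python
"""Triage Entra ID sign-ins for OAuth device-code flow usage.

Added example (not from the original article). Records are constructed
and mimic a subset of Microsoft Graph signIn resource fields.
"""
import ipaddress
import json

# Constructed: corporate egress range used as the "known good" baseline.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed NDJSON sample; field names follow the Graph signIn resource.
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-05-05T09:12:01Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-05T09:40:44Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-05T09:41:10Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-05T09:45:02Z", "userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "status": {"errorCode": 50126}}
"""


def parse_signins(ndjson):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.strip().splitlines() if line.strip()]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def classify_device_code(record):
    """Return a severity for one sign-in, or None if it did not use device code."""
    if record.get("authenticationProtocol") != "deviceCode":
        return None
    if record.get("status", {}).get("errorCode", 0) != 0:
        return "info"  # failed device-code attempt: note it, no token was issued
    # Successful device-code sign-in. The interactive step runs in the victim's
    # browser, so ipAddress is the victim's network, not the attacker's device;
    # a trusted source address therefore lowers but does not clear the finding.
    if is_trusted(record.get("ipAddress", "0.0.0.0")):
        return "medium"
    return "high"


def triage(ndjson):
    """Return (severity, user, app, ip) for every device-code sign-in found."""
    findings = []
    for rec in parse_signins(ndjson):
        sev = classify_device_code(rec)
        if sev:
            findings.append((sev, rec["userPrincipalName"], rec["appDisplayName"], rec["ipAddress"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(*f)
```

On the sample data the script reports three device-code sign-ins and ignores the ordinary OAuth2 login; in production the same filter would run over the tenant's exported sign-in logs, with the trusted ranges and per-app expectations tuned to the environment.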