Threat actors linked to Tycoon 2FA are using OAuth device-code phishing to bypass multi-factor authentication, signalling a rapid shift in tactics after a coordinated international operation disrupted the phishing-as-a-service platform’s infrastructure in March 2026.
Security researchers identified the campaign in late April, finding that operators associated with the Tycoon 2FA ecosystem had adapted their phishing kit to exploit a legitimate Microsoft authentication flow rather than relying solely on traditional adversary-in-the-middle login pages. The technique tricks users into authorising access on genuine Microsoft sign-in screens, so the attacker is issued valid access tokens without the victim ever typing a password into a fake website.
Tycoon 2FA had already become one of the most active phishing-as-a-service platforms targeting Microsoft 365 and other cloud accounts. Its earlier model used polished login replicas and proxy-based interception to capture session cookies after users completed multi-factor authentication. That made it attractive to lower-skilled cybercriminals seeking access to corporate email accounts, financial systems and cloud services used for business email compromise, invoice fraud and data theft.
A multinational operation announced on March 4 targeted the platform’s core infrastructure, including hundreds of domains used for phishing portals, dashboards and backend systems. Authorities and private-sector partners said the platform had affected tens of thousands of victims and had been used against organisations across education, health care, public administration and business services. The disruption weakened Tycoon 2FA’s branded operation, but it did not erase the underlying demand for tools that can defeat account protections.
The late-April campaign shows how quickly phishing operators can rebuild around surviving code, affiliate networks and new delivery methods. Technical analysis linked the activity to Tycoon 2FA through shared fingerprints in the kit’s architecture, encryption layer, anti-debugging features and HTML obfuscation patterns. The shift did not appear to be a completely new platform; rather, it represented a reuse of established Tycoon 2FA tooling with a different lure and authentication abuse method.
OAuth device-code phishing exploits a feature designed for devices that lack a full browser or keyboard, such as smart televisions, printers or command-line tools. The client asks the identity provider for a short user code and a longer device code; the user is told to enter the short code on an official login page, and the client meanwhile polls the token endpoint. Once the user signs in and approves the request, the tokens are returned to whoever holds the device code. Attackers abuse this flow by requesting the code themselves and persuading victims to enter it, often through emails or messages that appear to relate to document sharing, meetings, security checks or workplace collaboration. Because the code expires within minutes (about 15 for Microsoft), the lures press for immediate action.
The danger lies in the trust created by the genuine login page. Users see a familiar Microsoft domain, complete multi-factor authentication and assume the process is safe. But the approval authorises the client application the attacker started, so the access and refresh tokens are delivered to the attacker’s polling session rather than to anything the user controls. With those tokens the attacker can reach email, files and other cloud resources for as long as the refresh token is honoured, subject to the permissions granted and to policy controls on the tenant.
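The exchange described in the two paragraphs above, as an added example that is not part of the original article: a simulated OAuth 2.0 device authorization grant (RFC 8628) with an in-memory identity provider. The provider, client ID, verification URI, addresses and user are all constructed; the point it demonstrates is that the party that requested the device code, not the person who typed the user code and passed MFA, receives the tokens.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628), the flow that
device-code phishing abuses. Added example: the identity provider, client ID,
codes, addresses and user below are constructed, not Microsoft's real endpoints."""
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

CODE_LIFETIME = 900   # seconds; Microsoft's device codes expire after about 15 minutes
POLL_INTERVAL = 5     # seconds between token-endpoint polls


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    user_code: str       # short code the human types on the genuine sign-in page
    device_code: str     # long secret held by whoever started the flow
    requester_ip: str
    issued_at: float
    approved_by: Optional[str] = None
    approver_ip: Optional[str] = None


class AuthorizationServer:
    """Toy identity provider. The property that matters is the same as in a real
    one: tokens go to the holder of device_code, not to the person who typed
    the user_code and passed MFA."""

    def __init__(self, now: Callable[[], float]):
        self.now = now
        self.grants: dict = {}        # device_code -> DeviceGrant
        self.by_user_code: dict = {}  # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str, requester_ip: str) -> dict:
        """POST /devicecode. Unauthenticated: an attacker can call it freely."""
        g = DeviceGrant(client_id, scope,
                        user_code=secrets.token_hex(4).upper(),
                        device_code=secrets.token_urlsafe(32),
                        requester_ip=requester_ip, issued_at=self.now())
        self.grants[g.device_code] = g
        self.by_user_code[g.user_code] = g.device_code
        return {"device_code": g.device_code, "user_code": g.user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_enters_code(self, user_code: str, user: str, mfa_passed: bool,
                         user_ip: str) -> dict:
        """The genuine verification page. The victim signs in with real
        credentials and MFA here; no password ever reaches the attacker."""
        dc = self.by_user_code.get(user_code)
        if dc is None or self._expired(self.grants[dc]):
            return {"error": "invalid_or_expired_code"}
        if not mfa_passed:
            return {"error": "mfa_required"}
        g = self.grants[dc]
        g.approved_by, g.approver_ip = user, user_ip
        return {"status": "approved", "client_id": g.client_id, "scope": g.scope}

    def token(self, device_code: str) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Polled by whoever holds device_code, i.e. the attacker."""
        g = self.grants.get(device_code)
        if g is None:
            return {"error": "invalid_grant"}
        if self._expired(g):
            return {"error": "expired_token"}
        if g.approved_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "scope": g.scope, "subject": g.approved_by,
                "access_token": "at." + secrets.token_hex(8),
                "refresh_token": "rt." + secrets.token_hex(8),
                "requested_from_ip": g.requester_ip,
                "approved_from_ip": g.approver_ip}

    def _expired(self, g: DeviceGrant) -> bool:
        return self.now() - g.issued_at > CODE_LIFETIME


def simulate_phish(victim_delay: float = 120.0) -> list:
    """Walk the flow end to end with a fake clock and return each step's result.
    victim_delay is the seconds between the lure landing and the victim acting."""
    clock = [1_700_000_000.0]
    idp = AuthorizationServer(now=lambda: clock[0])
    steps = []
    # 1. attacker starts the flow for a legitimate-looking client and gets a user_code
    dev = idp.device_authorization("constructed-client-id", "Mail.Read offline_access",
                                   requester_ip="203.0.113.7")
    steps.append(("attacker_devicecode", dev["user_code"]))
    # 2. attacker polls while the lure ("enter this code to view the shared file") is out
    steps.append(("attacker_poll_before", idp.token(dev["device_code"])))
    # 3. victim opens the real verification page, types the code, passes MFA
    clock[0] += victim_delay
    steps.append(("victim_approves", idp.user_enters_code(
        dev["user_code"], "alice@example.com", mfa_passed=True, user_ip="198.51.100.2")))
    # 4. attacker's next poll receives the victim's tokens
    steps.append(("attacker_poll_after", idp.token(dev["device_code"])))
    return steps
```

Running `simulate_phish()` shows the attacker's poll returning `authorization_pending` until the victim approves, then a bearer token whose subject is the victim but whose requesting address is the attacker's. Calling it with a `victim_delay` beyond `CODE_LIFETIME` shows why the lures insist on urgency: the code has expired and the token endpoint returns `expired_token`.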
This approach also complicates traditional anti-phishing defences. Domain-blocking and lookalike-site detection are of little use when the victim is sent to a legitimate authentication portal, and the lure itself may contain nothing but a code and a genuine URL. The attacker’s success depends more on social engineering, real-time automation and gaps in conditional access rules than on a fake website. Many tenants leave the device code flow enabled for everyone because administrative tools use it legitimately; Microsoft Entra Conditional Access can block or restrict it as an authentication flow condition, and sign-in logs record which protocol was used, so both prevention and detection are possible where the flow is not needed.
Microsoft 365 environments remain a prime target because compromised accounts can unlock email archives, internal documents, contact lists and financial correspondence. Once inside, attackers can search for payment threads, create inbox rules to hide replies, impersonate executives or suppliers, and use trusted accounts to launch further attacks. For organisations with weak monitoring, token-based compromise may persist even after a password reset unless sessions and refresh tokens are revoked.
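One way to hunt for the post-compromise pattern described above, as an added example that is not from the article: correlate device-code sign-ins with inbox-rule creation and attach the session-revocation step that a password reset alone does not cover. The sign-in records and mailbox audit events are constructed; their field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol`, `appDisplayName`, `ipAddress`) and Exchange mailbox auditing as I understand them, and the value `deviceCode` for device-code sign-ins is an assumption taken from that schema. The allowlist of expected clients and the user baseline are placeholders an organisation would populate from its own history.

```python
"""Detection and response sketch for a device-code sign-in followed by mailbox
tampering. Added example, not from the article. Records are constructed to
resemble Microsoft Entra sign-in logs (Graph signIn fields; the protocol value
"deviceCode" is assumed from the Graph schema) and Exchange mailbox audit
events; every user, app, address and time is invented."""
from datetime import datetime, timedelta, timezone

CORRELATION_WINDOW = timedelta(minutes=30)
# Clients an organisation expects to use the device code flow (constructed allowlist).
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}
# Users with an established history of device-code sign-ins (constructed baseline).
DEVICE_CODE_BASELINE = {"bob@example.com"}

SIGNINS = [  # constructed sample sign-in log entries
    {"createdDateTime": "2026-04-28T09:14:02Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7"},
    {"createdDateTime": "2026-04-28T10:02:11Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.20"},
    {"createdDateTime": "2026-04-28T10:30:45Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.33"},
]

MAILBOX_AUDIT = [  # constructed sample mailbox audit events
    {"time": "2026-04-28T09:21:40Z", "user": "alice@example.com",
     "operation": "New-InboxRule",
     "parameters": {"SubjectContainsWords": "invoice", "MoveToFolder": "RSS Subscriptions",
                    "MarkAsRead": True}},
    {"time": "2026-04-27T16:05:00Z", "user": "carol@example.com",
     "operation": "New-InboxRule",
     "parameters": {"From": "newsletter@example.net", "MoveToFolder": "Newsletters"}},
]


def parse_ts(s: str) -> datetime:
    """Graph timestamps end in Z; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def device_code_signins(signins: list) -> list:
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def inbox_rules_after(audit: list, user: str, start: datetime, window: timedelta) -> list:
    """Inbox rules the user created in the window after a sign-in."""
    return [a for a in audit
            if a["user"] == user and a["operation"] == "New-InboxRule"
            and start <= parse_ts(a["time"]) <= start + window]


def response_actions(upn: str) -> list:
    """Steps once a device-code compromise is confirmed. A password reset alone
    leaves refresh tokens already issued to the attacker's client valid;
    revoking sign-in sessions invalidates them. The Graph action and the
    Exchange cmdlet are real; the tenant is the public Graph host."""
    return [
        f"POST https://graph.microsoft.com/v1.0/users/{upn}/revokeSignInSessions",
        "reset password and re-register MFA methods",
        f"Remove-InboxRule for rules created on {upn} during the incident window",
    ]


def find_suspicious(signins: list, audit: list, baseline=DEVICE_CODE_BASELINE,
                    expected_apps=EXPECTED_DEVICE_CODE_APPS) -> list:
    """Flag device-code sign-ins by unfamiliar users or clients; escalate those
    followed by a new inbox rule, the classic mail-hiding move."""
    findings = []
    for s in device_code_signins(signins):
        upn, reasons = s["userPrincipalName"], []
        if upn not in baseline:
            reasons.append("first device-code sign-in for this user")
        if s["appDisplayName"] not in expected_apps:
            reasons.append(f"client '{s['appDisplayName']}' does not normally use device code")
        rules = inbox_rules_after(audit, upn, parse_ts(s["createdDateTime"]),
                                  CORRELATION_WINDOW)
        for r in rules:
            reasons.append(f"New-InboxRule {r['parameters']} within "
                           f"{CORRELATION_WINDOW.seconds // 60} min of the sign-in")
        if reasons:
            findings.append({"user": upn, "ip": s["ipAddress"], "reasons": reasons,
                             "severity": "high" if rules else "medium",
                             "actions": response_actions(upn) if rules else []})
    return findings
```

On the sample data only `alice@example.com` is flagged, at high severity with the revocation step attached: a user with no device-code history, signing in through a client that does not normally use the flow, then creating a rule that files anything mentioning "invoice" into a folder nobody reads. `bob@example.com` is a baselined Azure CLI user with no follow-on activity and is left alone. In production the sign-ins would come from the Graph `auditLogs/signIns` endpoint and the rule events from the unified audit log; the correlation logic is unchanged.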
The timing also reflects a broader trend across the phishing economy. Law-enforcement takedowns can remove infrastructure and raise costs for operators, but criminal markets often fragment rather than disappear. Affiliates migrate to rival kits, developers rebrand components, and successful tactics are copied across platforms. Tycoon 2FA’s post-disruption activity fits that pattern, with parts of the ecosystem continuing through dispersed hosting, new domains and altered delivery techniques.