The Tycoon2FA phishing kit has emerged as a formidable adversary, now equipped to launch device-code phishing attacks and abuse Trustifi click-tracking URLs to compromise Microsoft 365 accounts.
Following a law enforcement crackdown in March that disrupted the Tycoon2FA phishing platform, the malicious operation swiftly regrouped on new infrastructure and resumed its malevolent activities at full throttle.
Recent reports from Abnormal Security have confirmed that Tycoon2FA has not only resumed normal operations but has also bolstered its defenses with new obfuscation layers to thwart disruption attempts.
One of the latest tactics observed involved leveraging OAuth 2.0 device authorization grant flows to compromise Microsoft 365 accounts, indicating the continuous evolution of the phishing kit.
Device code phishing, a deceptive technique where threat actors manipulate victims into authorizing a rogue device on their Microsoft 365 account, has been on the rise. This attack vector grants attackers unrestricted access to sensitive data and services like email, calendar, and cloud storage.
Push Security has reported a 37x surge in device code phishing attacks this year, facilitated by numerous phishing-as-a-service (PhaaS) platforms and private kits. Proofpoint’s findings further validate the increasing prevalence of this insidious tactic.
According to eSentire’s latest research, Tycoon2FA has embraced device code phishing, a technique gaining popularity among cybercriminals.
The attack begins innocuously with a victim clicking on a Trustifi click-tracking URL in a lure email and culminates in unwittingly granting OAuth tokens to an attacker-controlled device via Microsoft’s legitimate device-login flow at microsoft.com/devicelogin.
The attack chain uses a four-layer in-browser delivery mechanism, the same tradecraft documented in previous Tycoon2FA variants.
Trustifi is a legitimate email security platform integrated with major email services, and the researchers say it is unclear why attackers are able to abuse its click-tracking links.
The phishing campaign typically masquerades as an invoice-themed email, leading victims through Trustifi, Cloudflare Workers, and obfuscated JavaScript layers to a counterfeit Microsoft CAPTCHA page.
That page instructs victims to enter a Microsoft OAuth device code at microsoft.com/devicelogin and complete multi-factor authentication (MFA), which authorizes the attacker-controlled device and grants access to the victim’s account.
The Tycoon2FA phishing kit boasts robust defenses against detection, utilizing various techniques to evade automated scanning and hinder analysis efforts.
eSentire recommends proactive measures such as disabling the OAuth device code flow when unnecessary, limiting OAuth consent permissions, enforcing strict third-party app approval processes, and implementing Continuous Access Evaluation (CAE) and compliant device access policies.
Monitoring Entra logs for deviceCode authentication, Microsoft Authentication Broker usage, and Node.js user agents is crucial to detecting and thwarting such attacks.
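As an added example that is not from eSentire or this article, the monitoring described above expressed as a small triage script over constructed Entra ID sign-in records; the field names are assumed to follow the Microsoft Graph signIn schema and should be checked against your own export.

```python
import re

# Constructed sample of Entra ID sign-in records (fake users, documentation IPs). Field
# names follow the Microsoft Graph signIn resource; verify them against your own export.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "userAgent": "Mozilla/5.0 (Windows NT 10.0)",
     "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Authentication Broker",
     "userAgent": "node-fetch/1.0 (+https://github.com/node-fetch/node-fetch)",
     "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "userAgent": "python-requests/2.31.0",
     "ipAddress": "203.0.113.20"},
]

# Apps and user-agent patterns the article calls out as worth monitoring.
BROKER_APPS = {"Microsoft Authentication Broker"}
NODE_UA = re.compile(r"\bnode(?:-fetch|js)?\b|axios/", re.IGNORECASE)

def score_signin(rec):
    """Return the list of indicators that fire for one sign-in record."""
    hits = []
    if rec.get("authenticationProtocol") == "deviceCode":
        hits.append("device_code_flow")
    if rec.get("appDisplayName") in BROKER_APPS:
        hits.append("auth_broker_app")
    if NODE_UA.search(rec.get("userAgent", "")):
        hits.append("nodejs_user_agent")
    return hits

def triage(records):
    """Group device-code sign-ins by severity: 'high' when the device code flow is
    combined with another indicator, 'review' for device code alone, since admin
    CLI tools also use this flow legitimately."""
    findings = {"high": [], "review": []}
    for rec in records:
        hits = score_signin(rec)
        if "device_code_flow" not in hits:
            continue
        bucket = "high" if len(hits) >= 2 else "review"
        findings[bucket].append((rec["userPrincipalName"], rec["ipAddress"], hits))
    return findings

if __name__ == "__main__":
    for level, items in triage(SAMPLE_SIGNINS).items():
        for upn, ip, hits in items:
            print(f"[{level}] {upn} from {ip}: {', '.join(hits)}")
```

Feed the same scoring to a real export of the SignInLogs table (or the Graph signIns endpoint) and tune BROKER_APPS and the review bucket to the device-code clients your tenant actually expects.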
To aid defenders in safeguarding their environments, eSentire has released indicators of compromise (IoCs) related to the latest Tycoon2FA attacks.