Intelligence (severity: high; campaign: active)

Tycoon2FA expands device-code phishing capability, abusing legitimate email infrastructure to compromise Microsoft 365

The Tycoon2FA phishing kit has added device-code authentication flow attacks to its arsenal and now abuses Trustifi click-tracking URLs to mask malicious redirects, enabling credential theft against Microsoft 365 users at scale.

Author: Sebastion

Affected: Microsoft 365, Trustifi

Tycoon2FA's incorporation of device-code phishing represents a meaningful tactical evolution in OAuth-based account compromise. Device-code flows, designed for headless and limited-input devices, are inherently harder to secure because they create a temporal separation between authentication initiation and completion. Attackers exploit this by sending victims to a phishing site that initiates a device-code flow on the backend, then prompts the victim to enter and approve that code in their legitimate Microsoft 365 account. Because the victim completes the approval on Microsoft's own interface, there are fewer of the friction points and warning signs that traditional credential-stealing phishing presents.

The second sophistication layer involves the abuse of Trustifi's click-tracking infrastructure. Trustifi is a legitimate email security and tracking service used by many organisations. By wrapping malicious redirect chains through Trustifi URLs, attackers gain several advantages: the URLs appear legitimate and are less likely to be blocked by email gateways, URL reputation services may whitelist them, and security teams may deprioritise clicks on known enterprise tools. This is a supply-chain style attack vector that exploits the implicit trust placed in third-party email infrastructure.

Microsoft 365 environments remain the primary target because of their widespread adoption and the value of compromised tenant access. Device-code phishing is particularly effective against users with modern MFA enabled, since it operates within the legitimate authentication flow rather than attempting to steal or bypass MFA tokens directly. Once authenticated, attackers gain tenant-wide access including email, SharePoint, OneDrive, and Teams data.

Defenders should implement conditional access policies that restrict sign-in from unusual geographic locations or devices, monitor for device-code authentication attempts from unexpected applications, and educate users that device approval prompts should only appear during intentional login workflows. Email security teams should scrutinise Trustifi URLs and similar tracking services for abuse patterns and consider blocking or sandboxing them pending investigation. Organisations should also review OAuth application permissions within their tenant and disable legacy authentication protocols that remain vulnerable to credential-based attacks.
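The monitoring recommendation above can be turned into a first-pass detection. The following is an added example, not code from the original advisory or from any vendor: it scans sign-in records shaped like Microsoft Graph `signIn` objects (where the `authenticationProtocol` property reads `deviceCode` for device-code flow sign-ins) and flags device-code sign-ins from applications or countries outside a hypothetical allow-list. The sample records, the allow-list of applications and the expected-country set are all constructed for the example.

```python
"""
Added example (not from the original advisory): flag device-code sign-ins that
come from unexpected client applications or locations.

Assumptions (labelled):
- Records follow the shape of Microsoft Graph `signIn` objects, in which
  `authenticationProtocol` is "deviceCode" for device-code flow sign-ins and
  `status.errorCode` is 0 for a successful sign-in.
- DEVICE_CODE_ALLOWED_APPS and EXPECTED_COUNTRIES are hypothetical values an
  organisation would tune to its own legitimate device-code usage.
- SAMPLE_SIGNINS is constructed sample data, not real tenant logs.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample sign-in records (shape modelled on Graph signIn objects).
SAMPLE_SIGNINS = json.loads(r'''[
  {"id": "s1", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams",
   "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "GB"},
   "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
  {"id": "s2", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
   "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "NG"},
   "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
  {"id": "s3", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
   "authenticationProtocol": "oAuth2", "location": {"countryOrRegion": "GB"},
   "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
  {"id": "s4", "userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Azure CLI",
   "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "GB"},
   "ipAddress": "203.0.113.12", "status": {"errorCode": 0}},
  {"id": "s5", "userPrincipalName": "erin@example.com", "appDisplayName": "Microsoft Office",
   "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "GB"},
   "ipAddress": "192.0.2.5", "status": {"errorCode": 50199}}
]''')

# Hypothetical allow-list: applications this organisation expects to use the
# device-code flow (e.g. CLI tooling and conference-room devices).
DEVICE_CODE_ALLOWED_APPS = frozenset({"Microsoft Azure CLI", "Microsoft Teams"})
# Hypothetical set of countries the workforce normally signs in from.
EXPECTED_COUNTRIES = frozenset({"GB"})


@dataclass(frozen=True)
class Finding:
    signin_id: str
    user: str
    app: str
    country: str
    reasons: Tuple[str, ...]
    succeeded: bool  # a successful device-code sign-in is the higher-priority case


def is_device_code(record: Dict) -> bool:
    """True when the sign-in completed via the OAuth device authorization flow."""
    return record.get("authenticationProtocol") == "deviceCode"


def evaluate_signin(record: Dict,
                    allowed_apps: Iterable[str] = DEVICE_CODE_ALLOWED_APPS,
                    expected_countries: Iterable[str] = EXPECTED_COUNTRIES) -> Optional[Finding]:
    """Return a Finding for a device-code sign-in that breaks policy, else None."""
    if not is_device_code(record):
        return None
    app = record.get("appDisplayName", "")
    country = record.get("location", {}).get("countryOrRegion", "")
    reasons = []
    if app not in set(allowed_apps):
        reasons.append("unexpected application")
    if country not in set(expected_countries):
        reasons.append("unexpected location")
    if not reasons:
        return None
    succeeded = record.get("status", {}).get("errorCode", 0) == 0
    return Finding(record.get("id", ""), record.get("userPrincipalName", ""),
                   app, country, tuple(reasons), succeeded)


def find_suspicious_device_code_signins(records: Iterable[Dict]) -> List[Finding]:
    """Apply evaluate_signin across a batch of records, keeping only hits."""
    return [f for f in (evaluate_signin(r) for r in records) if f is not None]


def summarize_by_user(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per user so repeated targeting stands out in triage."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        level = "HIGH" if f.succeeded else "LOW"
        print(f"[{level}] {f.signin_id} {f.user} app={f.app!r} country={f.country} "
              f"reasons={', '.join(f.reasons)}")
```

In the sample set only `s2` (device code, non-allow-listed app, unexpected country, successful) and `s5` (non-allow-listed app, failed attempt) are reported; the Teams and Azure CLI device-code sign-ins pass, and the ordinary `oAuth2` sign-in is ignored. Failed attempts are still worth keeping at low priority, since they can show a campaign being tested against a user before a successful approval lands.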

The broader implication is that attackers are now converging multiple layers of trust: OAuth legitimacy, third-party infrastructure whitelist status, and temporal separation in authentication flows. This reflects a shift away from crude phishing towards infrastructure-aware attacks that are harder to detect at both the email gateway and client levels.