
Tycoon2FA: Microsoft 365 Device Code Phishing and Trustifi Abuse — Detection and Hardening

Security Arsenal Team
May 17, 2026
6 min read

The Phishing-as-a-Service (PhaaS) ecosystem has evolved again with the Tycoon2FA kit, which now integrates device-code social engineering attacks to bypass native Microsoft 365 security controls. Unlike traditional Adversary-in-the-Middle (AiTM) attacks that require a reverse proxy for credential interception, this technique abuses the legitimate OAuth2 Device Authorization Grant flow. By manipulating users into authenticating a session initiated by the attacker, Tycoon2FA effectively hijacks accounts—even those protected by multi-factor authentication (MFA)—without stealing the user's password. The abuse of Trustifi click-tracking URLs adds a layer of obfuscation, allowing these phishing lures to slip past email security gateways (ESGs). This is an active, in-the-wild threat that requires immediate defensive tuning to prevent tenant takeover.

Technical Analysis

Affected Products & Platforms:

  • Platform: Microsoft 365 (Entra ID / Azure Active Directory)
  • Service: Microsoft Authentication Library (MSAL) / OAuth 2.0 Device Authorization Grant endpoint
  • Third-Party: Trustifi (abused for URL redirection/cloaking)

Attack Mechanism:

  1. Initiation: The attacker uses an automated script (part of the Tycoon2FA kit) to initiate a login to the Microsoft device code endpoint (login.microsoftonline.com/common/oauth2/v2.0/devicecode).
  2. Code Generation: Microsoft responds with a user code (e.g., D4Q9L-WXYZ) and a verification URL.
  3. Social Engineering: The attacker sends a phishing email containing a Trustifi link. This link redirects the victim to a Tycoon2FA-controlled page instructing them to sign in to verify their account (often masquerading as MFA verification or a security update).
  4. Token Exchange: The victim visits the legitimate Microsoft verification URL and enters the code provided by the attacker. The victim then completes the authentication process, including MFA, on their own device.
  5. Session Hijack: Once authenticated, the attacker's script polls the token endpoint. Since the victim approved the code, Microsoft issues valid access and refresh tokens to the attacker. The attacker now has a persistent session to the victim's M365 account (Exchange, SharePoint, Teams).
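The five steps above hinge on one property of the Device Authorization Grant (RFC 8628): the token is issued to whoever holds the device_code, not to the person who typed the user_code. The following is a constructed in-memory model of that grant, added here as an illustration; it is not Tycoon2FA or Microsoft code, the client and user names are invented, and the `block_device_code` flag stands in for a tenant policy that refuses the flow (the Conditional Access mitigation described later on this page).

```python
"""In-memory model of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Constructed illustration (not Tycoon2FA or Microsoft code). It shows why the
initiator of the flow ends up with the victim's token, and how a tenant policy
that refuses the flow closes the path before any code is handed out.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceSession:
    client_id: str
    scope: str
    user_code: str
    device_code: str
    expires_at: float
    approved_by: Optional[str] = None   # identity that approved the user_code


class AuthServer:
    """Minimal device-code authorization server with an optional tenant policy
    (block_device_code) that refuses the flow outright."""

    def __init__(self, block_device_code: bool = False, lifetime_s: int = 900):
        self.block_device_code = block_device_code
        self.lifetime_s = lifetime_s
        self.sessions = {}       # device_code -> DeviceSession
        self.by_user_code = {}   # user_code   -> DeviceSession

    # Steps 1-2: the initiator calls the device code endpoint and gets both codes.
    def device_authorization(self, client_id: str, scope: str) -> dict:
        if self.block_device_code:
            return {"error": "interaction_required",
                    "error_description": "device code flow blocked by tenant policy"}
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. 1A2B-C3D4
        s = DeviceSession(client_id, scope, user_code, secrets.token_urlsafe(32),
                          time.time() + self.lifetime_s)
        self.sessions[s.device_code] = s
        self.by_user_code[user_code] = s
        return {"device_code": s.device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # placeholder URI
                "expires_in": self.lifetime_s, "interval": 5}

    # Step 4: whoever types the user_code signs in (MFA included) and approves it.
    # The server never learns who obtained the code or why.
    def approve(self, user_code: str, authenticated_user: str) -> bool:
        s = self.by_user_code.get(user_code)
        if s is None or time.time() > s.expires_at:
            return False
        s.approved_by = authenticated_user
        return True

    # Step 5: the initiator polls the token endpoint with the device_code.
    def token(self, device_code: str) -> dict:
        s = self.sessions.get(device_code)
        if s is None:
            return {"error": "invalid_grant"}
        if time.time() > s.expires_at:
            return {"error": "expired_token"}
        if s.approved_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "scope": s.scope, "sub": s.approved_by,
                "access_token": secrets.token_urlsafe(16)}


def run_scenario(block_device_code: bool) -> Optional[str]:
    """Identity bound to the token the initiator ends up holding, or None if the
    flow was refused. The user_code travels out of band (the phishing lure) and
    the victim approves it on the legitimate verification page."""
    srv = AuthServer(block_device_code=block_device_code)
    start = srv.device_authorization(client_id="initiator-cli", scope="Mail.Read")
    if "error" in start:
        return None
    srv.approve(start["user_code"], authenticated_user="victim@example.com")
    return srv.token(start["device_code"]).get("sub")


if __name__ == "__main__":
    print("flow allowed  ->", run_scenario(False))   # token bound to victim@example.com
    print("flow blocked  ->", run_scenario(True))    # None: no code was ever issued
```

Note that nothing in the exchange ties the approving browser to the polling client: the victim's MFA satisfies the policy, and the server hands the result to the device_code holder. That is why the fix belongs in the tenant's policy on the flow itself rather than in the user's authentication strength.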

Exploitation Status: Confirmed active exploitation. Tycoon2FA is a commercially available PhaaS kit, significantly lowering the barrier to entry for cybercriminals.

Detection & Response

The following detection logic focuses on identifying the specific behavior of the OAuth2 Device Code flow, particularly when initiated from unexpected contexts or locations, and the network patterns associated with the Tycoon2FA kit.

```yaml
---
title: Potential Tycoon2FA Device Code Login
id: b7e8d9f0-1a2b-3c4d-5e6f-7a8b9c0d1e2f
status: experimental
description: Detects sign-ins using the Device Code authentication flow, often abused by Tycoon2FA. While legitimate for some Linux/CLI tools, it is rare for typical user workstations.
references:
  - https://attack.mitre.org/techniques/T1552.001/
  - https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/
author: Security Arsenal
date: 2025/04/03
tags:
  - attack.credential_access
  - attack.t1528
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    # Entra ID records the grant type in the AuthenticationProtocol field of the sign-in
    # event; AuthenticationDetails is the per-step array and does not name the flow.
    AuthenticationProtocol: 'deviceCode'
  filter_legit_apps:
    AppDisplayName|contains:
      - 'Azure CLI'
      - 'Azure PowerShell'
      - 'Microsoft Teams'
  condition: selection and not filter_legit_apps
falsepositives:
  - Legitimate use of Azure CLI or PowerShell modules on non-Windows workstations
level: high
---
title: Tycoon2FA Network Indicator - Device Code Endpoint
id: c9f0e1d2-3b4c-5d6e-7f8a-9b0c1d2e3f4a
status: experimental
description: Detects non-browser processes contacting the Microsoft login host that serves the device code endpoint, indicative of phishing kit tooling running on the network or an endpoint.
references:
  - https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/
author: Security Arsenal
date: 2025/04/03
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    # Network-connection events (Sysmon EID 3 and EDR equivalents) carry destination host
    # and port only; the '/devicecode' path is visible solely in proxy or TLS-inspection logs.
    DestinationHostname|contains: 'login.microsoftonline.com'
    DestinationPort: 443
  filter_browser:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  condition: selection and not filter_browser
falsepositives:
  - Administrators using Azure PowerShell or CLI
level: medium
```


**KQL (Microsoft Sentinel / Defender):**

```kql
// Hunt for Device Code Logins
// SigninLogs exposes the grant type in AuthenticationProtocol ("deviceCode");
// AuthenticationDetails is the per-step JSON array and does not name the flow.
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| extend AppName = AppDisplayName,
         DeviceId = tostring(DeviceDetail.deviceId),
         Browser = tostring(DeviceDetail.browser)
| project TimeGenerated, UserPrincipalName, AppName, IPAddress, Location, ResultType, ResultDescription, Browser, DeviceId
| order by TimeGenerated desc

// Correlate with Risky Users (AADRiskyUsers is the Identity Protection table in Sentinel).
// The latest risk record per user is taken and renamed so it is not confused with the
// RiskDetail column that SigninLogs carries itself.
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| join kind=inner (
    AADRiskyUsers
    | where RiskState in ("atRisk", "confirmedCompromised")
    | summarize arg_max(TimeGenerated, *) by UserPrincipalName
    | project UserPrincipalName, UserRiskLevel = RiskLevel, UserRiskDetail = RiskDetail
  ) on UserPrincipalName
| project TimeGenerated, UserPrincipalName, UserRiskLevel, UserRiskDetail, AppDisplayName, IPAddress
| order by TimeGenerated desc
```


**Velociraptor VQL:**

```vql
-- Hunt for live connections to the Microsoft login host (which serves the device code
-- endpoint) from processes that are not a browser. netstat() reports the remote peer as
-- Raddr.IP / Raddr.Port (an IP address, never a hostname), so the name is resolved
-- first with host(); process context (command line, user) comes from pslist().
LET LoginIPs <= host(name='login.microsoftonline.com')
LET Browsers <= ('chrome.exe', 'msedge.exe', 'firefox.exe')

SELECT * FROM foreach(
  row={
    SELECT Pid, Name, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status
    FROM netstat()
    WHERE Raddr.IP IN LoginIPs AND NOT Name IN Browsers
  },
  query={
    SELECT Pid, Name, RemoteIP, RemotePort, Status, CommandLine, Exe, Username
    FROM pslist(pid=Pid)
  })

-- Client monitoring (event query): DNS lookups of the login host as they happen
SELECT timestamp(epoch=Time) AS Time, EventType, Name, CNAME, Answers
FROM dns()
WHERE Name =~ 'login\\.microsoftonline\\.com'
```


**Remediation Script (PowerShell):**

This script audits the Entra ID tenant for Conditional Access policies that specifically block the Device Code flow, which is the primary mitigation.

```powershell
# Requires the Microsoft.Graph module (a release that exposes the Conditions.AuthenticationFlows
# property). The retired AzureAD module's policy objects do not expose the Authentication flows
# condition, so it cannot tell whether the Device Code flow itself is blocked.
# Connect-MgGraph -Scopes "Policy.Read.All"

Write-Host "Auditing Conditional Access Policies for Device Code Flow restrictions..." -ForegroundColor Cyan

$Policies = Get-MgIdentityConditionalAccessPolicy -All

$Found = $false
foreach ($Policy in $Policies) {
    $Controls   = @($Policy.GrantControls.BuiltInControls)
    $Conditions = $Policy.Conditions

    # The dedicated mitigation is the "Authentication flows" condition with transfer method
    # "deviceCodeFlow" (a comma-separated string) combined with a Block grant control.
    $Flows = "$($Conditions.AuthenticationFlows.TransferMethods)"
    $TargetsDeviceCode = $Flows -match 'deviceCodeFlow'

    # Policies that block the "Exchange ActiveSync" / "Other" client types are reported as well,
    # since that is the fallback configuration described in the remediation steps below.
    $ClientApps = @($Conditions.ClientAppTypes)
    $BlocksLegacyClients = ($ClientApps -contains 'exchangeActiveSync') -or ($ClientApps -contains 'other')

    if ($Controls -contains 'block' -and ($TargetsDeviceCode -or $BlocksLegacyClients)) {
        $Kind = if ($TargetsDeviceCode) { 'Device Code flow' } else { 'legacy client types only' }
        Write-Host "[!] Found Blocking Policy: $($Policy.DisplayName) ($Kind)" -ForegroundColor Yellow
        Write-Host "    State: $($Policy.State)"
        Write-Host "    Users: $(@($Conditions.Users.IncludeUsers) -join ', ')"
        Write-Host "    Groups: $(@($Conditions.Users.IncludeGroups).Count) included, $(@($Conditions.Users.ExcludeGroups).Count) excluded"
        if ($Policy.State -ne 'enabled') {
            Write-Host "    NOTE: policy is not enforced (state '$($Policy.State)')" -ForegroundColor Yellow
        }
        # Only an enforced policy that names the flow counts as the mitigation being in place
        if ($TargetsDeviceCode -and $Policy.State -eq 'enabled') { $Found = $true }
    }
}

if (-not $Found) {
    Write-Host "WARNING: No enforced Conditional Access policy blocks the Device Code flow." -ForegroundColor Red
    Write-Host "ACTION REQUIRED: Create a CA policy blocking Device Code flow or restricting legacy authentication." -ForegroundColor Red
}
```

Remediation

  1. Conditional Access (Primary Fix):

    • Create a Conditional Access policy targeting All Users.
    • Set Client Apps to Exchange ActiveSync clients and Other clients (This captures many device code implementations).
    • Configure Grant controls to Block access.
    • Alternative: If you require legacy auth for specific users, exclude them from this block and apply a "Require Compliant Device" or "Require Multi-Factor Authentication" control specifically to the "Other" client type, though blocking is preferred.
  2. Disable Legacy Authentication:

    • Ensure Security Defaults are enabled (which blocks legacy auth), or manually disable legacy protocols (SMTP, POP3, IMAP, etc.) under Authentication Methods in Entra ID unless they are strictly necessary.
  3. URL Filtering:

    • If Trustifi click-tracking is not required for business operations, consider blocking or deep-inspecting links originating from trustifi.com or checking your Secure Email Gateway (SEG) for rewrite rules involving these domains.
  4. User Awareness:

    • Update security awareness training to include specific examples of "Device Code" phishing (e.g., "Enter this code on your computer to verify your login").
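Step 1 above is a Conditional Access policy; the following added example (not the original post's script) shows the Microsoft Graph `conditionalAccessPolicy` body for the dedicated form of that policy, which names the device-code flow through the `authenticationFlows` condition, and an audit function that checks an exported policy list for it. The group id is a placeholder, the sample policies are constructed, and the policy is built in report-only state first so its impact can be reviewed before enforcement.

```python
"""Conditional Access policy that blocks the device-code flow, and an audit over
exported policies. Added example, not the original post's code. Uses the Microsoft
Graph conditionalAccessPolicy schema; the group id below is a placeholder.
"""
import json

BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000000"   # placeholder: your exclusion group id


def build_block_device_code_policy(exclude_groups, report_only=True):
    """Policy body for POST /identity/conditionalAccess/policies.

    Targets all users and all apps, names the device-code flow via the
    authenticationFlows condition, and applies the Block grant control."""
    return {
        "displayName": "Block device code flow (all users)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def blocks_device_code(policy):
    """True when an enforced policy blocks the device-code flow for all users and apps."""
    cond = policy.get("conditions", {})
    flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    methods = {m.strip() for m in flows.split(",")}          # comma-separated enum string
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return (policy.get("state") == "enabled"
            and "block" in controls
            and "deviceCodeFlow" in methods
            and "All" in (cond.get("users") or {}).get("includeUsers", [])
            and "All" in (cond.get("applications") or {}).get("includeApplications", []))


def audit(policies):
    """Names of policies that enforce the block, and of report-only policies that
    would enforce it once switched to 'enabled'."""
    enforced = [p["displayName"] for p in policies if blocks_device_code(p)]
    report_only = [p["displayName"] for p in policies
                   if p.get("state") == "enabledForReportingButNotEnforced"
                   and blocks_device_code({**p, "state": "enabled"})]
    return {"enforced": enforced, "report_only": report_only}


# Constructed sample export: a common legacy-auth block (which does not carry the
# authenticationFlows condition) plus the new policy in report-only state.
SAMPLE_POLICIES = [
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    build_block_device_code_policy([BREAK_GLASS_GROUP], report_only=True),
]


if __name__ == "__main__":
    print(json.dumps(build_block_device_code_policy([BREAK_GLASS_GROUP]), indent=2))
    print(audit(SAMPLE_POLICIES))
```

The audit deliberately counts only policies that name the flow and are enforced: a report-only copy shows up separately so the gap between "policy exists" and "policy is in effect" is visible, which is the distinction the PowerShell audit above also draws.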
