Tycoon 2FA Hijacks Microsoft 365 Accounts via OAuth Device Codes, Evading 2026 Takedown

2 articles · Updated · Petri.com · May 18
  • eSentire said the revived Tycoon 2FA kit is using Microsoft’s OAuth 2.0 device authorization flow to trick users into granting tokens, letting attackers silently access Microsoft 365 without stealing passwords.
  • A single approval can open Outlook, OneDrive and Microsoft Graph, because victims complete what looks like a legitimate login on Microsoft’s official device sign-in page.
  • Four in-browser payload layers help the kit stay hidden, with encrypted scripts, dynamically rebuilt commands, anti-debugging measures and fake CAPTCHA-style “HumanCheck” pages.
  • The campaign also filters out defenders by detecting headless browsers, blocking traffic from security vendors, cloud providers, VPNs and sandboxes, and redirecting suspicious visitors to real Microsoft pages.
  • Researchers said the infrastructure remains largely intact despite an earlier 2026 takedown, and urged tighter conditional access, stricter OAuth governance and closer monitoring of device-code logins and consent grants.
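The bullets above describe the mechanics (an OAuth 2.0 device authorization grant in which the attacker's client obtains the codes, the victim approves on the real sign-in page, and the attacker polls for the token) and the recommended response (monitor device-code logins). The following is an added example, not code from Petri.com, eSentire, or the Tycoon 2FA kit: an offline simulation of the three steps of the device-code grant (RFC 8628) as a stand-in identity provider, followed by a simple detection pass over constructed Entra-style sign-in records. The server class, client ID, user names, IP addresses and log records are all invented for illustration; only the record field names (`authenticationProtocol`, `ipAddress`, `userPrincipalName`, `appDisplayName`) follow the Microsoft Graph sign-in schema.

```python
"""Added example: device-code grant simulation plus a sign-in log check.
Everything below is constructed for illustration; it talks to no real endpoint."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

PENDING = "authorization_pending"


@dataclass
class DeviceGrant:
    device_code: str            # long secret held by the client (here, the attacker)
    user_code: str              # short code the victim is lured into typing
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None


class DeviceCodeServer:
    """Stand-in for an IdP's /devicecode and /token endpoints (hypothetical, not Microsoft's)."""

    def __init__(self, lifetime=900):
        self.lifetime = lifetime
        self.by_device_code = {}
        self.by_user_code = {}

    def device_authorization(self, client_id, scope, now):
        # Step 1: the client, not the user, requests the code pair.
        g = DeviceGrant(secrets.token_urlsafe(32), f"{secrets.randbelow(10**9):09d}",
                        client_id, scope, now + self.lifetime)
        self.by_device_code[g.device_code] = g
        self.by_user_code[g.user_code] = g
        return {"device_code": g.device_code, "user_code": g.user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "expires_in": self.lifetime, "interval": 5}

    def approve(self, user_code, upn, now):
        # Step 2: the user types user_code on the IdP's genuine page and signs in there,
        # so password and MFA are exchanged with the IdP only; the lure site sees neither.
        g = self.by_user_code.get(user_code)
        if g is None or now > g.expires_at:
            return False
        g.approved_by = upn
        return True

    def token(self, client_id, device_code, now):
        # Step 3: the client polls; once the user approved, a bearer token is issued to it.
        g = self.by_device_code.get(device_code)
        if g is None or g.client_id != client_id:
            return {"error": "invalid_grant"}
        if now > g.expires_at:
            return {"error": "expired_token"}
        if g.approved_by is None:
            return {"error": PENDING}
        return {"token_type": "Bearer", "scope": g.scope, "expires_in": 3600,
                "access_token": secrets.token_urlsafe(48), "subject": g.approved_by}


def run_phish(server, attacker_client_id, victim_upn, scope, victim_approves):
    """Drive the three steps; returns (token response before approval, after approval)."""
    t0 = time.time()
    codes = server.device_authorization(attacker_client_id, scope, t0)
    before = server.token(attacker_client_id, codes["device_code"], t0 + 5)
    if victim_approves:
        server.approve(codes["user_code"], victim_upn, t0 + 60)
    after = server.token(attacker_client_id, codes["device_code"], t0 + 65)
    return before, after


# Constructed sign-in records (invented values; field names follow the Graph signIn resource).
SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "alice@contoso.example", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@contoso.example", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Azure CLI"},
]
BASELINE_IPS = {"alice@contoso.example": {"203.0.113.10"},
                "bob@contoso.example": {"203.0.113.22"}}


def suspicious_device_code_signins(records, baseline):
    """Device-code sign-ins from an address outside the user's known set."""
    return [r for r in records
            if r["authenticationProtocol"] == "deviceCode"
            and r["ipAddress"] not in baseline.get(r["userPrincipalName"], set())]


if __name__ == "__main__":
    before, after = run_phish(DeviceCodeServer(), "attacker-client", "alice@contoso.example",
                              "Mail.Read Files.Read", True)
    print("before approval:", before)
    print("after approval: token for", after["subject"], "scope", after["scope"])
    for r in suspicious_device_code_signins(SIGNINS, BASELINE_IPS):
        print("escalate:", r)
```

The point the simulation makes is that the attacker never receives a password: the only artefact that crosses from victim to attacker is the approval, and the bearer token is then issued straight to the attacker's client. The detection function is deliberately narrow (device-code protocol plus an unfamiliar source address); in a real tenant the same filter would be joined with the app and resource involved and with consent-grant audit events, as the article's recommendation suggests.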
How do hackers now bypass multi-factor authentication without even stealing your password?
After a major takedown, why is this sophisticated phishing service still a global threat?

Tycoon 2FA’s Rapid Resurgence: 37x Surge in Device Code Phishing and the Ongoing Battle for Authentication Security (May 2026)

Overview

Despite a global takedown in March 2026, Tycoon 2FA, a phishing-as-a-service platform, rebuilt and resumed operations by May 2026. The speed of that comeback shows how hard it is to eradicate an established criminal service and how readily its operators adapt. Their resilience rests on the ease of standing up new phishing campaigns, deliberate evasion techniques, and backup hosting that keeps the kit reachable after its primary infrastructure is disrupted. Tycoon 2FA's return therefore underscores how quickly security teams must keep pace with evolving threats and why proactive, multi-layered defenses are needed.

...