Tycoon2FA Phishing Kit Evolves to Hijack Microsoft 365 Accounts
The Tycoon2FA phishing-as-a-service kit, which survived a March law enforcement disruption, now supports device-code phishing attacks. It abuses Trustifi click-tracking URLs and OAuth 2.0 device authorization flows to register rogue devices and hijack Microsoft 365 accounts, granting attackers full access to email, calendar, and cloud storage.
- credentials
- account-access
- oauth-tokens
A phishing-as-a-service kit known as Tycoon2FA has added support for device-code phishing attacks that hijack Microsoft 365 accounts, granting attackers persistent access to email, calendars, and cloud storage through abused OAuth 2.0 flows and Trustifi click-tracking URLs.
Public reporting from BleepingComputer indicates the kit survived a law enforcement disruption in March 2026 and has since evolved to target the device authorization grant type. Attackers use this method to register rogue devices without requiring the victim to enter credentials directly into a phishing page. The updated kit registers malicious OAuth applications that can maintain long-term access even after initial session tokens expire. Available reporting describes the technique as particularly effective against organizations using Microsoft 365 because it bypasses many traditional phishing defenses that focus on credential-harvesting pages.
Want the rest of this breakdown?
Sign up free to keep reading. Members get extended access, the weekly breach digest, and a complimentary Warden™ to see if their identity is exposed in the breaches we cover.
A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.
⚠ Were you in this breach?
Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.
Check my email — free →