Eddington.Tech
IAM · 2026-05-18 · 4 min read

Tycoon2FA Returns With Device Code Phishing - After March Takedown

The Tycoon2FA phishing kit was supposed to be dead.

International law enforcement took it down in March. Infrastructure seized. Operators disrupted. And yet here we are in May, watching it bounce back with new features.

The latest addition? Device code phishing.

Device code flow was designed for devices that cannot easily show a login screen - think IoT devices, command-line tools, smart TVs. You get a code and a URL. Enter the code on another device, and you are authenticated. It is a legitimate OAuth 2.0 mechanism.

Tycoon2FA turned it into a weapon.

Here is how it works. The victim gets an email that looks legitimate. Inside is a link that routes through Trustifi click-tracking URLs, which forward to a fake Microsoft 365 login page. But instead of asking for a password, the page displays a device authorization code.

The victim enters that code on their real Microsoft account. Their account authorizes Tycoon2FA's device instead of one of their own. The attacker now has a token. Not a password - a token, which can be refreshed indefinitely.

This matters because device code attacks bypass traditional phishing detection. Security tools look for credential input fields. They look for password harvesting. Device code authentication happens on Microsoft's actual site. The malicious part is just the social engineering.

The March takedown should have been a win. Instead, it was a temporary inconvenience. Abnormal Security reports Tycoon2FA is back to normal activity and has added obfuscation layers specifically designed to frustrate future disruption attempts.

This is a pattern I keep seeing: takedowns work temporarily, but phishing kits are modular and cheap to rebuild. The developers learn from each disruption and come back harder.

What this means for defenders: train users to recognize unsolicited device authorization requests. No legitimate service sends these out of the blue. If you did not initiate a login, do not enter a code.
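Because the phishing page never harvests a password, the trace of a successful attack lives in the identity provider's sign-in telemetry rather than in the email or the web request. As an added example (not from the original post or from any vendor), the following script reads constructed sign-in records shaped like Entra ID sign-in log entries and flags successful device-code-flow sign-ins by accounts not on an assumed allow list of CLI and IoT identities; the field names `authenticationProtocol`, `userPrincipalName`, `ipAddress` and `status.errorCode` are assumed from that schema, and every value is made up.

```python
import json

# Constructed sample records in the shape of Microsoft Entra ID sign-in log
# entries exported as JSON lines. Field names follow that schema (an assumption
# of this example); every value is made up.
SAMPLE_SIGNINS_JSONL = """\
{"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-18T09:02:11Z", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-18T09:05:40Z", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "createdDateTime": "2026-05-18T09:07:03Z", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"userPrincipalName": "svc-build@example.com", "createdDateTime": "2026-05-18T09:09:55Z", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44", "status": {"errorCode": 0}}
"""


def parse_signin_jsonl(text):
    """Parse one sign-in record per non-empty line; skip lines that are not JSON."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def flag_device_code_signins(records, expected_users=frozenset()):
    """Return successful device-code-flow sign-ins by users not expected to use it.

    Each hit is (userPrincipalName, createdDateTime, ipAddress). 'expected_users'
    is an assumed allow list of accounts (CLI tools, IoT service identities) that
    an organisation knows legitimately authenticate via the device code flow.
    Failed attempts are skipped: no token was issued, so nothing was stolen,
    though a burst of failures is still worth a look.
    """
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        user = rec.get("userPrincipalName", "")
        if user in expected_users:
            continue
        hits.append((user, rec.get("createdDateTime"), rec.get("ipAddress")))
    return hits


if __name__ == "__main__":
    signins = parse_signin_jsonl(SAMPLE_SIGNINS_JSONL)
    for hit in flag_device_code_signins(signins, {"svc-build@example.com"}):
        print("device code sign-in to review:", hit)
```

On the constructed data only Alice's sign-in is flagged: Bob used a normal OAuth flow, Carol's attempt failed, and the build service account is on the allow list.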

Written by Hunter Eddington
Source: BleepingComputer