The Tycoon 2FA phishing-as-a-service platform is now using OAuth device code phishing to compromise devices that are protected by multifactor authentication, according to eSentire’s Threat Response Unit (TRU). Tycoon 2FA is one of the most active phishing kits and has resumed normal operations following a law enforcement takedown earlier this year.
“The attack begins when a victim clicks a Trustifi click-tracking URL in a lure email and culminates in the victim unknowingly granting OAuth tokens to an attacker-controlled device through Microsoft's legitimate device-login flow at microsoft.com/devicelogin,” the researchers write. “Connecting those two endpoints is a four-layer in-browser delivery chain whose Tycoon 2FA tradecraft is virtually unchanged from the credential-relay variant TRU documented in April 2025 and the post-takedown variant documented in April 2026.”
The attackers abuse legitimate services (Trustifi click tracking and Microsoft's own device-login endpoint) to evade security defenses and to make the lure appear more credible to the human user.
“The OAuth 2.0 Device Authorization Grant was designed for input-constrained devices - smart TVs, command-line tools, and appliances - where typing credentials is impractical,” the researchers explain. “The flow is intentionally indirect: the device asks the identity provider for a short user-facing code, the user enters that code from a different browser, signs in normally, and the identity provider returns tokens to the original device. The protocol has no cryptographic binding between the device that requested the code and the user's identity. Anyone who initiates a device-code grant for a Microsoft first-party AppId can collect the resulting tokens from any user who consents.”
Notably, this technique doesn’t exploit any technical vulnerabilities; it simply tricks users into unintentionally granting access to the attacker.
“The user's MFA worked exactly as designed,” eSentire says. “There is no proxy, no credential capture, no fake Microsoft page; everything from login.microsoftonline.com onward is authentic Microsoft infrastructure responding to authentic Microsoft authentication events. The phish does not bypass MFA - it changes what MFA is being used to authorize. The user thinks they are approving access for a voicemail player; they are actually approving token issuance to an attacker-controlled device.”
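Because the flow described above leaves only authentic Microsoft sign-in events behind, the practical detection point is the identity provider's sign-in log. As an added example that is not part of eSentire's report, the Python below flags sign-ins that used the device authorization grant, which Microsoft Entra sign-in records mark with `authenticationProtocol` set to `deviceCode`; the log records and the per-user baseline are constructed for illustration, and the severity rules are an assumed heuristic, not a Microsoft or eSentire rule.

```python
import json

# Constructed Microsoft Entra sign-in records (illustrative, not real telemetry),
# one JSON object per line as an export tool might write them. Only the fields
# the detection reads are present; a nonzero status.errorCode means failure.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    # Alice completes a device-code grant she has never used before: the article's
    # pattern, where tokens go to whichever device requested the code.
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    # Bob routinely signs in to a CLI with device code; his baseline covers it.
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
    # Carol started a device-code sign-in that did not succeed (constructed error code).
    {"userPrincipalName": "carol@example.test", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}},
])

# Constructed baseline: apps each user has legitimately used via device code before.
KNOWN_DEVICE_CODE_USE = {"bob@example.test": {"Microsoft Azure CLI"}}

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def rate_device_code_signin(event, baseline):
    """Assumed heuristic: a first successful device-code grant for an app is
    high severity, a repeat for a baselined app is medium, a failure is low."""
    if event.get("status", {}).get("errorCode", 0) != 0:
        return "low"
    if event["appDisplayName"] in baseline.get(event["userPrincipalName"], set()):
        return "medium"
    return "high"

def detect_device_code_signins(events, baseline=KNOWN_DEVICE_CODE_USE):
    """Return one alert per sign-in that used the device authorization grant;
    authenticationProtocol == "deviceCode" is the Entra field that marks it."""
    alerts = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        alerts.append({"user": ev["userPrincipalName"], "app": ev["appDisplayName"],
                       "ip": ev.get("ipAddress"), "severity": rate_device_code_signin(ev, baseline)})
    return alerts

if __name__ == "__main__":
    for alert in detect_device_code_signins(parse_signins(SAMPLE_LOG)):
        print(f"[{alert['severity']:>6}] {alert['user']} -> {alert['app']} from {alert['ip']}")
```

A high-severity hit is a prompt to confirm with the user what they thought they were approving, since the grant itself looks like a normal MFA-backed sign-in.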
eSentire has the story: Tycoon 2FA Operators Adopt OAuth Device Code Phishing
