The Tycoon2FA phishing kit has resurfaced with new capabilities, including support for device-code phishing attacks against Microsoft 365 accounts, according to eSentire. Despite a recent law enforcement disruption, the platform has been rebuilt and now uses techniques designed to bypass security controls; Bleeping Computer has further coverage.

Tycoon2FA now abuses the OAuth 2.0 device authorization grant to compromise Microsoft 365 accounts. In this flow the attacker's client obtains a device code and a user code from Microsoft, and the victim is tricked into entering that code on Microsoft's legitimate login page, which authorizes the attacker-controlled client. Because the victim completes sign-in, including multi-factor authentication, on a genuine Microsoft page, no credential or MFA prompt ever has to be served from a phishing domain; the tokens are simply issued to whoever requested the code.

The attack chain begins with a lure email containing a Trustifi click-tracking URL, which redirects through multiple layers of obfuscation before landing on a fake Microsoft CAPTCHA page. The victim is then prompted to enter the device code, completing sign-in and multi-factor authentication and causing OAuth tokens to be issued to the attacker.

The kit incorporates anti-analysis measures that block researchers, security vendors, and automated scanning tools. eSentire recommends disabling the OAuth device code flow where it is not needed (Microsoft Entra Conditional Access can block it as an authentication flow), restricting OAuth consent, and increasing monitoring of Microsoft Entra sign-in logs to mitigate the threat.

Source: Bleeping Computer
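The monitoring recommendation above can be made concrete: Entra sign-in logs record the grant used in the `authenticationProtocol` field, and device-code sign-ins show up there as `deviceCode`. The script below is an added example written for this article, not eSentire's or Microsoft's tooling. It loads a constructed JSON export of sign-in records (the data is made up; the field names follow the Entra sign-in log schema), flags every device-code sign-in, and raises the severity when the sign-in came from an IP address the user has never used on a normal sign-in or from a client that is not on a tenant allowlist. The allowlist contents are an assumption for the example.

```python
"""Flag OAuth device-code sign-ins in a Microsoft Entra sign-in log export.

Added example for this article, not code from eSentire or Microsoft.
The records below are constructed. Field names (authenticationProtocol,
userPrincipalName, ipAddress, appDisplayName, resourceDisplayName,
createdDateTime) follow the Entra sign-in log schema; "deviceCode" is the
value Entra records for the device authorization grant.
"""
import json
from collections import defaultdict

# Constructed sample export (JSON array of sign-in records), not real data.
SAMPLE_SIGNIN_LOGS = json.dumps([
    {"createdDateTime": "2025-11-03T08:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2025-11-03T08:40:57Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "resourceDisplayName": "Office 365 Exchange Online"},
    # Suspicious: device-code grant completed from an address the user has never
    # signed in from, for a broad first-party client the tenant does not expect.
    {"createdDateTime": "2025-11-03T09:15:03Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph"},
    # Benign: device-code grant from a known address using an approved CLI.
    {"createdDateTime": "2025-11-03T09:20:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2025-11-03T07:55:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "resourceDisplayName": "Microsoft Graph"},
])

# Hypothetical allowlist of clients that legitimately use the device-code grant
# in this tenant; the entries are assumptions for the example.
APPROVED_DEVICE_CODE_APPS = {"Azure CLI", "Azure PowerShell"}


def baseline_ips(records):
    """Map each user to the set of IPs seen on their non-device-code sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen


def find_device_code_signins(log_json, approved_apps=APPROVED_DEVICE_CODE_APPS):
    """Return one finding per device-code sign-in, in log order.

    Severity is "high" when the sign-in came from an IP absent from the user's
    baseline or from a client outside the allowlist; otherwise "info".
    """
    records = json.loads(log_json)
    known = baseline_ips(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        reasons = []
        if r["ipAddress"] not in known.get(user, set()):
            reasons.append("ip not seen on user's other sign-ins")
        if r.get("appDisplayName") not in approved_apps:
            reasons.append("client not on device-code allowlist")
        findings.append({
            "time": r["createdDateTime"],
            "user": user,
            "ip": r["ipAddress"],
            "app": r.get("appDisplayName"),
            "severity": "high" if reasons else "info",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNIN_LOGS):
        detail = "; ".join(f["reasons"]) or "known ip, approved client"
        print(f"[{f['severity']}] {f['time']} {f['user']} from {f['ip']} via {f['app']}: {detail}")
```

In a real deployment the baseline would be built from weeks of history rather than the same export, and a device-code sign-in that completes MFA from a new IP shortly after a tracked-link click is the pattern to alert on first; blocking the flow outright for users who have no legitimate device-code clients removes the class of alert entirely.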