A sophisticated phishing-as-a-service kit known as Tycoon2FA is being used to bypass Microsoft 365 multi-factor authentication, with device-code phishing attacks increasing 37-fold in recent months.
What Is Tycoon2FA?
Tycoon2FA is a Phishing-as-a-Service (PhaaS) platform that allows cybercriminals — even those without advanced technical skills — to conduct highly sophisticated attacks against Microsoft 365 accounts. What makes it particularly dangerous is its ability to bypass multi-factor authentication (MFA), a security control that many organisations rely on as a primary defence against account compromise.
How the Attack Works: A Four-Layer Chain
The Tycoon2FA attack chain is cleverly engineered to evade both human suspicion and automated security tools:
- Layer 1 — Trusted delivery via Trustifi: The initial phishing link is sent through Trustifi, a legitimate email security platform. This means the email often passes spam and phishing filters, as it originates from a trusted service with a clean reputation.
- Layer 2 — Cloudflare Workers redirect: Clicking the link routes the victim through a Cloudflare Workers script. Cloudflare’s infrastructure is trusted by most security tools, allowing the redirect to bypass URL reputation checks.
- Layer 3 — Fake CAPTCHA page: The victim is presented with a convincing CAPTCHA verification page. This adds apparent legitimacy to the site and helps filter out automated scanning bots that security researchers use to analyse phishing pages.
- Layer 4 — Device-code phishing: The victim is directed to a page that tells them to enter a device code supplied by the attacker. This abuses the OAuth 2.0 device authorisation flow (RFC 8628), a legitimate Microsoft mechanism that lets devices without a keyboard or browser (smart TVs, command-line tools, IoT devices) sign a user in via a second device.
Understanding Device-Code Phishing
Device-code phishing exploits a legitimate Microsoft authentication flow. In normal use, a device without a browser asks Microsoft for a pair of codes: a long, secret device code that it keeps, and a short user code that it displays. The user goes to Microsoft's device-login page on a phone or laptop, signs in (completing MFA), and types in the user code; the device then polls Microsoft's token endpoint and is issued access and refresh tokens for that user. Tycoon2FA puts the attacker in the role of the device: the attacker's tooling requests the codes, the phishing page delivers only the user code to the victim, and once the victim has approved it, Microsoft issues the tokens to the attacker's polling client. Because the victim genuinely completed MFA, the tokens carry the MFA claim and satisfy any policy that merely requires MFA.
This is why the technique is so effective: the victim signs in on a real Microsoft page, with a valid certificate and no spoofed login form, and sees nothing out of the ordinary. The only anomaly is who ends up holding the resulting tokens, and that is invisible to the user.
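The exchange described above, played out in-process as an added illustration (this is not code from the original post, from Microsoft, or from the Tycoon2FA kit). A toy authorisation server issues the code pair, the human approves the user code on the verification page, and the token is handed to whoever holds the matching device code. The endpoint behaviour follows RFC 8628; the client names, verification URI and token contents are constructed for the example.

```python
"""Toy OAuth 2.0 device authorization flow (RFC 8628) with both parties played
in-process. Added illustration, not code from the original post, from Microsoft,
or from the Tycoon2FA kit; client names, the verification URI and the token
contents are constructed. Runs offline."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    device_code: str                     # long secret, returned only to the requesting client
    user_code: str                       # short code meant to be typed by a human
    expires_at: float
    authorized_by: Optional[str] = None  # UPN of whoever approved the user code


class ToyAuthServer:
    """Minimal authorization server: issues codes, records approvals, issues tokens."""

    def __init__(self, lifetime_s: float = 900.0):
        self.lifetime_s = lifetime_s
        self.grants_by_device_code = {}
        self.grants_by_user_code = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: called by the party that wants the token."""
        grant = DeviceGrant(client_id, scope, secrets.token_urlsafe(32),
                            secrets.token_hex(4).upper(), time.time() + self.lifetime_s)
        self.grants_by_device_code[grant.device_code] = grant
        self.grants_by_user_code[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": "https://login.example.invalid/devicelogin",  # constructed
                "interval": 5, "expires_in": int(self.lifetime_s)}

    def devicelogin(self, user_code: str, upn: str, mfa_passed: bool) -> str:
        """The verification page: the human signs in (MFA included) and types the code."""
        grant = self.grants_by_user_code.get(user_code)
        if grant is None or time.time() > grant.expires_at:
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_required"
        # The server cannot tell whether the code's requester is the user's own device.
        grant.authorized_by = upn
        return "approved"

    def token(self, client_id: str, device_code: str) -> dict:
        """POST /token with grant_type=device_code: polled by the code's requester."""
        grant = self.grants_by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.authorized_by is None:
            return {"error": "authorization_pending"}
        # Issued to the holder of device_code, with the claims of the human who approved it.
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),
                "sub": grant.authorized_by, "scope": grant.scope, "amr": ["pwd", "mfa"]}


def run_device_code_phish(server: ToyAuthServer, victim_upn="victim@example.com") -> dict:
    """Plays the attack end to end: attacker starts the flow, victim approves, attacker redeems."""
    attacker_client = "phishing-tool"  # constructed client name
    codes = server.device_authorization(attacker_client, "Mail.Read offline_access")
    # The attacker polls before the victim has done anything: nothing yet.
    pending = server.token(attacker_client, codes["device_code"])
    assert pending == {"error": "authorization_pending"}
    # The phishing page hands only user_code to the victim, who then signs in for real.
    assert server.devicelogin(codes["user_code"], victim_upn, mfa_passed=True) == "approved"
    # The next poll succeeds: the token describes the victim but lands with the attacker.
    return server.token(attacker_client, codes["device_code"])


if __name__ == "__main__":
    tok = run_device_code_phish(ToyAuthServer())
    print(f"attacker holds a token for {tok['sub']} with amr={tok['amr']}")
```

The point the simulation makes is that nothing in the flow binds the token to the browser session that approved it: approval is keyed on the short user code, issuance on the long device code, and the two are only ever linked inside the authorisation server. A client that did not request the device code cannot redeem it, which is why the attacker must be the one to start the flow.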
The Scale of the Threat
Security researchers have observed a 37-fold increase in device-code phishing attacks over recent months. The Tycoon2FA kit also maintains a blocklist of over 230 vendor names — blocking visits from known security company IP ranges to prevent researchers from easily analysing the phishing pages.
How to Defend Against Tycoon2FA
Given that this attack bypasses standard MFA, organisations need to implement additional controls:
- Block the device code flow with a Microsoft Entra ID (formerly Azure AD) Conditional Access policy (the "Authentication flows" condition) if your organisation has no devices or tools that need it. Check the sign-in logs first (device-code sign-ins are recorded with an authentication protocol of deviceCode) so that legitimate users of tools such as the Azure CLI can be excluded, and roll the policy out in report-only mode before enforcing it.
- Restrict user consent so that users cannot grant third-party applications access to Microsoft 365 data without administrator approval. This closes off illicit consent-grant attacks, but do not expect it to stop device-code phishing on its own: the device code flow can be started with Microsoft's own first-party application IDs, which require no consent at all.
- Enable Continuous Access Evaluation (CAE). Access tokens normally stay valid until they expire (about an hour); with CAE, supporting services such as Exchange Online, SharePoint Online and Teams reject a token almost immediately after a critical event such as the account being disabled, a password reset, an administrator revoking sessions, or a high user-risk signal. That shortens the window in which a stolen token is useful, but it is a response control rather than a preventive one, so be ready to revoke sessions and refresh tokens as soon as a compromise is suspected.
- Use phishing-resistant MFA such as FIDO2 security keys or Windows Hello for Business. These defeat credential and session-cookie theft through adversary-in-the-middle proxies, but they do not stop device-code phishing by themselves: the victim authenticates legitimately, security key and all, and the tokens are still issued to the attacker. Pair them with the Conditional Access controls above, and consider requiring a compliant or hybrid-joined device for access so that a token request from an attacker's unmanaged client is refused.
- Security awareness training: educate users about device-code phishing specifically. It looks and feels different from traditional credential harvesting, because nobody asks for a password on a fake page; instead the user is asked to type a short code into a genuine Microsoft page. Teach staff that an unexpected request to enter a device code is itself the red flag.
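Two of the steps above, hunting the sign-in logs for device-code use and then blocking the flow, as an added worked example (not code from the original post or from Microsoft). The log records are constructed; their field names follow the Microsoft Graph signIn resource (authenticationProtocol, appDisplayName, location.countryOrRegion, status.errorCode) and the policy body follows the conditionalAccessPolicy resource as I recall them, so check both against the current Graph documentation before relying on them. The allow-lists of expected apps and countries are assumptions to be replaced with your tenant's baseline.

```python
"""Hunt for device-code sign-ins in an Entra sign-in log export and build the
report-only Conditional Access policy that blocks the flow. Added example, not
code from the original post or from Microsoft. Records are constructed; field
names follow the Graph signIn and conditionalAccessPolicy resources as I recall
them and should be verified against current documentation."""
import json

# Constructed sign-in log export (one JSON object per line), not real tenant data.
SIGNIN_LOG = r"""
{"userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","appDisplayName":"Example Sync Client","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"userPrincipalName":"carol@example.com","appDisplayName":"Example Sync Client","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.8","location":{"countryOrRegion":"NL"},"status":{"errorCode":50126}}
{"userPrincipalName":"dave@example.com","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.11","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
"""

# Per-tenant baseline (assumption for the example): apps and countries from which
# device-code sign-ins are expected. Anything else is worth a closer look.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}
EXPECTED_COUNTRIES = {"GB"}


def find_device_code_signins(log_lines):
    """Return successful device-code sign-ins, each with a severity and the reasons for it."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # a failed sign-in issued no token
        reasons = []
        app = rec.get("appDisplayName")
        country = rec.get("location", {}).get("countryOrRegion")
        if app not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append(f"unexpected app {app!r}")
        if country not in EXPECTED_COUNTRIES:
            reasons.append(f"unexpected country {country!r}")
        findings.append({"user": rec.get("userPrincipalName"), "app": app,
                         "ip": rec.get("ipAddress"), "country": country,
                         "severity": "high" if reasons else "baseline",
                         "reasons": reasons})
    return findings


def block_device_code_policy(report_only=True, exclude_group_ids=()):
    """Graph request body for a Conditional Access policy that blocks the device code flow.
    Start in report-only mode, review the findings above, then switch to enforced."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in find_device_code_signins(SIGNIN_LOG.splitlines()):
        print(f["severity"], f["user"], f["app"], f["country"], "; ".join(f["reasons"]))
    print(json.dumps(block_device_code_policy(), indent=2))
```

The "baseline" findings tell you which users and applications would be broken by the block and therefore belong in an exclusion group; the "high" findings are candidates for immediate session revocation. Keep the exclusion group small and scoped to the specific tool that needs the flow, since every excluded account remains exposed.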
BIT Tech’s Approach to Microsoft 365 Security
At BIT Tech IT Solutions, we help organisations configure Microsoft 365 and Entra ID with security best practices in mind, including Conditional Access policies that can block device-code authentication flows and restrict application consent. We also provide cybersecurity awareness training to help your team recognise sophisticated phishing attempts.
If you’re concerned about your Microsoft 365 security posture, contact us today for a review.

