Tycoon 2FA Phishing Campaign Uses OAuth Device Code Abuse to Bypass MFA

Severity: High (Score: 66.5)

Sources: Gbhackers, Cybersecuritynews

Summary

A new phishing campaign linked to the Tycoon 2FA Phishing-as-a-Service kit has emerged, utilizing OAuth Device Code phishing to bypass multi-factor authentication (MFA) without capturing passwords. This campaign was identified in late April 2026, shortly after a global takedown of Tycoon 2FA infrastructure by Microsoft and Europol. The attackers have adapted their tactics to exploit OAuth Device Code abuse, specifically targeting Microsoft 365 accounts. This method allows cybercriminals to gain unauthorized access without traditional credential theft. The Tycoon 2FA kit has evolved from a simple phishing tool to a more sophisticated platform capable of evading common security measures. As of now, the threat remains active and poses significant risks to organizations using Microsoft 365 services.

Key Points:

  • Tycoon 2FA operators have adopted OAuth Device Code phishing to bypass MFA.
  • The campaign emerged after a recent takedown of Tycoon 2FA infrastructure.
  • Cybercriminals can access Microsoft 365 accounts without capturing passwords.
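
One way to hunt for the device code sign-ins described above, as an added example that is not part of the original page. It assumes sign-in logs exported as records shaped like Microsoft Graph signIn entries (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `createdDateTime`); the function name, the `alert_from` parameter and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample records (not real data), in Graph signIn-like shape (assumption).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-02T08:10:00Z", "userPrincipalName": "kiosk@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2026-04-10T09:00:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.20"},
    {"createdDateTime": "2026-04-27T08:05:00Z", "userPrincipalName": "kiosk@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2026-04-28T14:31:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.55"},
]

def flag_device_code_signins(records, alert_from, baseline_days=30):
    """Flag device code sign-ins by users with no device code use in the baseline window.

    Records older than alert_from only build the per-user baseline, so accounts
    that legitimately use the flow (shared screens, CLI tools) are not flagged.
    """
    start = datetime.strptime(alert_from, FMT)
    window = timedelta(days=baseline_days)
    history = {}  # user -> [(time, protocol, ip)] for records already processed
    alerts = []
    for rec in sorted(records, key=lambda r: datetime.strptime(r["createdDateTime"], FMT)):
        when = datetime.strptime(rec["createdDateTime"], FMT)
        user = rec["userPrincipalName"].lower()
        proto, ip = rec.get("authenticationProtocol"), rec.get("ipAddress")
        recent = [h for h in history.get(user, []) if when - h[0] <= window]
        first_use = not any(h[1] == "deviceCode" for h in recent)
        if when >= start and proto == "deviceCode" and first_use:
            alerts.append({
                "user": user,
                "time": rec["createdDateTime"],
                "ip": ip,
                # Source IP absent from all of this user's baseline sign-ins
                "new_ip": ip not in {h[2] for h in recent},
            })
        history.setdefault(user, []).append((when, proto, ip))
    return alerts

if __name__ == "__main__":
    for alert in flag_device_code_signins(SAMPLE_SIGNINS, "2026-04-25T00:00:00Z"):
        print(alert)
```

Because a device code sign-in completes with the user's own MFA, the signal here is the protocol appearing for an account that does not normally use it, not a failed or missing MFA step.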

Key Entities

  • Phishing (attack_type)
  • T1566 - Phishing (mitre_attack)
  • Microsoft 365 (platform)