Apr 17, 2026 • Nate Nelson
Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing
Executive Summary
Threat actors associated with the Tycoon 2FA phishing toolkit have evolved their tactics by adopting device code phishing techniques. This method exploits legitimate OAuth-based device authorization flows used by cloud services like Microsoft, Google, and GitHub. Attackers manipulate users into unknowingly approving authentication requests for attacker-controlled devices, effectively bypassing multi-factor authentication (MFA). The technique is difficult to detect because it uses valid, trusted authentication mechanisms rather than malicious code. Organizations should implement conditional access policies, monitor for suspicious device approvals, and educate users about device code authentication flows to mitigate this credential theft risk.
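The monitoring recommendation above can be turned into a concrete triage rule: baseline each user's normal sign-in locations, then flag any device-code authentication that lands outside that baseline or comes from an application not expected to use the device authorization grant. The following is an added example, not code from the article or from any vendor; the sample records and field names are constructed, loosely modelled on Microsoft Entra sign-in log fields, and the allow-list of device-code applications is an assumption to be tuned per tenant.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (field names are an assumption modelled
# on Entra sign-in logs; map them to your own schema). The attacker-initiated
# device-code sign-in for alice comes from a country she never signs in from.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "country": "US", "app": "Outlook", "ts": "2026-04-15T09:00:00Z"},
    {"user": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.11", "country": "US", "app": "Teams", "ts": "2026-04-16T09:00:00Z"},
    {"user": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "country": "NL", "app": "Microsoft Office", "ts": "2026-04-17T10:21:00Z"},
    {"user": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.50", "country": "US", "app": "Teams", "ts": "2026-04-16T11:00:00Z"},
    {"user": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.50", "country": "US", "app": "Azure CLI", "ts": "2026-04-17T11:00:00Z"},
]

# Applications that legitimately use the device authorization grant here
# (assumed allow-list; CLI tools on headless hosts are the usual case).
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def build_baseline(signins):
    """Collect countries and IPs seen per user in non-device-code sign-ins."""
    baseline = defaultdict(lambda: {"countries": set(), "ips": set()})
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            baseline[s["user"]]["countries"].add(s["country"])
            baseline[s["user"]]["ips"].add(s["ipAddress"])
    return baseline


def find_suspicious_device_code_signins(signins, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return device-code sign-ins that deviate from the user's baseline, with reasons."""
    baseline = build_baseline(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        seen = baseline[s["user"]]
        reasons = []
        if s["country"] not in seen["countries"]:
            reasons.append("country not in user's baseline")
        if s["ipAddress"] not in seen["ips"]:
            reasons.append("ip not in user's baseline")
        if s["app"] not in expected_apps:
            reasons.append("app not expected to use device code")
        if reasons:
            findings.append({"user": s["user"], "ts": s["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_suspicious_device_code_signins(SAMPLE_SIGNINS), indent=2))
```

Bob's device-code sign-in is left alone because it matches his baseline and uses an allow-listed CLI; Alice's is flagged on all three signals, which is the kind of event the article recommends reviewing or blocking with a conditional access policy.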
Summary
In embracing device code phishing, attackers trick victims into handing over account access by using a service's legitimate new-device login flow.
Linked Entities
- Tycoon 2FA