Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
Summary
The Tycoon2FA phishing operation added device-code phishing to hijack Microsoft 365 accounts, expanding its ability to steal access tokens and reach email, calendar, and cloud file storage. It had been rebuilt after a March law-enforcement disruption and quickly returned to regular activity on new infrastructure. The campaign used Trustifi click-tracking URLs and the OAuth 2.0 device authorization grant flow to trick victims into authorizing attacker-controlled devices. Researchers also found stronger anti-analysis defenses and a 230-vendor blocklist, showing the operation is still evolving.
Related Happenings
Azure Backup for AKS Trusted Access permission tightening
Security Patch Release
First: 16.05.2026 23:55
Last: 16.05.2026 23:55
Sources 1
About this happening:
**Microsoft** appears to have silently tightened **Azure Backup for AKS**, closing a **Trusted Access** authorization path that could let a low-privileged role reach **cluster-adm...
KongTuke Microsoft Teams initial access campaign
Campaign
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
Microsoft Defender false-positively flags DigiCert root certificates and removes some from Windows trust store
Security Tool/Service
First: 03.05.2026 21:11
Last: 03.05.2026 21:11
Sources 1
About this happening:
**Microsoft Defender** began falsely flagging valid **DigiCert root certificates** as **Trojan:Win32/Cerdigent.A!dha**, creating widespread false positives and risking certificate...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
Campaign
First: 20.04.2026 16:33
Last: 20.04.2026 16:33
Sources 1
About this happening:
The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Timeline
17.05.2026 17:43 · 2 articles
Tycoon2FA adds device-code phishing to hijack Microsoft 365 accounts
Initial Disclosure
eSentire reports that Tycoon2FA rebuilt after a March law-enforcement disruption, returned to regular activity on new infrastructure, and by late April was using OAuth 2.0 device authorization grant flows and Trustifi click-tracking URLs in invoice-themed lure emails to steal OAuth access and refresh tokens from Microsoft 365 accounts. The kit also added new obfuscation layers, a 230-vendor blocklist, and anti-analysis checks. Defenders are advised to disable the OAuth device code flow where it is not needed and to monitor Entra sign-in logs for deviceCode authentication.
Sources
- Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing — www.bleepingcomputer.com — 17.05.2026 17:43
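The timeline entry's detection advice, monitoring Entra sign-in logs for deviceCode authentication, can be turned into a small triage script. The following is an added example and is not code from eSentire, Microsoft, or the cited report. It assumes the sign-in events have been exported as newline-delimited JSON with the field names of the Microsoft Graph signIn resource (userPrincipalName, authenticationProtocol, ipAddress, appDisplayName, createdDateTime, status.errorCode); the sample records and the allowlist of applications expected to use device code are constructed for illustration.

```python
"""Flag Microsoft Entra sign-ins that used the OAuth 2.0 device code flow.

Added example (not the report's or Microsoft's code). The records below are
constructed; the field names follow the Microsoft Graph signIn resource, which
is an assumption about the export format in use.
"""
import json
from collections import defaultdict

# Constructed sample of exported sign-in events (not real data).
# A deviceCode sign-in for alice from an IP she has never used interactively,
# a legitimate Azure CLI deviceCode sign-in for bob, and a failed attempt for carol.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office", "createdDateTime": "2026-04-28T08:01:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office", "createdDateTime": "2026-04-28T08:05:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Office", "createdDateTime": "2026-04-28T08:50:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Azure CLI", "createdDateTime": "2026-04-28T09:00:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Office", "createdDateTime": "2026-04-28T09:30:00Z", "status": {"errorCode": 50126}}
"""

# Hypothetical allowlist: applications that legitimately use device code in this tenant.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def known_ips_by_user(records):
    """Per-user baseline of IPs seen on successful, non-device-code sign-ins."""
    baseline = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["ipAddress"])
    return baseline


def find_suspicious_device_code_signins(records):
    """Return successful deviceCode sign-ins not explained by the app allowlist
    or by the user's own IP baseline, with the reasons attached."""
    baseline = known_ips_by_user(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r["status"]["errorCode"] != 0:
            continue  # failed attempt: no token was issued, so count it but do not page on it
        reasons = []
        if r["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("app not on device-code allowlist")
        if r["ipAddress"] not in baseline.get(r["userPrincipalName"], set()):
            reasons.append("IP never seen on this user's interactive sign-ins")
        if reasons:
            findings.append({
                "user": r["userPrincipalName"],
                "time": r["createdDateTime"],
                "ip": r["ipAddress"],
                "app": r["appDisplayName"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_device_code_signins(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(finding)
```

Run against the constructed sample, only alice's sign-in is reported: the application is not one that normally uses device code here, and the source IP has no history on her interactive sign-ins. A real deployment would replace the inline sample with a SigninLogs export and widen the baseline window to several weeks; on the policy side, the same condition the script keys on (device code flow) can be blocked for users who do not need it with an Entra Conditional Access policy on the authentication flows condition, which is the "disable unused OAuth device code flow" advice in the timeline entry.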