Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
Summary
Hide ▲
Show ▼
The Tycoon2FA phishing operation added device-code phishing to hijack Microsoft 365 accounts, expanding its ability to steal access tokens and reach email, calendar, and cloud file storage. It had been rebuilt after a March law-enforcement disruption and quickly returned to regular activity on new infrastructure. The campaign used Trustifi click-tracking URLs and the OAuth 2.0 device authorization grant flow to trick victims into authorizing attacker-controlled devices. Researchers also found stronger anti-analysis defenses and a 230-vendor blocklist, showing the operation is still evolving.
Related Happenings
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware Activity
H score16
First: 05.06.2026 21:09
Last: 05.06.2026 21:09
Sources 1
About this happening:
The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware ActivityAbout this happening: The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...
Microsoft 365 Android apps token-sharing flaw (multiple vulnerabilities)
Vulnerability
H score21
First: 03.06.2026 17:56
Last: 03.06.2026 17:56
Sources 1
About this happening:
**Microsoft 365 Android apps** were exposed by a leftover **setIsDebugMode(true)** flag that let same-device apps steal account tokens and act as the signed-in user. The flaw coul...
Microsoft 365 Android apps token-sharing flaw (multiple vulnerabilities)
VulnerabilityAbout this happening: **Microsoft 365 Android apps** were exposed by a leftover **setIsDebugMode(true)** flag that let same-device apps steal account tokens and act as the signed-in user. The flaw coul...
Azure Backup for AKS Trusted Access permission tightening
Security Patch Release
H score8
First: 16.05.2026 23:55
Last: 16.05.2026 23:55
Sources 1
About this happening:
**Microsoft** appears to have silently tightened **Azure Backup for AKS**, closing a **Trusted Access** authorization path that could let a low-privileged role reach **cluster-adm...
Azure Backup for AKS Trusted Access permission tightening
Security Patch ReleaseAbout this happening: **Microsoft** appears to have silently tightened **Azure Backup for AKS**, closing a **Trusted Access** authorization path that could let a low-privileged role reach **cluster-adm...
KongTuke Microsoft Teams initial access campaign
Campaign
H score42
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
KongTuke Microsoft Teams initial access campaign
CampaignAbout this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
Microsoft Defender false-positively flags DigiCert root certificates and removes some from Windows trust store
Security Tool/Service
H score11
First: 03.05.2026 21:11
Last: 03.05.2026 21:11
Sources 1
About this happening:
**Microsoft Defender** began falsely flagging valid **DigiCert root certificates** as **Trojan:Win32/Cerdigent.A!dha**, creating widespread false positives and risking certificate...
Microsoft Defender false-positively flags DigiCert root certificates and removes some from Windows trust store
Security Tool/ServiceAbout this happening: **Microsoft Defender** began falsely flagging valid **DigiCert root certificates** as **Trojan:Win32/Cerdigent.A!dha**, creating widespread false positives and risking certificate...
Timeline
-
17.05.2026 17:43 2 articles · 1mo ago
Tycoon2FA adds device-code phishing to hijack Microsoft 365 accounts
Initial DisclosureeSentire reports that Tycoon2FA rebuilt after a March law-enforcement disruption, returned to regular activity on new infrastructure, and by late April was using OAuth 2.0 device authorization grant flows and Trustifi click-tracking URLs in invoice-themed lure emails to steal OAuth access and refresh tokens from Microsoft 365 accounts; the kit also added new obfuscation layers, a 230-vendor blocklist, and anti-analysis checks, while defenders are advised to disable unused OAuth device code flow and monitor Entra logs for deviceCode authentication.
Show sources
- Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing — www.bleepingcomputer.com — 17.05.2026 17:43
- Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing — www.bleepingcomputer.com — 17.05.2026 17:43