Find notable cyber news and cases, enriched with sources, timelines, and signals.

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
First reported
Last updated
Happening score
H score 46
1 unique sources, 1 articles

Summary

Hide ▲

The Tycoon2FA phishing operation added device-code phishing to hijack Microsoft 365 accounts, expanding its ability to steal access tokens and reach email, calendar, and cloud file storage. It had been rebuilt after a March law-enforcement disruption and quickly returned to regular activity on new infrastructure. The campaign used Trustifi click-tracking URLs and the OAuth 2.0 device authorization grant flow to trick victims into authorizing attacker-controlled devices. Researchers also found stronger anti-analysis defenses and a 230-vendor blocklist, showing the operation is still evolving.

Related Happenings

UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity

Malware Activity
H score16 First: 05.06.2026 21:09 Last: 05.06.2026 21:09 Sources 1

About this happening: The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...

Microsoft 365 Android apps token-sharing flaw (multiple vulnerabilities)

Vulnerability
H score21 First: 03.06.2026 17:56 Last: 03.06.2026 17:56 Sources 1

About this happening: **Microsoft 365 Android apps** were exposed by a leftover **setIsDebugMode(true)** flag that let same-device apps steal account tokens and act as the signed-in user. The flaw coul...

Azure Backup for AKS Trusted Access permission tightening

Security Patch Release
H score8 First: 16.05.2026 23:55 Last: 16.05.2026 23:55 Sources 1

About this happening: **Microsoft** appears to have silently tightened **Azure Backup for AKS**, closing a **Trusted Access** authorization path that could let a low-privileged role reach **cluster-adm...

KongTuke Microsoft Teams initial access campaign

Campaign
H score42 First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

Microsoft Defender false-positively flags DigiCert root certificates and removes some from Windows trust store

Security Tool/Service
H score11 First: 03.05.2026 21:11 Last: 03.05.2026 21:11 Sources 1

About this happening: **Microsoft Defender** began falsely flagging valid **DigiCert root certificates** as **Trojan:Win32/Cerdigent.A!dha**, creating widespread false positives and risking certificate...

Timeline

  1. 17.05.2026 17:43 2 articles · 1mo ago

    Tycoon2FA adds device-code phishing to hijack Microsoft 365 accounts

    Initial Disclosure

    eSentire reports that Tycoon2FA rebuilt after a March law-enforcement disruption, returned to regular activity on new infrastructure, and by late April was using OAuth 2.0 device authorization grant flows and Trustifi click-tracking URLs in invoice-themed lure emails to steal OAuth access and refresh tokens from Microsoft 365 accounts; the kit also added new obfuscation layers, a 230-vendor blocklist, and anti-analysis checks, while defenders are advised to disable unused OAuth device code flow and monitor Entra logs for deviceCode authentication.

    Show sources