Attackers are using Microsoft’s own authentication flow to silently hijack Microsoft 365 accounts.
Key Takeaways:
Cybercriminals are once again refining their tactics, as the Tycoon 2FA phishing kit evolves to target Microsoft 365 accounts. Instead of stealing passwords, attackers now manipulate users into granting access through device‑code techniques, which makes the attack harder to detect and block.
Earlier this month, researchers reported that the Tycoon 2FA phishing kit had returned to full operation, with added layers of obfuscation to better resist disruption efforts. In late April, it was also seen in a campaign exploiting OAuth 2.0 device authorization flows to gain access to Microsoft 365 accounts.
According to new research from eSentire, attackers behind the Tycoon 2FA phishing‑as‑a‑service (PhaaS) kit are still active despite a major takedown earlier this year. Instead of stealing credentials directly, they have adapted their existing toolkit to exploit OAuth device authorization flows. The underlying infrastructure and techniques of the kit remain mostly unchanged, and only the method of data theft has evolved.
In this attack method, victims are persuaded to complete what appears to be a legitimate Microsoft device login process using the official device login page. However, instead of handing over credentials, they unknowingly approve an access request, and the resulting authentication tokens are issued to the attacker, who can then enter the Microsoft 365 account. This means that a single approval can provide wide-ranging access to services such as Outlook, OneDrive, and Microsoft Graph.
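To make concrete why one approval is enough, here is a toy model of the OAuth 2.0 device authorization grant (RFC 8628). It is an added example, not code from eSentire, the Tycoon 2FA kit, or Microsoft: the server, client ID, verification URI and the allowlist that stands in for a Conditional Access rule blocking device-code sign-ins are all constructed for illustration.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).
Added here to show that the token goes to whoever started the flow,
not to the person who typed the code. Nothing below is Microsoft's
implementation; names, URIs and the policy hook are assumptions."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class DeviceRequest:
    device_code: str        # secret held by the client that started the flow
    user_code: str          # short code the user types at the verification URI
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None
    access_token: Optional[str] = None


class AuthorizationServer:
    """Minimal device-flow server. device_flow_allowlist=None lets every user
    complete device-code sign-ins (the permissive default); a set restricts
    the flow to the listed users, standing in for a policy that blocks it."""

    def __init__(self, device_flow_allowlist: Optional[Set[str]] = None) -> None:
        self._by_device_code: Dict[str, DeviceRequest] = {}
        self._by_user_code: Dict[str, DeviceRequest] = {}
        self.device_flow_allowlist = device_flow_allowlist

    def device_authorization(self, client_id: str, scope: str, lifetime: int = 900) -> dict:
        """Step 1: a client, on any machine, asks the server for a code pair."""
        req = DeviceRequest(
            device_code=secrets.token_urlsafe(32),
            user_code="-".join(secrets.token_hex(2).upper() for _ in range(2)),
            client_id=client_id, scope=scope, expires_at=time.time() + lifetime,
        )
        self._by_device_code[req.device_code] = req
        self._by_user_code[req.user_code] = req
        return {"device_code": req.device_code, "user_code": req.user_code,
                "verification_uri": "https://login.example.invalid/devicelogin",  # constructed
                "expires_in": lifetime, "interval": 5}

    def approve(self, user: str, user_code: str) -> str:
        """Step 2: the user signs in at the verification URI and types the code.
        The server sees a valid code and a valid sign-in; it cannot tell whether
        the device holding device_code belongs to this user or to someone else."""
        req = self._by_user_code.get(user_code)
        if req is None or req.expires_at < time.time():
            return "invalid_code"
        if self.device_flow_allowlist is not None and user not in self.device_flow_allowlist:
            return "blocked_by_policy"
        req.approved_by = user
        req.access_token = f"tok-{user}-{secrets.token_hex(4)}"
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 3: the client polls; once approved it receives the user's token."""
        req = self._by_device_code.get(device_code)
        if req is None:
            return {"error": "invalid_grant"}
        if req.expires_at < time.time():
            return {"error": "expired_token"}
        if req.access_token is None:
            return {"error": "authorization_pending"}
        return {"access_token": req.access_token, "token_type": "Bearer",
                "scope": req.scope, "issued_to_user": req.approved_by}


def run_scenario(allowlist: Optional[Set[str]]) -> dict:
    """A flow started on one machine, approved by a user who was lured to the
    verification page, then polled from the first machine. Returns what each
    side observed so the outcome can be checked."""
    srv = AuthorizationServer(device_flow_allowlist=allowlist)
    started = srv.device_authorization("constructed-client-id", "Mail.Read Files.Read")
    pending = srv.token(started["device_code"])            # polled before the user acts
    outcome = srv.approve("victim@example.invalid", started["user_code"])
    after = srv.token(started["device_code"])
    return {"pending_error": pending.get("error"), "approval": outcome,
            "token_issued": "access_token" in after, "token_owner": after.get("issued_to_user")}


if __name__ == "__main__":
    print("no policy:      ", run_scenario(None))
    print("flow blocked:   ", run_scenario(set()))
```

With no policy the poller receives a bearer token bound to the user who approved; with the allowlist empty, the same user's approval is refused and the poller keeps seeing `authorization_pending` until the code expires. That is the control the page's recommendations point at: limiting who may complete device-code sign-ins at all.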
This campaign uses a four-layer in-browser payload delivery system to hide malicious content.
The list of techniques includes encryption and obfuscation of scripts, dynamic reconstruction of suspicious commands (e.g., hiding “eval” usage), anti-debugging tricks, and developer-tool blocking.
The phishing kit is designed to evade detection by actively identifying and filtering out security analysis environments. It detects headless browsers and automated tools, blocks traffic from known security vendors, cloud providers, VPNs, and sandbox platforms through ASN-based filtering, and redirects suspicious visitors to legitimate Microsoft pages. This large and frequently updated blocklist shows that the kit is continuously maintained and refined.
Victims are shown a fake CAPTCHA-style “HumanCheck” page to appear legitimate and filter automated traffic. A “Check Domain” mechanism allows attackers to dynamically decide whether a visitor should see the phishing content. Campaigns are also time-limited, with built-in expiration dates to reduce forensic analysis opportunities.
It’s highly recommended that organizations strengthen their defenses by focusing on conditional access controls and stricter OAuth governance. This includes limiting or monitoring device‑code authentication flows, enforcing least‑privilege access for applications, and closely reviewing OAuth consent activity to detect unusual token grants tied to Microsoft 365 accounts.
They should also improve email security, user awareness, and detection capabilities to counter advanced phishing techniques. Moreover, training users to recognize suspicious login requests, implementing advanced phishing protection, and monitoring for abnormal sign‑ins or token usage can help reduce risk. It’s also advised to tune threat detection systems to identify evasive behavior such as traffic filtering, redirection patterns, and misuse of trusted platforms in phishing chains.
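One way to act on the monitoring advice above is to pull device-code sign-ins out of the sign-in log and rank them against each user's normal interactive activity. The example below is added here and is not from eSentire or Microsoft; its field names follow the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, location, appDisplayName, status), and every record in it is constructed.

```python
"""Added example: flag device-code sign-ins in Entra ID style sign-in records
and rate them against each user's interactive baseline. The field names are
modelled on the Microsoft Graph signIn resource; the records are constructed."""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: alice and bob on a normal day, one failed interactive
# sign-in for bob from abroad, then one device-code sign-in for each user.
SAMPLE_SIGNINS: List[dict] = [
    {"createdDateTime": "2025-05-06T08:02:11Z", "userPrincipalName": "alice@example.invalid",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-06T08:05:40Z", "userPrincipalName": "bob@example.invalid",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-06T09:14:03Z", "userPrincipalName": "bob@example.invalid",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "SE"}, "appDisplayName": "Outlook",
     "status": {"errorCode": 50126}},   # failed sign-in; must not widen the baseline
    {"createdDateTime": "2025-05-06T10:31:57Z", "userPrincipalName": "alice@example.invalid",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-06T10:33:12Z", "userPrincipalName": "bob@example.invalid",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "SE"}, "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
]


def baseline_countries(signins: List[dict]) -> Dict[str, Set[str]]:
    """Countries seen in each user's successful, non-device-code sign-ins."""
    base: Dict[str, Set[str]] = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] == "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue
        base[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return base


def find_device_code_signins(signins: List[dict]) -> List[dict]:
    """Every device-code sign-in is worth a look; one from a country the user
    has never signed in from interactively is rated high. Sorted high first."""
    base = baseline_countries(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        known = base.get(user, set())
        reasons = ["device code flow used"]
        severity = "medium"
        if country not in known:
            reasons.append(f"country {country} outside interactive baseline {sorted(known)}")
            severity = "high"
        findings.append({"time": s["createdDateTime"], "user": user, "ip": s["ipAddress"],
                         "app": s["appDisplayName"], "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: (f["severity"] != "high", f["time"]))
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["time"], f["user"], f["ip"], f["app"], "; ".join(f["reasons"]))
```

Bob's failed attempt from SE is excluded from his baseline, so his later device-code sign-in from the same address is rated high; alice's device-code sign-in from her usual location still surfaces, at medium, because the flow itself is the thing to govern. In a real deployment the baseline would come from a longer window than the same batch of records, and the country check is one of several signals (ASN, user agent, and the app being signed into are others).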