The Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts.
Despite an international law enforcement operation disrupting the Tycoon2FA phishing platform in March, the malicious operation was rebuilt on new infrastructure and quickly returned to regular activity levels.
Earlier this month, Abnormal Security confirmed that Tycoon2FA had rebounded to normal operations and even added new obfuscation layers to strengthen its resilience against new disruption attempts.
In late April, Tycoon2FA was observed in a campaign that leveraged the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 accounts, indicating that the operator continues to develop the kit.
Device code phishing is a type of attack in which threat actors send a device authorization request to the target service’s provider and forward the generated code to the victim, tricking them into entering it on the service’s legitimate login page.
Doing so authorizes the attacker to register a rogue device with the victim’s Microsoft 365 account, giving them unrestricted access to the victim's data and services, including email, calendar, and cloud file storage.
Push Security recently warned that this type of attack has increased by 37x this year, supported by at least ten distinct phishing-as-a-service (PhaaS) platforms and private kits. A more recent report by Proofpoint records a similar surge in the use of the tactic.
Tycoon2FA adds device-code phishing
According to new research from managed detection and response company eSentire, Tycoon2FA's adoption of the technique confirms that device code phishing has become highly popular among cybercriminals.
“The attack begins when a victim clicks a Trustifi click-tracking URL in a lure email and culminates in the victim unknowingly granting OAuth tokens to an attacker-controlled device through Microsoft's legitimate device-login flow at microsoft.com/devicelogin,” explains eSentire.
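Because the victim completes the sign-in at microsoft.com/devicelogin, the resulting token grant is logged from the victim's own IP, so IP or geolocation rules alone will not catch it. The following added example, which is not from the article or from eSentire, instead flags successful sign-ins that used the device authorization grant when they are a user's first in a baseline window or come through a client app outside a tenant allowlist. The sign-in records are constructed; the field names follow the Microsoft Graph signIn resource, and the value "deviceCode" for authenticationProtocol and the allowlist contents are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed Entra ID sign-in records (made-up users, times and apps). Field names
# follow the Microsoft Graph signIn resource; "deviceCode" in authenticationProtocol
# is assumed to mark a sign-in completed through microsoft.com/devicelogin.
SAMPLE_LOG = """
{"createdDateTime": "2025-04-20T08:00:00Z", "userPrincipalName": "alice@example.test", "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-04-28T09:12:00Z", "userPrincipalName": "alice@example.test", "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-04-28T10:30:00Z", "userPrincipalName": "bob@example.test", "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
{"createdDateTime": "2025-04-28T10:41:00Z", "userPrincipalName": "bob@example.test", "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-04-28T11:05:00Z", "userPrincipalName": "carol@example.test", "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
"""

# Hypothetical allowlist: client apps for which a tenant expects device-code sign-ins
# (CLI tools on headless hosts, for example). Tune to your own environment.
ALLOWED_DEVICE_CODE_APPS = {"Azure CLI"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def device_code_alerts(signins, baseline_days=30, allowed_apps=ALLOWED_DEVICE_CODE_APPS):
    """Return (user, timestamp, app, reason) tuples for successful device-code sign-ins
    that are the user's first within baseline_days or use a non-allowlisted client."""
    seen = {}  # user -> timestamp of the previous successful device-code sign-in
    alerts = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s["status"]["errorCode"] != 0:
            continue  # only a granted token gives the attacker access; failures are noise here
        user = s["userPrincipalName"]
        ts = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))
        reasons = []
        prior = seen.get(user)
        if prior is None or ts - prior > timedelta(days=baseline_days):
            reasons.append("first device-code sign-in in baseline window")
        if s["appDisplayName"] not in allowed_apps:
            reasons.append(f"unexpected client app: {s['appDisplayName']}")
        seen[user] = ts
        if reasons:
            alerts.append((user, s["createdDateTime"], s["appDisplayName"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in device_code_alerts(parse_signins(SAMPLE_LOG)):
        print(alert)
```

In the sample, Alice's first Azure CLI sign-in is flagged only as a baseline miss, her second is not, Bob's broker sign-in is flagged on both counts, and Carol's failed attempt is ignored.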