Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing
Summary
The Tycoon2FA phishing kit has been updated to support device-code phishing attacks, allowing threat actors to hijack Microsoft 365 accounts. This new method leverages Trustifi's click-tracking URLs to facilitate the attack.
IFF Assessment
The development of new phishing techniques that can successfully hijack user accounts is bad news for defenders, as it increases the attack surface and the likelihood of successful compromises.
Defender Context
This attack highlights the evolving nature of phishing campaigns, particularly their ability to bypass traditional security measures like multi-factor authentication by exploiting device authorization flows. Defenders should educate users on the risks of interacting with unexpected authorization prompts and monitor for suspicious device registration activities within their Microsoft 365 environments.
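One way to act on the monitoring advice above is to review every sign-in that completed through the device authorization flow. The following is an added example, not part of the original report or any vendor tooling; the log records are constructed, and the field names (`authenticationProtocol`, `country`, and so on) are an assumption modelled on Entra ID sign-in log exports, as is the `expected_users` allow-list.

```python
import json
from collections import defaultdict

# Constructed sample records, one JSON object per line. Field names are an
# assumption modelled on Entra ID sign-in log exports; map them to your schema.
SAMPLE_LOG = """
{"time":"2025-01-10T08:01:00Z","user":"alice@example.com","authenticationProtocol":"none","ip":"198.51.100.10","country":"US"}
{"time":"2025-01-10T08:40:00Z","user":"alice@example.com","authenticationProtocol":"deviceCode","ip":"203.0.113.77","country":"NL"}
{"time":"2025-01-10T08:45:00Z","user":"svc-cli@example.com","authenticationProtocol":"deviceCode","ip":"198.51.100.20","country":"US"}
{"time":"2025-01-10T09:00:00Z","user":"bob@example.com","authenticationProtocol":"none","ip":"198.51.100.11","country":"US"}
{"time":"2025-01-10T09:30:00Z","user":"bob@example.com","authenticationProtocol":"deviceCode","ip":"198.51.100.11","country":"US"}
"""

def parse(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)

def flag_device_code_signins(records, expected_users=frozenset()):
    """Return device-code sign-ins by accounts not expected to use that flow.

    expected_users: hypothetical allow-list of accounts (CLI or kiosk
    identities) that legitimately authenticate with device codes.
    A second reason is attached when the sign-in comes from a country the
    user has not been seen in earlier in the same data set.
    """
    seen_countries = defaultdict(set)
    alerts = []
    # Timestamps share one ISO 8601 UTC format, so string order is time order.
    for r in sorted(records, key=lambda rec: rec["time"]):
        user = r["user"].lower()
        country = r.get("country")
        if r.get("authenticationProtocol") == "deviceCode" and user not in expected_users:
            reasons = ["device-code flow by account not on the allow-list"]
            if seen_countries[user] and country not in seen_countries[user]:
                reasons.append(f"first sign-in from {country} for this user")
            alerts.append({"time": r["time"], "user": user,
                           "ip": r.get("ip"), "reasons": reasons})
        seen_countries[user].add(country)
    return alerts

if __name__ == "__main__":
    for alert in flag_device_code_signins(parse(SAMPLE_LOG), {"svc-cli@example.com"}):
        print(alert["time"], alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

Most users never need the device-code flow, so a short allow-list keeps the alert volume low enough to review each hit by hand.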