Tycoon 2FA Phishers Switch to Device Code Phishing Attacks
Tycoon, a well‑known phishing collective that has long abused two‑factor authentication (2FA) bypass tricks, has quietly shifted to a new attack vector: OAuth 2.0 device‑code phishing. Historically the group harvested credentials and one‑time passwords through look‑alike login pages; recent incident reports from Dark Reading show that its latest campaigns now abuse the device authorization flow used by Microsoft, Google, GitHub and other major platforms.
The attack begins when a victim lands on a malicious site that mimics a legitimate service’s sign‑in portal. The page displays a fake user code (e.g., “ABCD‑1234”) and instructs the user to visit the genuine device‑code endpoint (such as `https://login.microsoftonline.com/common/oauth2/devicecode`) and enter that code. Behind the scenes, the attacker‑controlled application supplies a `client_id` and a `redirect_uri` that point to a resource under the attacker’s domain. When the victim enters the code, the authorization server returns an access token and a refresh token, which the attacker captures in real time. Because the OAuth flow treats the request as a “new device” login, the resulting token can often bypass additional 2FA prompts, granting the adversary persistent access to the victim’s account.
Security teams can spot the anomaly by monitoring for unexpected device‑code authorization emails and by correlating OAuth client IDs with known‑malicious applications in their environment. Conditional access policies that require step‑up authentication for device‑code flows, combined with restrictions on which redirect URIs are allowed, significantly reduce the attack surface. Deploying token‑lifecycle alerts and auditing OAuth app registrations also help identify rogue applications before a token is issued.
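The detection approach described above (watching device‑code authorizations and correlating the OAuth client IDs behind them) can be turned into a small triage script. The following is an added example, not code from the article or from any vendor: it runs three checks over constructed sign‑in records whose field names only approximate the shape of identity‑provider sign‑in logs (`authenticationProtocol`, `appId`, `appDisplayName`, `location.countryOrRegion` are assumed), flags device‑code sign‑ins from an `appId` outside an allowlist even when the display name looks familiar, flags device‑code sign‑ins from a country absent from the user's baseline, and flags a burst of distinct users authorizing the same app within a short window, which is the pattern a phishing campaign leaves. The allowlisted application ID and all log lines are placeholders.

```python
"""Triage OAuth device-code sign-ins for the anomalies a phishing campaign leaves behind.

Added example with constructed data; the record schema is assumed, not a vendor's verbatim format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: application IDs that this tenant has explicitly approved for device-code sign-in (placeholder value).
ALLOWED_DEVICE_CODE_APPS = {"11111111-1111-1111-1111-111111111111"}

# Assumed per-user baseline of countries previously seen for interactive sign-ins (constructed).
BASELINE_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
    "carol@example.com": {"US"},
    "dave@example.com": {"US"},
}

# Constructed sample: one legitimate device-code sign-in, two suspicious ones that reuse a familiar
# display name under an unknown appId, and one ordinary authorization-code sign-in for contrast.
SAMPLE_SIGNIN_LOGS = """
{"createdDateTime":"2024-05-02T09:01:10Z","userPrincipalName":"alice@example.com","appId":"11111111-1111-1111-1111-111111111111","appDisplayName":"Approved CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2024-05-02T09:03:42Z","userPrincipalName":"bob@example.com","appId":"22222222-2222-2222-2222-222222222222","appDisplayName":"Approved CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2024-05-02T09:04:05Z","userPrincipalName":"carol@example.com","appId":"22222222-2222-2222-2222-222222222222","appDisplayName":"Approved CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.8","location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2024-05-02T09:10:00Z","userPrincipalName":"dave@example.com","appId":"11111111-1111-1111-1111-111111111111","appDisplayName":"Approved CLI","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.11","location":{"countryOrRegion":"US"}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_signins(records):
    """Keep only sign-ins completed through the device authorization grant."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def _timestamp(record):
    # Accept the trailing 'Z' form on Python versions whose fromisoformat does not.
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def detect_device_code_anomalies(records, allowed_apps, baseline_countries,
                                 burst_window=timedelta(minutes=10), burst_threshold=2):
    """Return a list of findings; each is a dict with rule, user, appId and detail."""
    findings = []
    dc = device_code_signins(records)

    # Per-record checks: unknown client behind the device-code grant, or sign-in from a new country.
    for r in dc:
        user, app = r["userPrincipalName"], r["appId"]
        country = r.get("location", {}).get("countryOrRegion")
        if app not in allowed_apps:
            findings.append({"rule": "unapproved_device_code_app", "user": user, "appId": app,
                             "detail": f"display name '{r.get('appDisplayName')}' but appId is not allowlisted"})
        if country and country not in baseline_countries.get(user, set()):
            findings.append({"rule": "device_code_from_new_country", "user": user, "appId": app,
                             "detail": f"sign-in from {country} via {r.get('ipAddress')}, outside user baseline"})

    # Campaign check: several distinct users authorizing the same app inside one short window.
    by_app = defaultdict(list)
    for r in dc:
        by_app[r["appId"]].append((_timestamp(r), r["userPrincipalName"]))
    for app, events in by_app.items():
        events.sort()
        for t0, _ in events:
            users = {u for t, u in events if t0 <= t <= t0 + burst_window}
            if len(users) >= burst_threshold:
                findings.append({"rule": "device_code_burst", "user": None, "appId": app,
                                 "detail": f"{len(users)} distinct users authorized this app within {burst_window}"})
                break  # one finding per app is enough for triage
    return findings


def run_sample():
    """Run the three checks over the constructed sample records."""
    return detect_device_code_anomalies(parse_signins(SAMPLE_SIGNIN_LOGS),
                                        ALLOWED_DEVICE_CODE_APPS, BASELINE_COUNTRIES)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"[{finding['rule']}] user={finding['user']} appId={finding['appId']}: {finding['detail']}")
```

On the sample data the approved sign‑in by `alice` produces nothing, while the two sign‑ins behind the unknown `appId` trigger the allowlist check, the new‑country check and, taken together, the burst check. In a real deployment the allowlist and baseline would be fed from the tenant's app registrations and sign‑in history, and the window and threshold tuned to the organization's normal device‑code volume.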
Threat‑intelligence providers have linked the new technique to Tycoon’s operational signature, noting the use of similar `redirect_uri` patterns and the reuse of previously flagged `client_id` values across multiple tenants. The group’s activity aligns with MITRE ATT&CK technique T1550 (Use Alternate Authentication) and T1566 (Phishing). Organizations are advised to enforce FIDO2 hardware‑key authentication, enable number‑matching in MFA prompts, and educate users about the legitimate device‑code flow to mitigate this evolving threat.