Tycoon 2FA Operators Pivot to Device Code Phishing After Takedown Pressure
Operators behind the Tycoon 2FA phishing-as-a-service kit are fragmenting and shifting tactics, moving toward device code phishing as law enforcement and platform defenders erode their traditional adversary-in-the-middle infrastructure. Device code flows abuse legitimate OAuth authorization endpoints: the attacker starts a device code sign-in and tricks the user into approving it by entering the short code on the real login page, so the resulting session is granted to the attacker-controlled device. This bypasses many MFA controls without the attacker ever needing to proxy credentials in real time.
The shift matters because device code phishing leaves far fewer of the telltale artifacts defenders have tuned detections around: no lookalike domain, no reverse-proxy TLS fingerprint, no session-cookie theft at a malicious origin. The authentication itself happens on Microsoft or Google infrastructure, which makes URL-based blocking and conditional access policies keyed to suspicious hosts largely ineffective.
Defenders need to treat device code grants as a first-class risk surface: restrict or disable the flow where it isn’t required, alert on device code authentications from unusual geographies or unmanaged endpoints, and educate users that any prompt to type a short code into a Microsoft or Google login page outside of a known enrollment workflow is suspect.
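One way to act on the second recommendation is to sweep sign-in telemetry for device code authentications that come from unexpected countries or unmanaged endpoints, or from users who have no established reason to use the flow. The example below is added here for illustration and is not code from the Dark Reading article or from any vendor; the JSON field names (`authenticationProtocol`, `location.countryOrRegion`, `deviceDetail.isManaged`) are modelled on Microsoft Entra sign-in log fields but are assumptions to check against your own tenant's export schema, and the sample records are constructed.

```python
import json

# Constructed sign-in records as newline-delimited JSON, the shape many SIEMs export.
# Field names follow Entra sign-in logs by assumption; verify against your real data.
SAMPLE_SIGNINS_NDJSON = "\n".join([
    json.dumps({"userPrincipalName": "alice@example.test", "createdDateTime": "2024-06-01T08:02:11Z",
                "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
                "location": {"countryOrRegion": "US"}, "deviceDetail": {"isManaged": True}}),
    json.dumps({"userPrincipalName": "bob@example.test", "createdDateTime": "2024-06-01T08:05:40Z",
                "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
                "location": {"countryOrRegion": "NG"}, "deviceDetail": {"isManaged": False}}),
    json.dumps({"userPrincipalName": "carol@example.test", "createdDateTime": "2024-06-01T08:06:02Z",
                "ipAddress": "198.51.100.9", "authenticationProtocol": "authorizationCode",
                "location": {"countryOrRegion": "RU"}, "deviceDetail": {"isManaged": False}}),
    json.dumps({"userPrincipalName": "dave@example.test", "createdDateTime": "2024-06-01T08:09:55Z",
                "ipAddress": "192.0.2.44", "authenticationProtocol": "deviceCode",
                "location": {"countryOrRegion": "US"}, "deviceDetail": {"isManaged": False}}),
])

# Policy inputs (constructed): where the organisation normally signs in from, and which
# accounts legitimately rely on the device code flow (for example headless device enrollment).
ALLOWED_COUNTRIES = {"US", "CA"}
DEVICE_CODE_BASELINE_USERS = {"alice@example.test"}


def parse_signins(ndjson_text):
    """Parse newline-delimited JSON sign-in records, skipping blank or malformed lines."""
    records = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken log line should not abort the whole sweep
    return records


def device_code_findings(records, allowed_countries=ALLOWED_COUNTRIES,
                         baseline_users=DEVICE_CODE_BASELINE_USERS):
    """Return one finding per device code sign-in that matches any risk indicator."""
    findings = []
    for rec in records:
        # Only the device code grant is in scope; other protocols are left to other rules.
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec.get("userPrincipalName", "<unknown>")
        country = (rec.get("location") or {}).get("countryOrRegion")
        managed = bool((rec.get("deviceDetail") or {}).get("isManaged", False))
        reasons = []
        if country not in allowed_countries:
            reasons.append(f"sign-in from unexpected country {country}")
        if not managed:
            reasons.append("unmanaged endpoint")
        if user not in baseline_users:
            reasons.append("user has no known device code use case")
        if reasons:
            findings.append({
                "user": user,
                "time": rec.get("createdDateTime"),
                "ip": rec.get("ipAddress"),
                "reasons": reasons,
            })
    return findings


def findings_by_user(findings):
    """Group findings per user so a burst against one account stands out in triage."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["user"], []).append(f)
    return grouped


if __name__ == "__main__":
    hits = device_code_findings(parse_signins(SAMPLE_SIGNINS_NDJSON))
    for user, items in findings_by_user(hits).items():
        for item in items:
            print(f"{item['time']} {user} {item['ip']}: " + "; ".join(item["reasons"]))
```

Alice's managed, in-country, baselined sign-in produces no finding, Carol's authorization code sign-in is out of scope for this rule, and Bob and Dave are surfaced with the specific indicators that fired. Tune `ALLOWED_COUNTRIES` and `DEVICE_CODE_BASELINE_USERS` to the environment, and treat a hit on any one indicator as worth a look rather than requiring all three.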
This is an AI-generated summary of an article published at Dark Reading; read the original for the full story.