Tycoon2FA Weaponizes OAuth Device Code Phishing: The Post-Takedown Evolution
TL;DR
After being disrupted by Microsoft and Europol in March 2026, the Tycoon2FA phishing-as-a-service kit rebuilt on new infrastructure and has now evolved to run OAuth device-code phishing against Microsoft 365 accounts. The kit abuses Trustifi click-tracking URLs and the legitimate Microsoft device authorization flow to obtain OAuth access and refresh tokens without ever handling the victim's password: the victim satisfies MFA on the genuine Microsoft login page, the tokens are issued to the attacker's client, and the sign-in is logged under a Microsoft first-party application.
What Happened
On May 17, 2026, BleepingComputer reported on eSentire Threat Response Unit analysis (published May 12) of an active Tycoon2FA campaign that integrates device-code OAuth phishing, an attack vector that, by Push Security's count, has surged 37x globally this year.
Tycoon2FA, a commercial phishing-as-a-service platform, was partially dismantled in a March 2026 operation led by Microsoft and Europol. Within weeks, the threat actor rebuilt the kit on new infrastructure and resumed normal operations—but with a critical evolution: the operator is now leveraging OAuth 2.0 device authorization grant flows to silently register rogue devices on victim Microsoft 365 tenants.
The attack flow:
1. Phishing email arrives with a Trustifi click-tracking URL (appears clean, legitimate domain)
2. URL redirects via Cloudflare Workers throwaway subdomain to malicious payload
3. Victim lands on fake Microsoft CAPTCHA page
4. The page displays a user code and instructs the victim to enter it at microsoft.com/devicelogin; the attacker has already requested that code pair from Microsoft's device authorization endpoint, so the matching secret device_code is in their hands
5. Victim signs in and completes MFA on the genuine Microsoft page, believing it to be the CAPTCHA or verification step, and thereby authorizes a grant they did not initiate
6. Microsoft issues OAuth access and refresh tokens to the client polling with the device_code, i.e. the attacker
7. Attacker gains full Microsoft 365 access: email, calendar, OneDrive, Teams, Graph API
The phishing page never asks for a password; the victim types it into the real login page, and the attacker never needs to see it. MFA is satisfied rather than broken, and the resulting tokens go to whoever started the flow. Because the kit requests the code as a pre-consented Microsoft first-party client, no consent prompt is shown and no admin consent is required.
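The exchange those seven steps describe, as an added Python example that is not code from this page, from eSentire, or from the kit: an in-process stand-in for an authorization server's device endpoints (RFC 8628) plus a driver that plays both the attacker's client and the victim. The verification URI, the client id (the broker AppId named later in this article), the scope string and all codes are constructed, and nothing contacts Microsoft. The point it makes concrete is that the server binds whoever types the user code and passes MFA to a grant that someone else requested, then hands the tokens to the party polling with the secret device_code.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) as abused
in device-code phishing. Added example; the in-process 'server' below stands in
for the /devicecode and /token endpoints and every identifier is constructed."""
import secrets
import string
import time


class DeviceAuthServer:
    """Minimal stand-in for an authorization server's device endpoints."""

    def __init__(self, interval=5, lifetime=900, clock=time.time):
        self.interval = interval      # minimum seconds between /token polls
        self.lifetime = lifetime      # seconds until a pending grant expires
        self.clock = clock            # injectable so the demo runs instantly
        self.pending = {}             # device_code -> grant state

    def device_authorization(self, client_id, scope):
        """Step 1: the *client* (here, the attacker) requests a code pair.
        user_code is short and meant for a human to type; device_code is the
        secret the requesting client later polls with."""
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        device_code = secrets.token_urlsafe(32)
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "user": None, "created": self.clock(), "last_poll": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",  # assumed
                "interval": self.interval, "expires_in": self.lifetime}

    def user_approves(self, user_code, upn, mfa_passed):
        """Step 2: whoever types user_code on the verification page and passes
        MFA binds *their* identity to the grant. The server has no way to tell
        whether that person is the one who requested the code."""
        if not mfa_passed:
            return False
        for grant in self.pending.values():
            if grant["user_code"] == user_code and grant["user"] is None:
                grant["user"] = upn
                return True
        return False

    def token(self, device_code):
        """Step 3: tokens go to whoever holds device_code, i.e. the requester.
        slow_down handling is simplified (RFC 8628 also grows the interval)."""
        grant = self.pending.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - grant["created"] > self.lifetime:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if grant["last_poll"] is not None and now - grant["last_poll"] < self.interval:
            grant["last_poll"] = now
            return {"error": "slow_down"}
        grant["last_poll"] = now
        if grant["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        # issued_to_user is simulation bookkeeping, not a real token field.
        return {"token_type": "Bearer", "access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "scope": grant["scope"], "issued_to_user": grant["user"]}


def simulate_device_code_phish(victim_upn="victim@example.com"):
    """Drive the exchange with a fake clock: attacker requests, victim approves."""
    t = [1_000_000.0]
    server = DeviceAuthServer(interval=5, lifetime=900, clock=lambda: t[0])
    codes = server.device_authorization(
        client_id="29d9ed98-a469-4536-ade2-f981bc1d605e",   # broker AppId from the report
        scope="https://graph.microsoft.com/.default offline_access")  # assumed scope
    first = server.token(codes["device_code"])      # nobody has approved yet
    t[0] += 1
    early = server.token(codes["device_code"])      # polled faster than interval
    # Phishing page shows user_code; victim enters it on the real page and passes MFA.
    approved = server.user_approves(codes["user_code"], victim_upn, mfa_passed=True)
    t[0] += server.interval
    tokens = server.token(codes["device_code"])     # attacker now holds the victim's tokens
    return {"first": first, "early": early, "approved": approved, "tokens": tokens}


if __name__ == "__main__":
    print(simulate_device_code_phish())
```

Note what the driver does not do: it never sends the victim's password anywhere, and the victim's MFA challenge is genuine. The only control points the server has are the grant lifetime, the polling interval, and whatever policy it evaluates at `token()` time, which is why the mitigations later in this article focus on blocking or conditioning token issuance rather than on the credential.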
Technical Details
The Supply Chain Weaponization
The campaign uses Trustifi, a legitimate enterprise email security platform, as a reputation-laundering proxy. Trustifi's click tracker is used exactly as designed; it simply redirects to attacker infrastructure. Because the link's hostname is trustifi.com, URL-reputation filtering at the gateway passes it; the tracker answers with a 307 redirect to a throwaway Cloudflare Workers subdomain, which serves the kit's encrypted page payload.
eSentire's source-code analysis reveals four continuous fingerprints linking this variant to the original Tycoon2FA codebase:
1. Check Domain architecture — proprietary C2 pattern
2. CryptoJS AES-CBC encryption with hardcoded key/IV ("1234567890123456")
3. Anti-debug stack — F12, dev-tools, right-click suppression, debugger timing traps
4. Base64 XOR HTML wrapping pattern
The kit has evolved: it now encrypts operator session metadata instead of credentials. But the fingerprints are identical, confirming operational continuity.
Evasion Arsenal
The kit's blocklist now includes 230+ vendor names:
- Selenium, Puppeteer, Playwright (browser automation)
- Burp, Frida, Charles Proxy (security tools)
- BrowserStack, Docker, AWS Lambda (cloud/sandbox detection)
- ChatGPT, Claude, Gemini (AI crawlers)
- NordVPN, ExpressVPN, consumer VPNs
- Microsoft Defender, CrowdStrike, Sentinel One, Palo Alto
This indicates active maintenance against current analyst tooling—the attacker is monitoring security industry releases and updating blocklists accordingly.
OAuth Client Impersonation
The operator impersonates Microsoft Authentication Broker (AppId: 29d9ed98-a469-4536-ade2-f981bc1d605e), a legitimate Microsoft first-party application that brokers tokens to:
- Exchange Online
- Microsoft Graph
- OneDrive for Business
- SharePoint
A single successful device-code sign-in yields working tokens for the entire Microsoft 365 surface. In Entra sign-in logs the event is attributed to a routine Microsoft application, so it blends into first-party traffic. It is not invisible: the sign-in is recorded, but you only see it if you filter on the authentication protocol (deviceCode) rather than on the app name.
Infrastructure & Attribution
Operator polling originated from AS45102 (Alibaba Cloud) with Node.js HTTP library signatures (node, undici user agents). The domain pattern shivacrio[.]com/bytecore~tx1j8 matches URLscan hunting regexes published by eSentire's April 2026 infrastructure update, validating detection remains effective.
Lyrie Assessment
This campaign represents three converging attack paradigm shifts Lyrie's audience must internalize:
1. **Password-Free Compromise via Legitimate Auth Flows**
Traditional perimeter defense assumes the password is the gating factor. This attack never needs it: it rides OAuth's device authorization grant, a flow designed for input-constrained clients such as TVs, IoT devices and command-line tools, and turns the legitimate security model against the user.
Defender implication: CISOs overestimate MFA as a complete identity control. MFA is satisfied here, by the victim, on the genuine login page; the failure is that the tokens issued afterwards are delivered to whoever requested the device code. Even phishing-resistant MFA (FIDO2, passkeys) does not help on its own, because origin binding holds: the user really is authenticating to login.microsoftonline.com. The controls that bite act on token issuance, not on the credential: blocking the flow, requiring a compliant device, and revoking sessions quickly.
2. **Supply Chain Exploitation via Trusted Intermediaries**
Trustifi is a legitimate security vendor. The attacker isn't compromising it; they're abusing its design. This mirrors the Canvas breach pattern: "trusted" SaaS becomes an attack vector because:
- Click-tracking is legitimate functionality
- Redirects are expected behavior
- The entry domain is categorized clean
- The attacker's domain has zero reputation history
This is supply-chain weaponization through architectural trust, not vulnerability.
3. **Autonomous Evasion & Real-Time Threat Intelligence**
The 230-vendor blocklist is actively maintained. The operator is monitoring:
- New browser automation frameworks (Playwright updates)
- New threat intelligence tools
- New sandboxes
- LLM crawlers
This suggests automated threat intelligence ingestion—the attacker is likely monitoring security researcher GitHub repos, tool release notes, and adjusting blocklists on a cadence matching industry releases.
The inference: This operation has defensive automation. It's not one person copy-pasting blocklists manually. This is a mature phishing-as-a-service platform with autonomous operational security.
The Lyrie Angle
Autonomous defense systems face a critical vulnerability: the attacker's automation is often faster than the defender's automation. When phishing kits update blocklists against new detection tools in days, and you're still pushing pattern updates monthly, the asymmetry compounds.
Key recommendation for CISOs: don't just monitor Entra logs for deviceCode authentication. Monitor token issuance patterns in general, because the next kit will use a different OAuth flow. The signature isn't the flow; it is successful sign-ins from previously unseen or unmanaged devices, clustered across many users in a short window, where the victim did pass password and MFA but the resulting tokens are then used from addresses and networks that never appear in that user's interactive history.
This is precisely the type of attack that requires agentic AI defense—systems that can:
- Detect anomalous consent grant patterns in real-time
- Correlate Entra/OAuth logs with email gateway logs (phishing detection)
- Revoke malicious OAuth grants before tokens are used
- Hunt for compromised devices in Microsoft 365 (not just accounts)
Manual SOC responses to this attack are too slow.
Recommended Actions
Immediate (Next 7 Days)
1. Audit device code flow usage: determine whether anyone in your tenant legitimately needs it (Azure CLI and PowerShell logins, headless devices, meeting-room hardware). If not, block it with a Conditional Access policy using the Authentication flows condition (device code flow), scoped to all users with your usual break-glass exclusions. There is no standalone tenant toggle for device code flow, and the "Restrict non-admin users from creating tenants" setting is unrelated to it.
2. Hunt Entra logs for deviceCode events. Against the Microsoft Sentinel SigninLogs table the protocol is recorded in the AuthenticationProtocol column, so the hunt reads:
```kusto
// Successful device-code sign-ins from devices that are not in your inventory.
let KnownDevices = datatable(DeviceId:string) ["<known-device-id-1>", "<known-device-id-2>"];
SigninLogs
| where TimeGenerated > ago(30d)
| where AuthenticationProtocol == "deviceCode"
| where ResultType == 0                       // 0 = success
| extend DeviceInfo = parse_json(DeviceDetail)
| extend DeviceId = tostring(DeviceInfo.deviceId)
| where DeviceId !in (KnownDevices)
| project TimeGenerated, UserPrincipalName, AppId, AppDisplayName, IPAddress, DeviceId
```
3. First-party Microsoft apps such as Microsoft Authentication Broker are pre-consented and therefore never appear in consent-grant logs. Look instead for sign-ins by that AppId (29d9ed98-a469-4536-ade2-f981bc1d605e) over the deviceCode protocol, and for new device registrations in the Entra audit log that follow them, over the past 30 days.
4. Email training: the device login page is real, so "check the URL" advice does not work here. Teach one rule instead: a code is only ever typed at microsoft.com/devicelogin when you yourself just started a sign-in on a device or command-line tool. A code delivered by email, chat, or a "verification" web page is a phishing signal no matter how legitimate the destination looks.
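The hunt in step 2 and the clustering logic recommended in the Lyrie Angle above, as an added Python example run over constructed sign-in records. This is not code from the page, from eSentire, or from Microsoft; the records imitate a handful of columns from the Sentinel SigninLogs table (TimeGenerated, UserPrincipalName, AppId, AuthenticationProtocol, ResultType, DeviceDetail.deviceId, IPAddress), and every user, device id, address and the second app id in them is made up. It adds what a single KQL filter does not show: a campaign rule that fires when several distinct users complete device code through unmanaged devices inside one window.

```python
"""Device-code sign-in detection over constructed sample records. Added
example; the log lines below are made up and only mimic SigninLogs columns."""
import json
from datetime import datetime, timedelta

# Microsoft Authentication Broker client id, as named in the eSentire report.
BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"


def _rec(ts, upn, proto, result, device_id, ip, app_id=BROKER_APP_ID):
    """Build one constructed log line shaped like a SigninLogs row."""
    return json.dumps({"TimeGenerated": ts, "UserPrincipalName": upn, "AppId": app_id,
                       "AuthenticationProtocol": proto, "ResultType": result,
                       "DeviceDetail": {"deviceId": device_id}, "IPAddress": ip})


# Constructed sample: one legitimate CLI login from an inventoried device, a
# burst of three users completing device code within ten minutes, one failure,
# one ordinary browser sign-in, and one isolated device-code login hours later.
SAMPLE_SIGNINS = [
    _rec("2026-05-18T09:02:11Z", "alice@example.com", "deviceCode", 0, "dev-known-001", "203.0.113.10"),
    _rec("2026-05-18T09:05:40Z", "bob@example.com",   "deviceCode", 0, "", "198.51.100.7"),
    _rec("2026-05-18T09:09:02Z", "carol@example.com", "deviceCode", 0, "", "198.51.100.7"),
    _rec("2026-05-18T09:14:55Z", "dave@example.com",  "deviceCode", 0, "", "198.51.100.9"),
    _rec("2026-05-18T09:16:30Z", "erin@example.com",  "deviceCode", 50126, "", "198.51.100.7"),
    _rec("2026-05-18T09:20:00Z", "frank@example.com", "none", 0, "dev-known-002", "203.0.113.22",
         app_id="00000000-0000-0000-0000-000000000000"),   # placeholder app id, constructed
    _rec("2026-05-18T15:30:12Z", "grace@example.com", "deviceCode", 0, "", "198.51.100.40"),
]


def parse_signins(lines):
    """Parse JSON log lines into records with a real datetime and a flat device id."""
    out = []
    for line in lines:
        r = json.loads(line)
        r["time"] = datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        r["device_id"] = (r.get("DeviceDetail") or {}).get("deviceId") or ""
        out.append(r)
    return out


def flag_device_code_signins(records, known_devices):
    """Per-event rule: successful device-code sign-in from a device you do not manage."""
    flagged = []
    for r in records:
        if r["AuthenticationProtocol"] != "deviceCode" or r["ResultType"] != 0:
            continue
        if r["device_id"] in known_devices:
            continue          # inventoried device, e.g. a developer using the Azure CLI
        reasons = ["device-code sign-in from a device not in inventory"]
        if r["AppId"] == BROKER_APP_ID:
            reasons.append("client presented as Microsoft Authentication Broker")
        flagged.append({**r, "reasons": reasons})
    return flagged


def find_bulk_clusters(flagged, window=timedelta(hours=1), min_users=3):
    """Campaign rule: several distinct users flagged inside one sliding window.
    One device-code login can be legitimate; three users in an hour through
    unmanaged devices rarely is."""
    events = sorted(flagged, key=lambda r: r["time"])
    clusters, i = [], 0
    while i < len(events):
        j, users = i, set()
        while j < len(events) and events[j]["time"] - events[i]["time"] <= window:
            users.add(events[j]["UserPrincipalName"])
            j += 1
        if len(users) >= min_users:
            clusters.append({"start": events[i]["TimeGenerated"],
                             "end": events[j - 1]["TimeGenerated"],
                             "users": sorted(users),
                             "source_ips": sorted({e["IPAddress"] for e in events[i:j]})})
            i = j                     # consume the cluster and keep scanning
        else:
            i += 1
    return clusters


def analyze(lines, known_devices):
    """Run both rules; returns per-event findings and campaign-level clusters."""
    flagged = flag_device_code_signins(parse_signins(lines), known_devices)
    return {"flagged": flagged, "clusters": find_bulk_clusters(flagged)}


if __name__ == "__main__":
    result = analyze(SAMPLE_SIGNINS, {"dev-known-001", "dev-known-002"})
    for r in result["flagged"]:
        print(r["TimeGenerated"], r["UserPrincipalName"], "; ".join(r["reasons"]))
    for c in result["clusters"]:
        print("BULK:", c["start"], "to", c["end"], c["users"], c["source_ips"])
```

The per-event rule alone would page you for grace's single afternoon login, which may well be a contractor on a new laptop; the cluster rule is what separates a campaign (bob, carol and dave within ten minutes, two of them from the same address) from noise. Feed it the export of the KQL hunt above and tune `window` and `min_users` to your tenant's baseline.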
Short-Term (Next 30 Days)
5. Require admin approval for OAuth consent (admin consent workflow, with user consent disabled for all apps). This closes the classic consent-phishing route but does not affect this campaign, because the impersonated client is a pre-consented Microsoft first-party app; pair it with the device code flow block above.
6. Enable Continuous Access Evaluation (CAE). CAE is not token binding: it lets Exchange, SharePoint, Teams and Graph reject a still-valid access token within minutes of a critical event such as the user being disabled, a password reset, or an explicit session revocation. It shortens the attacker's window once you respond; it does not stop the initial issuance, and the refresh token must still be revoked explicitly (the revokeSignInSessions Graph action, Revoke-MgUserSignInSession in the Graph PowerShell SDK) as part of the playbook.
7. Configure compliant device policies — restrict Microsoft 365 access to managed devices or require Intune enrollment.
8. Monitor Trustifi URLs in email gateway — if Trustifi isn't actively used in your org, block events.trustifi.com entirely.
Strategic (60+ Days)
9. Implement anomaly-based OAuth detection — flag clusters of device-code or consent events across many users in a short window, unusual app permissions (e.g., Graph read-all scopes), and sign-ins over legacy authentication protocols.
10. Establish OAuth token revocation playbooks — train your SOC to revoke malicious grants immediately upon detection. Include customer notification if you're an MSP.
11. Deploy agentic threat response — consider AI-driven correlation of email gateway logs → OAuth consent logs → device registration logs, with autonomous remediation for high-confidence incidents.
Sources
1. BleepingComputer — "Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing" (May 17, 2026): https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/
2. eSentire Threat Response Unit — "Tycoon 2FA Operators Adopt OAuth Device Code Phishing" (May 12, 2026): https://www.esentire.com/blog/tycoon-2fa-operators-adopt-oauth-device-code-phishing
3. Push Security — "Device code phishing attacks surge 37x as new kits spread online": https://www.bleepingcomputer.com/news/security/device-code-phishing-attacks-surge-37x-as-new-kits-spread-online/
4. Proofpoint — "Device Code Phishing Evolution & Identity Takeover": https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover
Lyrie.ai Cyber Research Division
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.