
Phishing kit bypasses Microsoft 365 2FA
TL;DR: A phishing kit named Tycoon2FA has been updated to bypass two-factor authentication on Microsoft 365 accounts. It uses a technique called device-code phishing and abuses legitimate click-tracking URLs to evade detection, posing a significant threat to organizations using Microsoft's cloud services.
Key facts
- Category: Cybersecurity
- Impact: Low
- Published
- Source: BleepingComputer
Full summary
A sophisticated phishing kit is now using a new method to bypass two-factor authentication and hijack Microsoft 365 accounts.
A phishing kit known as Tycoon2FA has been updated with a new technique to hijack Microsoft 365 accounts, even those protected by two-factor authentication. The kit now employs a method called device-code phishing, which tricks users into granting an attacker access to their account. The attack begins with a phishing email containing a QR code or a link. When a user interacts with it, they are prompted to authenticate. This process generates a device code that the user is then tricked into entering on a legitimate Microsoft login page, inadvertently authorizing the attacker's device and giving them access to the account's session token. To evade detection, the operation also abuses the click-tracking URLs of a legitimate email security company, redirecting victims through multiple layers before reaching the final malicious page.
This development is significant because it effectively bypasses a security measure that many organizations consider a primary defense against account takeovers. By circumventing multi-factor authentication, the Tycoon2FA kit poses a serious threat to any business using the Microsoft 365 ecosystem. The attack is designed to steal session cookies, which can give attackers persistent access to an account, allowing them to read emails, access sensitive files, and potentially launch further attacks within the organization. The sophisticated, multi-stage nature of the attack, combined with its use of legitimate services for obfuscation, makes it particularly difficult for both users and automated security systems to detect.
Why it matters
This phishing kit bypasses multi-factor authentication, a critical security layer for many businesses, making it a significant threat to organizations using Microsoft 365 for daily operations.
Business impact
A successful attack can lead to account takeovers, data breaches, financial loss, and further infiltration of corporate networks. It undermines trust in standard security measures like 2FA.
⚡ Action needed
Security teams should review their defenses against device-code phishing and educate users on this emerging threat vector targeting Microsoft 365 accounts.
Action checklist
1. Educate users to be suspicious of unexpected login prompts, especially those involving device codes or QR codes.
2. Review Microsoft 365 and Azure AD sign-in logs for unusual device authentications or locations.
3. Implement conditional access policies to restrict or monitor sign-ins from unmanaged or non-compliant devices.
4. Consider deploying phishing-resistant MFA, such as FIDO2 security keys, for high-privilege accounts.
5. Ensure email security gateways are configured to detect and block sophisticated phishing attempts.
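As an added example of the sign-in log review in the checklist above (not code from the article or from BleepingComputer), the script below triages a constructed export of Entra ID sign-in records and flags the device-code authentications that device-code phishing produces, rating those from a country the user has no ordinary sign-in from as higher priority. The field names (`authenticationProtocol`, `deviceDetail`, `location`, `ipAddress`) follow the Microsoft Graph sign-in schema as I understand it and are assumptions to adjust to your export format.

```python
# Added example: triage constructed Entra ID / Microsoft 365 sign-in records for
# device-code authentications. Field names are assumptions based on the Microsoft
# Graph signIn schema; adjust them to match your own log export.
import json
from collections import defaultdict

# Constructed sample export: two ordinary browser sign-ins, one device-code sign-in
# from a country the user normally signs in from, and one from an unfamiliar country.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "authorizationCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"deviceId": "dev-001", "browser": "Edge"}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"deviceId": "", "browser": ""}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"deviceId": "", "browser": ""}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "authorizationCode",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"deviceId": "dev-002", "browser": "Chrome"}},
])


def device_code_findings(signins_json: str) -> list:
    """Return one finding per device-code sign-in. Severity is HIGH when the sign-in comes
    from a country the same user has no non-device-code sign-in from in this export,
    otherwise MEDIUM. HIGH findings are listed first."""
    events = json.loads(signins_json)
    baseline = defaultdict(set)  # user -> countries seen on ordinary sign-ins
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            baseline[e["userPrincipalName"]].add(e.get("location", {}).get("countryOrRegion"))
    findings = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        user = e["userPrincipalName"]
        country = e.get("location", {}).get("countryOrRegion")
        # Device-code phishing ends with a device-code sign-in to the victim's account;
        # one with no registered device and an unfamiliar country gets the first look.
        severity = "HIGH" if country not in baseline[user] else "MEDIUM"
        findings.append({"user": user, "ip": e.get("ipAddress"), "country": country,
                         "deviceId": e.get("deviceDetail", {}).get("deviceId") or None,
                         "severity": severity})
    return sorted(findings, key=lambda f: f["severity"] != "HIGH")


if __name__ == "__main__":
    for finding in device_code_findings(SAMPLE_SIGNINS):
        print(finding)
```

The baseline here is only what the export itself contains; in practice build it from a longer window of sign-in history before rating any device-code sign-in.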
Tags
Primary source: BleepingComputer