Threat: Tycoon2FA

Google Workspace Device Registration After OAuth from Suspicious ASN

May 18, 2026 · Domain: Cloud Data Source: Google Workspace Use Case: Threat Detection Tactic: Persistence Tactic: Initial Access Threat: Tycoon2FA Resources: Investigation Guide ·

Share on:

Detects when a Google Workspace account completes OAuth authorization for a specific Google OAuth client from a high-risk autonomous system number (ASN), followed within 30 seconds by a device registration event with account state REGISTERED. This sequence can indicate device enrollment or join flows initiated from attacker-controlled or residential-proxy infrastructure after a user authorizes a sensitive client.

Entra ID OAuth Device Code Phishing via AiTM

May 18, 2026 · Domain: Cloud Domain: Identity Data Source: Azure Data Source: Microsoft Entra ID Data Source: Microsoft Entra ID Sign-in Logs Use Case: Threat Detection Threat: Tycoon2FA Tactic: Initial Access Resources: Investigation Guide ·

Share on:

Detects successful Microsoft Entra ID sign-ins that use the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources (Exchange Online, Microsoft Graph, or SharePoint) while flagged as interactive. This pattern is associated with adversary-in-the-middle (AiTM) phishing kits such as Tycoon 2FA, where victims complete device code flows that ultimately broker tokens for mail and collaboration APIs.

Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)

May 18, 2026 · Domain: Cloud Domain: Identity Data Source: Azure Data Source: Microsoft Entra ID Data Source: Microsoft Entra ID Sign-in Logs Use Case: Threat Detection Threat: Tycoon2FA Tactic: Initial Access Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Detects Microsoft Entra ID sign-ins consistent with Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity: the Microsoft Authentication Broker requesting tokens for Microsoft Graph or Exchange Online, or the Office web client application authenticating to itself, combined with Node.js-style user agents (node, axios, undici). Tycoon 2FA bypasses MFA by relaying authentication and capturing session material, often targeting Microsoft 365 and Gmail. Baseline legitimate automation and developer tooling before tuning.

M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)

May 18, 2026 · Domain: Cloud Domain: Identity Domain: SaaS Data Source: Microsoft 365 Data Source: Microsoft 365 Audit Logs Use Case: Threat Detection Threat: Tycoon2FA Tactic: Initial Access Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Detects Microsoft 365 audit "UserLoggedIn" events consistent with Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity: the Microsoft Authentication Broker requesting access where the object identifier matches Microsoft Graph or Exchange Online, or the Office web client application authenticating to itself, combined with Node.js-style user agents (node, axios, undici). Tycoon 2FA bypasses MFA by relaying authentication and capturing session material, often targeting Microsoft 365 and Gmail. Baseline legitimate automation and developer tooling before tuning.