
A phishing kit called Tycoon2FA has been upgraded with a new trick that gets around the multi-factor codes Microsoft sends to your phone. It does not break the codes; it gets you to complete the MFA step on the attacker's behalf. Instead of stealing your password, attackers send you a fake email with a link that eventually lands on Microsoft's genuine device-login page and asks you to type in a short code. The moment you do and approve the sign-in, the attackers gain full access to your email, Word documents and OneDrive files, without ever learning your password. Microsoft 365 device-code phishing attacks have risen 37-fold this year compared to last year.
The scheme works because Microsoft supports a legitimate "device code" sign-in flow (the OAuth 2.0 device authorization grant, RFC 8628), designed for devices without a keyboard or browser, such as smart TVs and printers. Attackers start that flow themselves, receive a real code from Microsoft, embed it in a phishing email and wait for you to enter it on the real Microsoft page and finish signing in, MFA prompt included. Microsoft then hands the access and refresh tokens for your account to whoever started the flow, which is the attacker. The code itself is only valid for a short time (Microsoft's expire after 15 minutes), so the lure is timed or the code is generated on demand, but the refresh token the attackers receive is long-lived and keeps working until it is revoked, letting them read your email and move files without signing in again.
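The exchange described above, as an added example that is not part of the original article and not Microsoft's code: a self-contained model of the OAuth 2.0 device authorization grant (RFC 8628) with all three parties (attacker, victim, authorization server). The endpoint name, code format, lifetimes and token strings are illustrative assumptions, not Microsoft's real values. The point it makes is that the password and MFA proof go only to the server, while the tokens go to whoever holds the device_code.

```python
import secrets
import string

# Illustrative constants (assumptions for this example, not Microsoft's values).
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits
VERIFICATION_URI = "https://login.example/devicelogin"


class DeviceAuthServer:
    """Toy authorization server implementing the RFC 8628 device code grant."""

    def __init__(self, code_lifetime=900, poll_interval=5):
        self.code_lifetime = code_lifetime   # seconds a user_code stays valid
        self.poll_interval = poll_interval   # minimum seconds between token polls
        self.records = {}                    # device_code -> authorization record
        self.by_user_code = {}               # user_code -> device_code

    def device_authorization(self, client_id, scope, now):
        """Step 1 (attacker): request a code pair. No credentials are needed."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self.records[device_code] = {
            "client_id": client_id, "scope": scope, "status": "pending",
            "subject": None, "expires_at": now + self.code_lifetime, "last_poll": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.code_lifetime, "interval": self.poll_interval}

    def verify_user_code(self, user_code, username, password_ok, mfa_ok, now):
        """Step 2 (victim): type the code on the genuine page and sign in with
        password and MFA. Only the server ever sees those credentials."""
        rec = self.records.get(self.by_user_code.get(user_code))
        if rec is None or now > rec["expires_at"]:
            return "invalid_or_expired_code"
        if not (password_ok and mfa_ok):
            return "authentication_failed"
        rec["status"], rec["subject"] = "approved", username
        return "approved"

    def token(self, device_code, now):
        """Step 3 (attacker): poll the token endpoint until the victim approves."""
        rec = self.records.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if now > rec["expires_at"]:
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.poll_interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["status"] != "approved":
            return {"error": "authorization_pending"}
        # The tokens carry the victim's identity but are delivered to the
        # holder of device_code, i.e. the party that started the flow.
        return {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16),
                "subject": rec["subject"]}


def run_device_code_phish(victim="victim@example.com", victim_completes_mfa=True):
    """Walk through the whole attack with a fake clock and return each outcome."""
    server = DeviceAuthServer()
    t = 0
    # Attacker starts the flow and gets a real user_code to paste into the lure email.
    start = server.device_authorization("mail-client", "Mail.Read Files.ReadWrite", t)
    t += 5
    first_poll = server.token(start["device_code"], t)          # authorization_pending
    # Victim opens the lure, lands on the real page, types the code, completes MFA.
    t += 60
    outcome = server.verify_user_code(start["user_code"], victim, True,
                                      victim_completes_mfa, t)
    t += 5
    final = server.token(start["device_code"], t)               # tokens, if approved
    return {"first_poll": first_poll, "victim_outcome": outcome, "final": final}


if __name__ == "__main__":
    print(run_device_code_phish())
```

Note what never happens in this exchange: the attacker never sends a password or an MFA code to the server. The victim does both, on the real site, and the only thing the attacker needed was to be the party that called the device authorization endpoint first.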
How to check if you’re affected
Any Microsoft account can be targeted: personal Outlook.com accounts as well as work or school (Microsoft 365) accounts. If you recently typed a code from an email into a Microsoft sign-in page, or approved a sign-in prompt you did not start yourself, treat the account as compromised until you have checked:
- Review recent sign-ins. For a personal account, go to account.microsoft.com → Security → Sign-in activity; for a work or school account, go to mysignins.microsoft.com → Recent activity. Look for sign-ins from unfamiliar countries, devices or apps in the last 7 days, especially around the time you entered the code.
- If anything looks wrong, change your password and sign out of every session (personal accounts have a sign-out-everywhere option under Security; for a work or school account ask your administrator to revoke your sign-in sessions). Do both: the attackers hold tokens rather than your password, so revoking sessions is what actually cuts off their access.
- If the account is managed by your employer or school, contact the IT department. Administrators can see the same events in the Entra ID sign-in logs (device-code sign-ins are recorded with the authentication protocol "Device code"), revoke the user's refresh tokens, and block the device code flow for users who do not need it with a Conditional Access policy that uses the authentication flows condition.
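For administrators, the sign-in review above can be automated over exported Entra ID sign-in records. The following is an added example, not code from the original article or from Microsoft: it flags successful device-code sign-ins in a lookback window and raises the severity when the country does not appear in that user's other successful sign-ins. The records are constructed for the example in the (trimmed) shape of the Microsoft Graph signIn resource; the user names, addresses and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (Microsoft Graph signIn shape, trimmed to
# the fields used here). Not real log data.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-20T08:02:11Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "status": {"errorCode": 0}},
    # Alice's account used via device code from a country she never signs in from.
    {"createdDateTime": "2024-05-21T14:37:52Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NG"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-19T09:15:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    # Bob used device code from his usual country: worth a look, but lower severity.
    {"createdDateTime": "2024-05-21T16:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "192.0.2.45", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    # Carol's device-code sign-in is outside the 7-day window.
    {"createdDateTime": "2024-05-01T11:00:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.99", "location": {"countryOrRegion": "DE"},
     "status": {"errorCode": 0}},
    # Dave's attempt failed (non-zero errorCode): no token was issued.
    {"createdDateTime": "2024-05-21T18:20:00Z", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.200", "location": {"countryOrRegion": "BR"},
     "status": {"errorCode": 50126}},
]


def parse_time(stamp):
    """Parse the ISO 8601 'Z' timestamps Graph emits into aware datetimes."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def find_device_code_signins(signins, now, lookback_days=7):
    """Return successful device-code sign-ins within the window, with a severity
    based on whether the source country is new for that user."""
    window_start = now - timedelta(days=lookback_days)

    # Baseline: countries seen in each user's successful non-device-code sign-ins.
    baseline = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["authenticationProtocol"] != "deviceCode":
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])

    flagged = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        if s["status"]["errorCode"] != 0:          # failed attempt, no token issued
            continue
        if parse_time(s["createdDateTime"]) < window_start:
            continue
        upn = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        reasons = ["device code flow used"]
        severity = "medium"
        if country not in baseline[upn]:
            reasons.append(f"country {country} not in user's baseline")
            severity = "high"
        flagged.append({"user": upn, "time": s["createdDateTime"], "ip": s["ipAddress"],
                        "app": s["appDisplayName"], "country": country,
                        "severity": severity, "reasons": reasons})
    return sorted(flagged, key=lambda f: (f["severity"] != "high", f["user"]))


if __name__ == "__main__":
    for hit in find_device_code_signins(SAMPLE_SIGNINS, datetime(2024, 5, 22, tzinfo=timezone.utc)):
        print(hit["severity"], hit["user"], hit["time"], hit["country"], "; ".join(hit["reasons"]))
```

Every hit, not only the high-severity ones, deserves a follow-up: an attacker who already knows the victim's home country will use a proxy there, and a device-code sign-in from a user who has no keyboard-less device to register is unusual regardless of location.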
