Financial Spear Phishing Digest

OAuth/OIDC consent & token abuse + QR AiTM escalation

Key Questions

How does Tycoon2FA perform M365 hijacks and bypass MFA?

Tycoon2FA abuses the legitimate OAuth device-code flow (the device authorization grant) to hijack Microsoft 365 accounts. The attacker starts the flow and lures the victim into completing sign-in, MFA included, on Microsoft's genuine login page; the attacker's polling client then receives the issued tokens. Because the victim never enters credentials on an attacker-controlled page, the flow satisfies MFA and does not trigger the usual phishing detections.

What trends are reported for Microsoft QR code threats?

Reported Microsoft-themed QR code threats rose 146%, to 8.3 billion in Q1, and are increasingly combined with adversary-in-the-middle (AiTM) techniques.

Which campaigns are linked to MFA bypass and cookie theft?

EvilTokens, VENOM, Tycoon, and UNC6692 are linked to MFA bypass, cookie theft, and impersonation of Teams and SNOW; they also rely on OAuth/OIDC consent and token abuse.

Microsoft QR threats +146% (8.3B in Q1); Barracuda: 70% malicious PDFs, 90% AI kits. EvilTokens/VENOM/Tycoon/UNC6692: MFA bypass, cookie theft, Teams/SNOW impersonation. Tycoon2FA abuses legitimate OAuth device-code flows. New: unauthenticated Azure AD enumeration and novel device-code attack vectors (red-team tested TTPs and defenses).
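The device-code abuse summarized above and in the Tycoon2FA question, as an added example that is not code from the digest, from Tycoon2FA, or from Microsoft: a self-contained simulation of the RFC 8628 device authorization grant with the attacker and victim roles played out, followed by a detection pass over the sign-in records it produces. The IdP class, IP addresses, client_id, user name and log record layout are all constructed assumptions for this example; only the `authenticationProtocol` field name mirrors the real Entra ID sign-in log field (value `deviceCode`).

```python
"""Device authorization grant (RFC 8628) abuse, simulated end to end, plus a
detection pass over the resulting sign-in events.

Added example for this digest, not code from Tycoon2FA, Microsoft or any
vendor. The attacker starts the flow, the victim completes password and MFA
on the legitimate verification page, and the attacker's poller receives the
tokens. All IPs, names, the client_id and the log layout are constructed.
"""
import secrets

ATTACKER_IP = "203.0.113.10"      # constructed: where the kit polls from
VICTIM_IP = "198.51.100.7"        # constructed: the victim's browser
CORP_EGRESS = {"198.51.100.7"}    # constructed allow-list of known egress IPs


class AuthorizationServer:
    """Toy identity provider exposing the three device-flow touch points."""

    def __init__(self, verification_uri="https://login.example/device"):
        self.verification_uri = verification_uri
        self._pending = {}       # device_code -> flow state
        self.sign_in_log = []    # constructed stand-in for IdP sign-in logs

    def device_authorization(self, client_id, client_ip):
        """Step 1: the client (here, the attacker) asks for a device code.
        The request carries no user credential at all."""
        device_code = secrets.token_urlsafe(24)
        user_code = "%04d-%04d" % (secrets.randbelow(10**4), secrets.randbelow(10**4))
        self._pending[device_code] = {
            "client_id": client_id, "client_ip": client_ip,
            "user_code": user_code, "user": None, "browser_ip": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri, "interval": 5}

    def user_authorize(self, user_code, user, mfa_passed, browser_ip):
        """Step 2: the victim types the user code at verification_uri and signs
        in normally. MFA is genuinely satisfied on the real IdP, which is why
        MFA alone does not stop the attack."""
        if not mfa_passed:
            return False
        for flow in self._pending.values():
            if flow["user_code"] == user_code and flow["user"] is None:
                flow["user"], flow["browser_ip"] = user, browser_ip
                return True
        return False

    def token(self, device_code):
        """Step 3: the client polls the token endpoint. Once the user has
        authorized, tokens go to whoever holds the device_code."""
        flow = self._pending.get(device_code)
        if flow is None:
            return {"error": "invalid_grant"}
        if flow["user"] is None:
            return {"error": "authorization_pending"}
        # 'authenticationProtocol' mirrors the Entra sign-in log field; the
        # remaining record fields are assumed for this example.
        self.sign_in_log.append({
            "user": flow["user"], "clientId": flow["client_id"],
            "authenticationProtocol": "deviceCode",
            "ipAddress": flow["client_ip"],        # token recipient
            "userBrowserIp": flow["browser_ip"],   # where MFA was completed
            "mfa": True,
        })
        del self._pending[device_code]
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8)}


def simulate_attack():
    """Walk the three steps as a device-code phishing kit would. Returns the
    server (for its log) and the token response the attacker ends up with."""
    idp = AuthorizationServer()
    # The client_id is a placeholder for a first-party app (assumption).
    init = idp.device_authorization("first-party-client-id", ATTACKER_IP)
    # Before the victim acts, polling only yields authorization_pending.
    assert idp.token(init["device_code"]) == {"error": "authorization_pending"}
    # The lure (mail, Teams message or QR code) carries init["user_code"] and
    # the genuine verification_uri, so the victim sees a real login page.
    idp.user_authorize(init["user_code"], "alice@corp.example",
                       mfa_passed=True, browser_ip=VICTIM_IP)
    return idp, idp.token(init["device_code"])


def flag_device_code_sign_ins(sign_in_log, known_egress=CORP_EGRESS):
    """Detection pass: a device-code sign-in whose token recipient is off the
    known egress set, or differs from the browser that satisfied MFA, is
    returned as (user, reasons)."""
    findings = []
    for rec in sign_in_log:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if rec["ipAddress"] not in known_egress:
            reasons.append("token issued to unknown IP %s" % rec["ipAddress"])
        if rec.get("userBrowserIp") and rec["userBrowserIp"] != rec["ipAddress"]:
            reasons.append("MFA completed from %s, tokens delivered to %s"
                           % (rec["userBrowserIp"], rec["ipAddress"]))
        if reasons:
            findings.append((rec["user"], reasons))
    return findings


if __name__ == "__main__":
    idp, tokens = simulate_attack()
    print("attacker holds:", sorted(tokens))
    for user, reasons in flag_device_code_sign_ins(idp.sign_in_log):
        print(user, "->", "; ".join(reasons))
```

The simulation shows the defensive point directly: the MFA prompt the victim answers is real, so a control that only checks "was MFA satisfied" passes this sign-in. Practical mitigations are to block the device code flow for users who do not need it (in Entra ID, a Conditional Access policy with the authentication flows condition), and to alert on sign-ins where `authenticationProtocol` is `deviceCode` from addresses outside known egress, as the detection function above does on its constructed records.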

Sources (2)
Updated May 23, 2026