Summary
- Barracuda observed attacks using genuine Microsoft login flows, Tycoon 2FA, device-code phishing, split-click buttons, and malware delivery.
- The techniques target session tokens, OAuth permissions, calendar invites, PDFs, browser-generated pages, and short-lived infrastructure.
- Identity compromise now requires monitoring beyond passwords, email-body links, and user training alone.
Barracuda says recent email threats are moving beyond conventional credential theft, with campaigns targeting session tokens, OAuth permissions, device-code workflows, calendar invites, PDF attachments, split-click links, and malware delivery.
The company’s June 2026 Email Threat Radar describes several techniques observed by its researchers. One campaign used a genuine Microsoft login page rather than a spoofed page, routing the interaction through the Tycoon 2FA phishing-as-a-service platform to capture session tokens and access permissions. Victims received a mailbox warning and a calendar invite linked to the login flow, followed by a second fake page designed to steal the password.
Barracuda also describes PDF-based device-code phishing, where suspicious links are removed from the email body and placed inside attachments. In the campaign observed, the email referred to compliance or payment issues, while the PDF link led to a fake device authentication flow. The phishing pages used CAPTCHA to frustrate automated analysis and self-expiring infrastructure to limit post-incident investigation.
A separate Sneaky 2FA campaign used a split-click button. The top half opened a legitimate Microsoft page, while the bottom half triggered a malicious redirect through a blob URL to a phishing page. Barracuda says the technique can evade automated link analysis by showing testing tools the safe outcome.
The report also notes a shift from credential capture towards malware delivery in some phishing campaigns. Barracuda describes malicious JavaScript disguised as a PDF, steganographic techniques, fileless malware execution, and multi-step Microsoft impersonation flows using fake OneDrive and Excel login pages.
Email security can no longer be measured only by whether a user recognises a fake login page. Attackers are abusing genuine identity infrastructure, legitimate-looking OAuth flows, calendar features, attachments, browser-generated pages, and short-lived hosting. Detection has to extend beyond the message body and into identity telemetry, session behaviour, attachment inspection, endpoint execution, and rapid revocation of stolen tokens.
Microsoft 365 environments are particularly exposed to this pattern because email, files, identity, calendars, and collaboration tools are tightly connected. A stolen session token or OAuth grant can provide access without the attacker repeatedly using the victim’s password. If refresh tokens or delegated permissions are captured, persistence can remain after a password reset unless sessions are revoked and malicious applications are removed.
Controls need to focus on identity and behaviour. Phishing-resistant MFA, conditional access, suspicious OAuth consent monitoring, session revocation, device-code restrictions, attachment detonation, and endpoint controls all have a role. Training remains useful, but it cannot carry attacks that use real domains, legitimate workflows, and interaction tricks designed to fool scanners as well as users.
Email, identity, endpoint, and cloud investigations often examine different parts of the same attack. Campaigns that move from calendar invites to Microsoft login flows, PDFs, browser blobs, and in-memory payloads require joined-up telemetry and response authority. Password resets alone are no longer enough to contain identity-led phishing.





