FlagThis

The Tycoon2FA Phishing-as-a-Service (PhaaS) platform, notorious for its ability to bypass multi-factor authentication (MFA) on Microsoft 365 and Gmail accounts, has been updated with new techniques designed to evade detection. This phishing kit targets Microsoft 365 users with advanced methods to slip past endpoint and security protections. These updates enhance the kit's stealth capabilities, posing a significant threat to organizations relying on MFA for security.

New evasion techniques have been implemented, including the use of invisible Unicode characters to conceal binary data within JavaScript. This method allows the payload to be decoded and executed during runtime while avoiding static pattern-matching analysis. Tycoon2FA also employs a custom CAPTCHA rendered via HTML5 canvas and anti-debugging scripts to further complicate analysis and delay script execution, making it difficult for security systems to identify and block the phishing attempts.

The Tycoon2FA phishing kit utilizes Adversary-in-the-Middle (AiTM) tactics to intercept communications between users and legitimate services, capturing session cookies to bypass MFA protections. This allows attackers to gain unauthorized access even if credentials are changed, because the captured session cookies circumvent MFA access controls during subsequent authentication attempts. The improvements made to the Tycoon2FA kit highlight the increasing sophistication of phishing campaigns and the importance of implementing advanced security measures to protect against these evolving threats.

ImgSrc: www.bleepstatic

References :

• cyberpress.org: Tycoon 2FA Phishing Kit Deploys New Tactics to Bypass Endpoint Detection Systems
• gbhackers.com: Tycoon 2FA Phishing Kit Uses Advanced Evasion Techniques to Bypass Endpoint Detection Systems
• The DefendOps Diaries: Understanding and Mitigating the Tycoon2FA Phishing Threat
• www.bleepingcomputer.com: Tycoon2FA phishing kit targets Microsoft 365 with new tricks
• SpiderLabs Blog: Tycoon2FA New Evasion Technique for 2025
• Cyber Security News: The Tycoon 2FA phishing kit has undergone a significant evolution in its tactics, introducing sophisticated evasion techniques to bypass endpoint detection systems and scrutiny from analysts.
• BleepingComputer: Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities.
• www.bleepingcomputer.com: Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities.
• Daily CyberSecurity: A recent report by SentinelLABS sheds light on a sophisticated phishing-as-a-service (PhaaS) operation called Tycoon 2FA, known for targeting Microsoft 365 and Gmail accounts while bypassing multi-factor authentication (MFA).
• securityaffairs.com: SecurityAffairs article on Tycoon2FA phishing kit rolling out significant updates
• www.scworld.com: SCWorld brief on Stealthier Tycoon2FA phishing kit appearing as PhaaS platforms fueling SVG exploitation
• www.scworld.com: Tycoon 2FA phishing kit adds stealth, expands to mobile devices

Classification:

• HashTags: #Tycoon2FA #PhishingAttacks #MFABypass
• Company: Trustwave
• Target: Microsoft 365, Gmail users
• Attacker: Tycoon2FA
• Product: Gmail, Microsoft 365
• Feature: HTML5 canvas
• Malware: Tycoon2FA
• Type: Hack
• Severity: High