CyberSecurity news


@www.trustwave.com
Trustwave researchers have uncovered a large-scale phishing campaign in which the Dadsec group is using the Tycoon2FA infrastructure to steal Office365 credentials. Dadsec, also tracked as Storm-1575, operates a Phishing-as-a-Service (PhaaS) platform and has been leveraging Tycoon2FA to target Microsoft 365 users since at least September 2023. The campaign shows how phishing tradecraft has evolved: advanced evasion techniques are combined with infrastructure shared between kits, pointing to a coordinated PhaaS ecosystem rather than isolated operators.

Recent investigations show a technical and operational overlap between Dadsec and Tycoon2FA, suggesting a convergence of methods. The campaigns typically lure victims with fake shared-document or urgent-action notifications that redirect them to carefully crafted phishing sites mimicking the Office365 login page. The sites operate as an adversary-in-the-middle (AiTM) proxy between the victim and the real Microsoft login flow: the victim's password and MFA response are relayed to Microsoft in real time, so the victim completes MFA legitimately while the attacker captures the session cookie that comes back. Replaying that cookie gives the attacker an authenticated session without the password or a second factor, which is how MFA is bypassed. Only phishing-resistant MFA (FIDO2 security keys or passkeys), where the authenticator binds its response to the origin the browser is actually on, closes this gap; OTP and push-based MFA are relayed just like the password.
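The relay described above, as an added, constructed model rather than any Tycoon2FA or Dadsec code: a toy identity provider (IdP) issues a session cookie after password plus OTP, and a phishing proxy forwards the victim's real login and keeps the cookie. A second login path models an origin-bound authenticator in the FIDO2 style, where the signed response includes the origin the browser is on, so the same proxy fails. The origins, user, secrets and the HMAC standing in for a public-key signature are all assumptions made for the example.

```python
"""Toy model of adversary-in-the-middle (AiTM) credential phishing.

Constructed example, not Tycoon2FA or Dadsec code. A fake IdP issues a
session cookie after password + OTP; a phishing proxy relays the victim's
real login and keeps the cookie. A second method models an origin-bound
authenticator (FIDO2-style): the authenticator signs the origin the
browser is actually on, so a login relayed through a phishing domain is
rejected. The HMAC "signature" stands in for a public-key signature.
"""
import hashlib
import hmac
import secrets

IDP_ORIGIN = "https://login.example"        # assumed real IdP origin
PHISH_ORIGIN = "https://l0gin-example.ru"   # assumed phishing origin


class IdP:
    def __init__(self):
        self.users = {}     # username -> {"password", "otp", "auth_key"}
        self.sessions = {}  # cookie -> username

    def register(self, username, password, otp, auth_key):
        self.users[username] = {"password": password, "otp": otp, "auth_key": auth_key}

    def _issue(self, username):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def login_otp(self, username, password, otp):
        """Classic MFA: anything the victim types can be relayed by a proxy."""
        u = self.users.get(username)
        if not u or not hmac.compare_digest(u["password"], password) \
                or not hmac.compare_digest(u["otp"], otp):
            return None
        return self._issue(username)

    def challenge(self):
        return secrets.token_hex(16)

    def login_bound(self, username, challenge, origin, signature):
        """Accept only a signature over (challenge, the IdP's own origin)."""
        u = self.users.get(username)
        if not u or origin != IDP_ORIGIN:
            return None
        expected = hmac.new(u["auth_key"], f"{challenge}|{origin}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue(username)

    def whoami(self, cookie):
        return self.sessions.get(cookie)


def authenticator_sign(auth_key, challenge, origin):
    """Models a FIDO2 authenticator: it signs the origin the browser reports."""
    return hmac.new(auth_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class AiTMProxy:
    """Phishing site that relays each step to the real IdP and keeps the cookie."""
    def __init__(self, idp):
        self.idp = idp
        self.captured = []  # session cookies seen on the way back to the victim

    def relay_otp(self, username, password, otp):
        cookie = self.idp.login_otp(username, password, otp)  # victim completes MFA for real
        if cookie:
            self.captured.append(cookie)
        return cookie  # victim lands in a genuine session, nothing looks wrong

    def relay_bound(self, username, auth_key):
        challenge = self.idp.challenge()
        # the victim's browser is on the phishing origin, so that is what gets signed
        sig = authenticator_sign(auth_key, challenge, PHISH_ORIGIN)
        # the proxy forwards the signature and claims the real origin
        cookie = self.idp.login_bound(username, challenge, IDP_ORIGIN, sig)
        if cookie:
            self.captured.append(cookie)
        return cookie


def run_scenario():
    idp = IdP()
    key = secrets.token_bytes(32)
    idp.register("alice", "hunter2", "123456", key)
    proxy = AiTMProxy(idp)

    # 1. password + OTP through the proxy: MFA satisfied, cookie stolen and replayable
    victim_cookie = proxy.relay_otp("alice", "hunter2", "123456")
    stolen = proxy.captured[0]

    # 2. origin-bound authenticator through the same proxy: IdP rejects
    bound_cookie = proxy.relay_bound("alice", key)

    # 3. same authenticator used directly on the real origin: succeeds
    ch = idp.challenge()
    direct = idp.login_bound("alice", ch, IDP_ORIGIN, authenticator_sign(key, ch, IDP_ORIGIN))

    return {
        "victim_session_valid": idp.whoami(victim_cookie) == "alice",
        "stolen_cookie_replays": idp.whoami(stolen) == "alice",
        "aitm_defeats_bound_auth": bound_cookie is not None,
        "direct_bound_login_ok": direct is not None,
    }
```

The point of the second path is that the origin lives inside the signed data, so the proxy cannot substitute the real origin without invalidating the signature; binding a session to the client IP would not help, because the IdP already sees the proxy as the client during the victim's login.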

Detailed analysis shows that domains used in both Dadsec and Tycoon2FA campaigns consistently resolve to infrastructure in shared Autonomous Systems, notably AS19871. The domains, which often consist of randomized alphanumeric strings under common top-level domains such as .ru, host custom PHP scripts such as "res444.php," "cllascio.php," and ".000.php" that are integral to payload delivery. Tycoon2FA is believed to be a direct evolution or clone of Dadsec; the kit is technically sophisticated, using layered obfuscation and Cloudflare Turnstile challenges, the latter keeping automated scanners and sandboxes from reaching the phishing page.
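A detection pass over the traits just listed, as an added example that is not Trustwave's tooling: it scans web-proxy log lines for the quoted PHP script names, a .ru top-level domain, random-looking hostname labels, and a destination ASN of 19871. The log format, the sample lines and the IP-to-ASN table are constructed for the example (a real deployment would resolve ASNs from an external feed); the script names and the ASN are the ones the text gives.

```python
"""Indicator matching for the Dadsec/Tycoon2FA infrastructure pattern.

Constructed example, not Trustwave's code. Scores web-proxy log lines on
four signals named in the write-up and reports lines that hit at least two.
The log format, sample lines and ASN_LOOKUP table are made up for the example.
"""
import math
import re
from collections import Counter
from urllib.parse import urlsplit

SUSPICIOUS_SCRIPTS = {"res444.php", "cllascio.php", ".000.php"}  # from the write-up
SUSPICIOUS_TLDS = {"ru"}
SUSPICIOUS_ASNS = {19871}
# Hypothetical IP -> ASN map standing in for a real lookup (MaxMind, Team Cymru, ...)
ASN_LOOKUP = {"203.0.113.10": 19871, "198.51.100.7": 64496}

# Assumed log layout: timestamp user dst_ip method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<dst_ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def random_looking(label):
    """Heuristic for generated labels: long, mixes letters and digits, high entropy."""
    return (len(label) >= 8
            and any(ch.isdigit() for ch in label)
            and any(ch.isalpha() for ch in label)
            and shannon_entropy(label) >= 3.0)


def score_url(url, dst_ip=None):
    """Return the list of signals a URL (and optional destination IP) triggers."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    reasons = []
    if parts.path.rsplit("/", 1)[-1] in SUSPICIOUS_SCRIPTS:
        reasons.append("known-phish-script")
    if labels[-1] in SUSPICIOUS_TLDS:
        reasons.append("suspicious-tld")
    if any(random_looking(lab) for lab in labels[:-1]):
        reasons.append("random-label")
    if dst_ip and ASN_LOOKUP.get(dst_ip) in SUSPICIOUS_ASNS:
        reasons.append("suspicious-asn")
    return reasons


def scan(log_lines):
    """Yield (user, url, reasons) for lines that trigger at least two signals."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = score_url(m["url"], m["dst_ip"])
        if len(reasons) >= 2:  # require two independent signals to cut noise
            hits.append((m["user"], m["url"], reasons))
    return hits


# Constructed sample log: two Tycoon2FA-style requests plus benign noise.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice 203.0.113.10 GET https://x7k2p9qa4m.ru/res444.php 200
2024-03-04T09:12:05Z alice 203.0.113.10 POST https://x7k2p9qa4m.ru/cllascio.php 200
2024-03-04T09:13:40Z bob 198.51.100.7 GET https://www.example.com/index.php 200
2024-03-04T09:14:02Z carol 198.51.100.7 GET https://docs.example.ru/report.pdf 200
2024-03-04T09:15:17Z dave 203.0.113.10 GET https://cdn.example.com/assets/app.js 304
"""

if __name__ == "__main__":
    for user, url, reasons in scan(SAMPLE_LOG.splitlines()):
        print(user, url, ",".join(reasons))
```

The two-signal threshold is deliberate: a .ru domain or a single ASN on its own is far too common to alert on, while the script names alone are trivially rotated by the kit operators; requiring a combination keeps the rule useful after any one indicator goes stale.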



References:
  • cyberpress.org: Dadsec Hackers Exploit Tycoon2FA Infrastructure to Harvest Office365 Credentials
  • gbhackers.com: Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials
  • SpiderLabs Blog: PhaaS the Secrets: The Hidden Ties Between Tycoon2FA and Dadsec's Operations
Classification:
  • HashTags: #phishing #credentials #Office365
  • Company: Trustwave
  • Target: Microsoft 365 Users
  • Product: Office365
  • Feature: Credential Harvesting
  • Malware: Tycoon2FA
  • Type: Phishing
  • Severity: Medium