CyberSecurity news


@www.trustwave.com //
Trustwave researchers have uncovered a large-scale phishing campaign in which the Dadsec hacker group uses Tycoon2FA infrastructure to steal Microsoft 365 (Office 365) credentials. Dadsec, tracked by Microsoft as Storm-1575, operates a Phishing-as-a-Service (PhaaS) platform and has been leveraging Tycoon2FA against Microsoft 365 users since at least September 2023. The campaign blends advanced evasion techniques with shared infrastructure, pointing to a coordinated PhaaS ecosystem rather than isolated operators.

Recent investigations reveal technical and operational overlap between Dadsec and Tycoon2FA, suggesting a convergence of methods. The campaigns typically lure victims with fake shared documents or urgent notifications that redirect to phishing pages closely mimicking the Microsoft 365 sign-in page. The pages operate as an adversary-in-the-middle (AiTM) reverse proxy: the victim's credentials and MFA response are relayed to the real Microsoft login in real time, and the session cookie issued once MFA succeeds is captured by the attacker. Replaying that cookie grants access to the account without triggering a further MFA prompt.

Detailed analysis shows that domains used in both Dadsec and Tycoon2FA campaigns consistently resolve to infrastructure in shared Autonomous Systems, notably AS19871. These domains, often randomized alphanumeric strings under common top-level domains such as .ru, host custom PHP scripts such as "res444.php", "cllascio.php" and ".000.php" that are integral to payload delivery. Tycoon2FA is believed to be a direct evolution or clone of the Dadsec kit, with a high degree of technical sophistication: layered obfuscation and Cloudflare Turnstile integration that keeps automated scanners away from the credential-harvesting page.



References :
  • cyberpress.org: Dadsec Hackers Exploit Tycoon2FA Infrastructure to Harvest Office365 Credentials
  • gbhackers.com: Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials
  • SpiderLabs Blog: PhaaS the Secrets: The Hidden Ties Between Tycoon2FA and Dadsec's Operations
Classification:
  • HashTags: #phishing #credentials #Office365
  • Company: Trustwave
  • Target: Microsoft 365 Users
  • Product: Office365
  • Feature: Credential Harvesting
  • Malware: Tycoon2FA
  • Type: Phishing
  • Severity: Medium
@cyberalerts.io //
The Tycoon2FA Phishing-as-a-Service (PhaaS) platform, notorious for bypassing multi-factor authentication (MFA) on Microsoft 365 and Gmail accounts, has been updated with new techniques designed to evade detection. The kit targets Microsoft 365 users with methods aimed at slipping past endpoint security controls and analyst scrutiny. The updates enhance its stealth, posing a significant threat to organizations that rely on MFA alone.

New evasion techniques include the use of invisible Unicode characters to conceal binary data within JavaScript: the visible source contains no recognisable strings for static pattern matching, and the payload is decoded and executed only at runtime. Tycoon2FA also employs a custom CAPTCHA rendered via HTML5 canvas (so there is no DOM text or fetched image for scanners to fingerprint) and anti-debugging scripts that complicate analysis and delay execution, making it harder for security tooling to identify and block the phishing page. The caveat for defenders is that the decoded code still has to reach the interpreter, so runtime or behavioural inspection, and even a static check for long runs of non-printing code points, still work where signature matching fails.
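An added example of the invisible-character trick and a check for it (this is not the kit's code and not from the original report): an encoder used only to build a constructed sample, the runtime decoder an obfuscated loader would carry, and a scanner that flags long runs of non-printing code points and recovers the bytes they hide. It assumes a two-symbol alphabet of Hangul Filler characters (U+3164 for a 0 bit, U+FFA0 for a 1 bit); the page does not state the kit's alphabet or bit mapping, and the run-length threshold is a tuning assumption.

```javascript
// Added example (not Tycoon2FA's code). Assumed scheme: each payload bit is
// one "invisible" Hangul Filler code point (U+3164 = 0, U+FFA0 = 1). The kit's
// real alphabet and mapping are not given on the page.
const BIT0 = "\u3164"; // HANGUL FILLER
const BIT1 = "\uFFA0"; // HALFWIDTH HANGUL FILLER

// Encoder: used here only to build a constructed sample of obfuscated script.
function hideInInvisible(text) {
  let out = "";
  for (const byte of new TextEncoder().encode(text)) {
    for (let i = 7; i >= 0; i--) out += (byte >> i) & 1 ? BIT1 : BIT0;
  }
  return out;
}

// Runtime decoder of the kind a loader carries; a real loader would hand the
// result to Function() or eval(). Here it is only returned, never executed.
function revealFromInvisible(blob) {
  const bits = Array.from(blob).filter(c => c === BIT0 || c === BIT1);
  const bytes = new Uint8Array(Math.floor(bits.length / 8));
  for (let i = 0; i < bytes.length; i++) {
    let b = 0;
    for (let j = 0; j < 8; j++) b = (b << 1) | (bits[i * 8 + j] === BIT1 ? 1 : 0);
    bytes[i] = b;
  }
  return new TextDecoder().decode(bytes);
}

// Detection: string signatures see nothing, but the script is still full of
// non-printing code points. Flag any run of them at or above minRun (assumed
// threshold), covering the filler characters and common zero-width characters,
// and recover what the run hides.
function scanScript(source, minRun = 64) {
  const invisibleRun = new RegExp(
    `[\\u3164\\uFFA0\\u200B-\\u200F\\u2060\\uFEFF]{${minRun},}`, "g");
  const hits = [];
  for (const m of source.matchAll(invisibleRun)) {
    hits.push({ offset: m.index, length: m[0].length, decoded: revealFromInvisible(m[0]) });
  }
  return hits;
}

// Constructed sample: a loader whose only literal is an invisible blob.
const HIDDEN_PAYLOAD = 'document.location="https://login.example.invalid/";';
const CONSTRUCTED_LOADER =
  `var p="${hideInInvisible(HIDDEN_PAYLOAD)}";\n` +
  `/* ... decode p at runtime and pass it to Function() ... */`;
const BENIGN_SCRIPT = "function add(a, b) { return a + b; }";
```

Run it in Node (TextEncoder and TextDecoder are globals there): `scanScript(CONSTRUCTED_LOADER)` returns one hit at offset 7 whose `decoded` field is the hidden redirect, while `scanScript(BENIGN_SCRIPT)` returns nothing. Editors and log viewers render the blob as blank space, which is exactly why a length-of-invisible-run check is a better static signal than looking for suspicious strings.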

The kit uses Adversary-in-the-Middle (AiTM) tactics to intercept traffic between the user and the legitimate service, capturing the session cookie issued after the victim completes MFA. Because that cookie already represents an authenticated, MFA-satisfied session, replaying it requires no further authentication, and it remains valid even if the victim's password is subsequently changed unless existing sessions are also revoked. The improvements to Tycoon2FA underline the growing sophistication of phishing campaigns and the need for controls that do not depend on the user completing MFA correctly: phishing-resistant authenticators such as FIDO2 security keys, which bind the credential to the real origin so an AiTM proxy cannot relay it, together with session revocation and token-anomaly monitoring for the cases where a cookie is stolen anyway.
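The cookie-replay mechanics described above, as an added example that is not part of the original report or the kit: constructed identity-provider log records for one user, and a small heuristic that flags a session cookie used from a network other than the one it was minted from, from an autonomous system the user has never signed in from before, and still in use after a password reset. The record fields, ASN values, addresses and the three rules are assumptions for illustration, not any vendor's log schema or detection.

```javascript
// Added example (not from the page or from Tycoon2FA). Constructed records
// modelled on identity-provider sign-in and token-activity logs; field names
// and the rules below are assumptions.
const RECORDS = [
  // Baseline: normal sign-ins from the corporate egress ASN in prior weeks.
  { ts: "2025-04-01T08:00:00Z", user: "alice", event: "interactive_signin", session: "s-001", ip: "203.0.113.5", asn: 64500, mfa: "satisfied" },
  { ts: "2025-04-01T08:10:00Z", user: "alice", event: "token_use", session: "s-001", ip: "203.0.113.5", asn: 64500 },
  { ts: "2025-04-02T08:05:00Z", user: "alice", event: "interactive_signin", session: "s-002", ip: "203.0.113.5", asn: 64500, mfa: "satisfied" },
  // Phish: the victim types credentials and approves MFA, but the IdP sees the
  // AiTM proxy's address, and the session cookie is minted to that session.
  { ts: "2025-04-10T09:00:00Z", user: "alice", event: "interactive_signin", session: "s-777", ip: "198.51.100.10", asn: 64501, mfa: "satisfied" },
  // Attacker replays the stolen cookie from another host; no MFA prompt occurs
  // because the cookie already represents an MFA-completed session.
  { ts: "2025-04-10T09:03:00Z", user: "alice", event: "token_use", session: "s-777", ip: "192.0.2.44", asn: 64502 },
  // Helpdesk resets the password; the existing session is not revoked.
  { ts: "2025-04-10T10:00:00Z", user: "alice", event: "password_reset" },
  { ts: "2025-04-10T10:30:00Z", user: "alice", event: "token_use", session: "s-777", ip: "192.0.2.44", asn: 64502 },
];

// Build a per-user ASN baseline from interactive sign-ins before `baselineBefore`,
// then evaluate every session against three assumed rules.
function analyzeSessions(records, baselineBefore) {
  const cutoff = Date.parse(baselineBefore);
  const baselineAsns = new Set(
    records
      .filter(r => r.event === "interactive_signin" && Date.parse(r.ts) < cutoff)
      .map(r => r.asn));

  const sessions = new Map(); // session id -> { user, mintTs, mintAsn, uses }
  const resets = [];          // { user, ts }
  for (const r of records) {
    if (r.event === "interactive_signin") {
      sessions.set(r.session, { user: r.user, mintTs: Date.parse(r.ts), mintAsn: r.asn, uses: [] });
    } else if (r.event === "token_use") {
      const s = sessions.get(r.session);
      if (s) s.uses.push({ ts: Date.parse(r.ts), asn: r.asn, ip: r.ip });
    } else if (r.event === "password_reset") {
      resets.push({ user: r.user, ts: Date.parse(r.ts) });
    }
  }

  const findings = [];
  for (const [id, s] of sessions) {
    // Rule 1: any ASN touching this session is outside the user's baseline.
    // In AiTM the mint ASN itself is the proxy's, so this catches the sign-in too.
    const seenAsns = [s.mintAsn, ...s.uses.map(u => u.asn)];
    if (seenAsns.some(a => !baselineAsns.has(a))) {
      findings.push({ session: id, user: s.user, rule: "unfamiliar_asn" });
    }
    // Rule 2: the cookie is used from a different network than it was minted on.
    if (s.uses.some(u => u.asn !== s.mintAsn)) {
      findings.push({ session: id, user: s.user, rule: "cookie_replayed_from_other_network" });
    }
    // Rule 3: a session minted before a password reset is still used after it;
    // the fix is to revoke sessions, not just rotate the password.
    if (resets.some(rs => rs.user === s.user && s.mintTs < rs.ts && s.uses.some(u => u.ts > rs.ts))) {
      findings.push({ session: id, user: s.user, rule: "session_survived_password_reset" });
    }
  }
  return findings;
}
```

With the baseline cut at 2025-04-05, only session s-777 is flagged, by all three rules. Note that rule 2 alone is not sufficient against AiTM: the identity provider records the proxy's address at sign-in, so a careful attacker who replays from the same network as the proxy produces no mint-versus-use mismatch. The baseline comparison and the post-reset check are what remain.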



References :
  • cyberpress.org: Tycoon 2FA Phishing Kit Deploys New Tactics to Bypass Endpoint Detection Systems
  • gbhackers.com: Tycoon 2FA Phishing Kit Uses Advanced Evasion Techniques to Bypass Endpoint Detection Systems
  • The DefendOps Diaries: Understanding and Mitigating the Tycoon2FA Phishing Threat
  • www.bleepingcomputer.com: Tycoon2FA phishing kit targets Microsoft 365 with new tricks
  • SpiderLabs Blog: Tycoon2FA New Evasion Technique for 2025
  • Cyber Security News: Tycoon 2FA phishing kit introduces sophisticated evasion techniques to bypass endpoint detection systems and analyst scrutiny
  • Daily CyberSecurity: SentinelLABS report on the Tycoon 2FA PhaaS operation targeting Microsoft 365 and Gmail accounts while bypassing MFA
  • securityaffairs.com: SecurityAffairs article on Tycoon2FA phishing kit rolling out significant updates
  • www.scworld.com: SCWorld brief on Stealthier Tycoon2FA phishing kit appearing as PhaaS platforms fueling SVG exploitation
  • www.scworld.com: Tycoon 2FA phishing kit adds stealth, expands to mobile devices
Classification:
  • HashTags: #Tycoon2FA #PhishingAttacks #MFABypass
  • Company: Trustwave
  • Target: Microsoft 365, Gmail users
  • Attacker: Tycoon2FA
  • Product: Gmail, Microsoft 365
  • Feature: HTML5 canvas
  • Malware: Tycoon2FA
  • Type: Hack
  • Severity: High