Cybercriminals are leveraging a new phishing kit, Tycoon 2FA, to target Microsoft 365 and Gmail accounts, bypassing two-factor authentication (2FA) measures. Discovered by Sekoia analysts in 2023, the platform has seen continuous enhancements, indicating a persistent effort to improve its efficacy. Tycoon 2FA operates through a multi-step process, involving session cookie theft and mimicking 2FA challenges, enabling attackers to deceive victims seamlessly and evade security measures.
The latest version of Tycoon 2FA, released in 2024, boasts significant modifications that enhance its phishing and evasion capabilities. These enhancements include updates to JavaScript and HTML code, as well as more extensive filtering to block bot traffic. Additionally, the platform now delays loading malicious resources until after resolving the Cloudflare Turnstile challenge, further obscuring its activities.
Sekoia reports a substantial scale of operations for Tycoon 2FA, with evidence of broad cybercriminal utilization and a significant number of Bitcoin transactions linked to the operators. The threat actors’ Bitcoin wallet has received substantial amounts of cryptocurrency, indicating the financial success of their phishing endeavors. Tycoon 2FA joins a plethora of PhaaS platforms offering cybercriminals various options to bypass 2FA protections, highlighting the ongoing threat landscape faced by organizations and individuals alike.
For those seeking to defend against Tycoon 2FA and similar threats, Sekoia provides a repository with over 50 indicators of compromise (IoCs), aiding in the detection and mitigation of these phishing operations. This underscores the importance of proactive security measures, including robust email filtering, employee awareness training, and continuous monitoring for suspicious activities. As cybercriminals continue to evolve their tactics, vigilance and adaptation remain crucial in safeguarding against phishing attacks targeting sensitive accounts and data.
