Tycoon 2FA, a recently emerged Phishing-as-a-Service (PhaaS) platform, is targeting Microsoft 365 and Gmail accounts using an Adversary-in-the-Middle (AitM) technique. This method involves intercepting user session cookies to bypass multi-factor authentication (MFA), thus granting attackers unauthorized access to compromised accounts and cloud services. By acting as an intermediary between the user and the legitimate login page, Tycoon 2FA captures session cookies, effectively undermining even robust security measures.
The phishing kit received a significant update in March 2024, enhancing its evasion capabilities. This update introduced obfuscated JavaScript and HTML code, making the phishing kit harder to analyze and detect. Additionally, dynamic code generation was incorporated, allowing the code to rewrite itself upon each execution. This sophisticated evasion technique helps the phishing kit avoid detection by signature-based security systems, increasing its effectiveness against potential targets.
Tycoon 2FA facilitates the theft of MFA tokens by selling pre-made phishing pages targeting Microsoft 365 and Gmail credentials on platforms like Telegram. This lowers the technical barrier for attackers, providing them with easy-to-use templates. The attack works through a reverse proxy, capturing login credentials and relaying them to the real service. By stealing session cookies during successful logins, attackers gain unauthorized access even with MFA enabled. Various lures, such as emails with fake authentication links, voicemail-themed threats, and PDFs with QR codes leading to phishing pages, are used to trick victims.
To counteract these threats, security researchers at Proofpoint have developed rules to detect Tycoon landing pages based on these tactics. AI-powered behavioral analytics and URL sandboxes are employed to identify and block malicious landing pages and phishing activities associated with Tycoon 2FA. By combining threat intelligence with machine learning, defenders can recognize suspicious behaviors and stop known and new threats before they can cause harm. Organizations must stay vigilant and update their security measures to protect against these sophisticated phishing attacks.
Reference:
