Beware: The New Wave of Phishing Attacks on Microsoft 365 and Gmail Accounts

A new phishing-as-a-service (PhaaS) platform, dubbed ‘Tycoon 2FA’, is being used to defeat the two-factor authentication (2FA) protecting Microsoft 365 and Gmail accounts. Sekoia analysts discovered it in October 2023, but it has been active since at least August 2023, when the Saad Tycoon group began selling it through private Telegram channels.

The kit shares code and techniques with other adversary-in-the-middle (AitM) platforms such as Dadsec OTT, which points to code reuse or collaboration between their developers. In 2024 the operators released a stealthier version, a sign that the toolkit is being actively maintained. Around 1,100 domains have been tied to the service, and it has been implicated in thousands of phishing attacks.

The Mechanics of Tycoon 2FA Attacks

A Tycoon 2FA attack runs through several stages. The attacker first delivers a malicious link by email, as an embedded URL, or as a QR code. The landing page presents a Cloudflare Turnstile challenge, so automated crawlers and URL scanners never reach the phishing content and only a human in a browser proceeds. The kit then extracts the victim’s email address from the URL and uses it to personalise the fake Microsoft or Google login page, which captures the password the victim types.

The most dangerous part is what happens next. The phishing site is a reverse proxy: the password and the 2FA response (a one-time code or an approved push prompt) that the victim supplies are forwarded in real time to the legitimate login service, which sees a normal, MFA-satisfied authentication and issues a session cookie. The server in the middle captures that cookie, and the attacker replays it from their own browser to take over the session without ever needing the password or a second factor again. The 2FA is not broken, it is relayed, which is why code- and push-based methods are defeated while origin-bound methods such as FIDO2 security keys and passkeys are not.
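The session replay described above leaves a trace in identity-provider sign-in telemetry: a session minted by an MFA-satisfied interactive sign-in is then used, minutes later, from a different source IP and browser. The following detection logic is an added example written for this article, not code from Sekoia or the kit; the event field names and the sample events are constructed assumptions, and you would map your own provider’s sign-in log schema (session or correlation IDs, source IP, user agent) onto them.

```python
"""Flag AitM-style session cookie replay in sign-in telemetry.

Added example, not from the original article. Field names and the sample
events below are constructed assumptions; map your identity provider's
sign-in log schema onto them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one interactive sign-in per user plus its
# follow-on session use. IPs are from documentation ranges.
SAMPLE_EVENTS = [
    # alice: MFA completed through the phishing proxy, then the stolen
    # cookie is replayed from other attacker infrastructure minutes later.
    {"ts": "2024-03-14T09:00:00Z", "user": "alice@example.com", "session_id": "s-1001",
     "src_ip": "203.0.113.10", "user_agent": "Chrome/122 Windows",
     "event": "interactive_signin", "mfa": "satisfied"},
    {"ts": "2024-03-14T09:03:00Z", "user": "alice@example.com", "session_id": "s-1001",
     "src_ip": "198.51.100.7", "user_agent": "Firefox/123 Linux",
     "event": "non_interactive", "mfa": "claim_in_token"},
    # bob: normal behaviour, the same device keeps using its own session.
    {"ts": "2024-03-14T09:10:00Z", "user": "bob@example.com", "session_id": "s-2002",
     "src_ip": "192.0.2.44", "user_agent": "Chrome/122 Windows",
     "event": "interactive_signin", "mfa": "satisfied"},
    {"ts": "2024-03-14T09:40:00Z", "user": "bob@example.com", "session_id": "s-2002",
     "src_ip": "192.0.2.44", "user_agent": "Chrome/122 Windows",
     "event": "non_interactive", "mfa": "claim_in_token"},
    # carol: same session from a new IP a day later (roaming); outside the
    # default window, so not flagged.
    {"ts": "2024-03-14T10:00:00Z", "user": "carol@example.com", "session_id": "s-3003",
     "src_ip": "192.0.2.80", "user_agent": "Safari/17 macOS",
     "event": "interactive_signin", "mfa": "satisfied"},
    {"ts": "2024-03-15T11:00:00Z", "user": "carol@example.com", "session_id": "s-3003",
     "src_ip": "192.0.2.81", "user_agent": "Safari/17 macOS",
     "event": "non_interactive", "mfa": "claim_in_token"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, window=timedelta(hours=1)):
    """Return one finding per session whose follow-on use, within `window`
    of the interactive sign-in that minted it, comes from a different source
    IP or user agent than that sign-in.

    In an AitM flow the MFA-satisfied interactive sign-in is performed by the
    proxy, so the sign-in IP is already the attacker's; the later use from
    further attacker infrastructure is what this heuristic catches.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        origin = next((e for e in evs if e["event"] == "interactive_signin"), evs[0])
        for e in evs:
            if e is origin:
                continue
            elapsed = parse_ts(e["ts"]) - parse_ts(origin["ts"])
            if elapsed < timedelta(0) or elapsed > window:
                continue
            reasons = []
            if e["src_ip"] != origin["src_ip"]:
                reasons.append("ip_changed")
            if e["user_agent"] != origin["user_agent"]:
                reasons.append("user_agent_changed")
            if reasons:
                findings.append({
                    "user": origin["user"],
                    "session_id": sid,
                    "signin_ip": origin["src_ip"],
                    "replay_ip": e["src_ip"],
                    "minutes_after_mfa": int(elapsed.total_seconds() // 60),
                    "reasons": reasons,
                })
                break  # one finding per session is enough to trigger review
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_EVENTS):
        print(finding)
```

The one-hour window is a tuning knob: widen it and legitimate roaming between networks (carol above) starts to fire, so in practice pair the IP change with ASN or hosting-provider reputation and treat a sign-in from a hosting range as its own signal. Also note that by the time this fires the session is already live, so the response is to revoke the user’s sessions and refresh tokens, not just reset the password.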

Evolving Threats and the Scale of Operations

The latest version of the Tycoon 2FA kit brings changes aimed at both phishing effectiveness and evasion: reworked JavaScript and HTML, a different order in which page resources are fetched, and stricter filtering to block traffic from bots and analysis tools. The operation is large, with a broad base of cybercriminal customers running campaigns on it. Since the launch in August 2023, the Bitcoin wallet linked to the operators has received more than 1,800 transactions, worth a total of $394,015 in cryptocurrency as of mid-March 2024.

A Call to Vigilance

Tycoon 2FA is a reminder that phishing keeps pace with the defences raised against it. Because the kit relays codes and push approvals, the practical answer is phishing-resistant authentication such as passkeys, which Google highlights as offering stronger protection against phishing and other social engineering attacks: a passkey assertion is bound to the site origin the browser actually loaded, so a proxy on a lookalike domain cannot obtain one that the real service will accept. For responders, the artefact stolen in these attacks is the session cookie rather than the password, so a suspected compromise calls for revoking the user’s sessions and refresh tokens in addition to resetting credentials.

As the operators continue to refine their tooling, individuals and organisations alike need to stay informed, share indicators, and adopt these stronger controls to stay ahead of the threat.
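To make the passkey argument concrete, here is an added simulation written for this article, not code from the original page or from Google or Microsoft. It models the two checks that stop a relayed WebAuthn login: the browser refuses a relying-party ID (rpId) that does not match the page’s own domain, and it writes the origin it really loaded into clientDataJSON, which the relying party (RP) compares against its own. The signature over the assertion is left out because the origin binding already fails before a signature would be verified; the host names and the simplified rpId rule (real browsers consult the public suffix list) are assumptions for illustration.

```python
"""Why a passkey (WebAuthn) login survives an AitM proxy that relays OTP/push MFA.

Added example, not code from the original article or from Google/Microsoft.
Stdlib only; host names and the simplified rpId rule are assumptions.
"""
import base64
import hashlib
import json
import os

RP_ID = "example.com"                   # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"  # assumed origin the RP expects


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def host_of(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Model of the browser side of navigator.credentials.get().

    Two things the page's JavaScript cannot influence: the browser refuses an
    rpId that is not the page's effective domain or a parent of it
    (simplified; real browsers consult the public suffix list), and it writes
    the origin it actually loaded the page from into clientDataJSON.
    """
    host = host_of(page_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    return client_data, auth_data


def rp_verify(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """The RP-side checks from WebAuthn assertion verification that defeat a
    relayed login, in the order the spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "type is not webauthn.get"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def login_attempt(page_origin: str, rp_id_requested: str, challenge: bytes = None):
    """Run one login. The RP issues the challenge; the page at `page_origin`
    (the real site or an AitM proxy relaying that challenge) hands it to the
    browser with the rpId it chooses; the RP verifies what comes back."""
    challenge = challenge or os.urandom(32)
    try:
        client_data, auth_data = browser_get_assertion(page_origin, rp_id_requested, challenge)
    except PermissionError as err:
        return False, f"browser refused: {err}"
    return rp_verify(client_data, auth_data, challenge)


if __name__ == "__main__":
    print(login_attempt(RP_ORIGIN, RP_ID))
    # AitM proxy on a lookalike domain relaying the RP's real challenge:
    print(login_attempt("https://login-example.com.evil.test", RP_ID))        # browser refuses rpId
    print(login_attempt("https://login-example.com.evil.test", "evil.test"))  # RP rejects origin
```

Contrast this with a six-digit code or a push approval: those carry no information about where the victim typed or tapped them, so the proxy can forward them unchanged and the service cannot tell the difference. The passkey flow fails closed at both the browser and the RP, which is the property the page’s recommendation rests on.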