AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace’s Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been exploiting legitimate Software-as-a-Service (SaaS) platforms like Milanote to orchestrate sophisticated phishing campaigns.

These attacks, bolstered by the Tycoon 2FA phishing kit, demonstrate an advanced Adversary-in-the-Middle (AiTM) approach that circumvents multi-factor authentication (MFA) protections.

Leveraging Legitimate Services for Stealthy Attacks

By abusing trusted services, threat actors send phishing emails that appear benign, leveraging Milanote’s legitimate email infrastructure to bypass traditional security gateways.

Darktrace identified phishing emails sent to multiple internal users across organizations, with subject lines referencing “new agreements” and internal colleagues to incite curiosity without raising immediate suspicion.

These emails, originating from seemingly legitimate addresses like support@milanote[.]com, contained malicious links leading to credential harvesting pages hosted on Milanote itself, blending malicious intent with trusted domains to deceive recipients.

Tycoon 2FA: A Persistent Threat to SaaS Security

The Tycoon 2FA phishing kit, first observed in August 2023 and distributed via Phishing-as-a-Service (PhaaS) models, poses a significant threat to SaaS environments by intercepting credentials and MFA tokens during authentication on counterfeit Microsoft or Google login pages.

Once victims complete MFA, the kit captures session cookies, allowing attackers to replay sessions and access accounts even if credentials are reset.

Darktrace’s analysis revealed that after users interacted with malicious Milanote links, their devices queried Tycoon 2FA-associated domains like lrn.ialeahed[.]com, indicating the kit’s involvement.

Following credential theft, attackers accessed compromised SaaS accounts from rare US-based IP addresses, often masked by VPNs like Hide My Ass, while legitimate users remained active elsewhere, showcasing the stealth of AiTM tactics.

Furthermore, attackers created mailbox rules like “GTH” to delete incoming emails containing “milanote,” concealing their activities and using compromised accounts to propagate further phishing attempts, thus amplifying the campaign’s reach.

Darktrace’s anomaly-based detection played a critical role in identifying these threats, flagging unusual sender behavior, high recipient surges, and rare login locations with an 82% probability of malice for phishing emails.

Within minutes of detecting suspicious logins, Darktrace’s Autonomous Response disabled compromised accounts, while its SOC team collaborated with affected customers to reset passwords, terminate sessions, and remove malicious rules.

This incident underscores a broader Milanote phishing campaign, with similar attacks observed across multiple organizations, featuring consistent tactics like inbox rule creation and multilingual phishing emails in German, Spanish, and Portuguese.

The evolving Tycoon 2FA kit, now equipped with obfuscation techniques to hinder analysis, highlights the growing challenge of detecting AiTM attacks.

As MFA adoption rises, so does the reliance on such kits by cybercriminals, necessitating advanced security tools and heightened user awareness to combat the misuse of legitimate platforms for malicious ends.

Darktrace’s proactive containment and detailed incident correlation by Cyber AI Analyst provided clarity amidst the complexity, emphasizing the need for robust, adaptive defenses against these insidious threats to SaaS security.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!