Beware of Fake Timesheet Report Email Leading to the Tycoon 2FA Phishing Kit


A new wave of phishing attacks is exploiting fake timesheet report emails to lure victims into the sophisticated Tycoon 2FA phishing kit. 

This campaign leverages Pinterest Visual Bookmarks as intermediaries, adding a deceptive layer of legitimacy to its tactics. 

SpiderLabs warns users to stay vigilant, as these attacks aim to bypass Multi-Factor Authentication (MFA) and harvest sensitive credentials.

How the Attack Works

1. Fake Timesheet Notification: According to SpiderLabs’ post on X, the attack begins with an email titled “Timesheet Report,” claiming new information has been added to the recipient’s timesheet. The email includes a “View Timesheet” button, which redirects the user to a Pinterest Visual Bookmark link.

2. Pinterest Visual Bookmark: The link leads to a page hosted on Pinterest, displaying a Microsoft logo and a “Visit” button. This intermediary step is designed to lower suspicion by leveraging Pinterest’s reputation.

3. Cloudflare CAPTCHA Challenge: Clicking “Visit” redirects users to a page with a Cloudflare CAPTCHA challenge. This step filters out automated bots, including security crawlers and sandboxes, and adds another layer of perceived legitimacy.

4. Fake Microsoft Login Page: After completing the CAPTCHA, users are taken to a fake Microsoft login page. Here, victims are prompted to enter their credentials, which are immediately harvested by the attackers.

Fake timesheet report emails leading to Tycoon 2FA phishing kit

Tycoon 2FA Phishing Kit: A Sophisticated Threat

The Tycoon 2FA phishing kit operates as a Phishing-as-a-Service (PhaaS) platform. First identified in August 2023, it has evolved significantly to bypass MFA protections, making it one of the most advanced phishing kits in circulation. The key features include:

Session Cookie Harvesting: Tycoon 2FA intercepts session cookies from Microsoft 365 or Gmail accounts. Because the cookie is issued only after the victim has completed MFA, replaying it lets attackers into the account without being challenged again, so MFA is bypassed even if it’s enabled.

Obfuscated Code: The phishing pages use heavily obfuscated JavaScript and HTML code, making it difficult for security tools and analysts to detect malicious intent.

Anti-Inspection Measures: The kit detects developer tools or penetration-testing scripts and blocks further actions. It also disables right-click menus and overwrites clipboard content to hinder analysis.

Traffic Filtering: The phishing kit employs advanced traffic filtering techniques, such as blocking datacenter IPs, Tor traffic, and specific bot user agents.

Mitigation Strategies

To protect against Tycoon 2FA and similar phishing attacks:

  • Always double-check sender details and avoid clicking on links from unsolicited emails.
  • Use email filtering solutions that detect phishing attempts based on behavioral patterns and IoCs.
  • Conduct regular security awareness training for employees on identifying phishing emails.
  • Implement solutions that monitor session cookie usage for anomalies.
  • Consider using hardware-based MFA keys or biometric authentication for added security.
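The last two mitigations hinge on spotting a session cookie that was minted in the victim’s browser and then presented again from attacker infrastructure. The detector below is an added example (not code from the article or from SpiderLabs): it parses a small, constructed telemetry sample of session-cookie use (timestamp, user, session id, source IP, user agent are assumed field names) and flags a cookie that reappears from a new IP and a new user agent within a short window.

```python
"""Flag replayed web-session cookies in sign-in telemetry (constructed example)."""
from datetime import datetime, timedelta

# Constructed sample telemetry, not real log data: one row per request that
# presented a session cookie, as a CSV line of
# timestamp,user,session_id,source_ip,user_agent
SAMPLE_LOG = """\
2025-01-10T09:02:11Z,alice,sess-a1b2,203.0.113.5,Mozilla/5.0 (Windows NT 10.0) Chrome/120
2025-01-10T09:03:40Z,alice,sess-a1b2,203.0.113.5,Mozilla/5.0 (Windows NT 10.0) Chrome/120
2025-01-10T09:14:02Z,alice,sess-a1b2,198.51.100.77,Mozilla/5.0 (X11; Linux x86_64) Firefox/121
2025-01-10T09:20:15Z,bob,sess-c3d4,192.0.2.10,Mozilla/5.0 (Macintosh) Safari/17
2025-01-10T12:45:00Z,bob,sess-c3d4,192.0.2.10,Mozilla/5.0 (Macintosh) Safari/17
"""


def parse_log(text):
    """Turn the CSV sample into event dicts; the user agent may itself contain commas."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, ua = line.split(",", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "sid": sid, "ip": ip, "ua": ua})
    return events


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return one alert per session cookie reused from a different IP *and* a
    different user agent within `window` of its previous use.

    Requiring both to change (plus the time window) keeps mobile roaming and
    VPN hops from alerting on their own; a cookie stolen through an
    attacker-in-the-middle page typically changes both at once.
    """
    last_seen = {}  # session id -> most recent event that presented it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(ev["sid"])
        if (prev and ev["ts"] - prev["ts"] <= window
                and ev["ip"] != prev["ip"] and ev["ua"] != prev["ua"]):
            alerts.append({"user": ev["user"], "sid": ev["sid"],
                           "from": prev["ip"], "to": ev["ip"],
                           "minutes": (ev["ts"] - prev["ts"]).seconds // 60})
        last_seen[ev["sid"]] = ev
    return alerts


if __name__ == "__main__":
    for a in find_replayed_sessions(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['user']} session {a['sid']} moved "
              f"{a['from']} -> {a['to']} after {a['minutes']} min")
```

In the sample, alice’s cookie resurfaces ten minutes later from another address and browser and is flagged, while bob’s long-lived session from one machine is not; in production the IP comparison is better done at ASN or geolocation granularity, and an attacker who copies the victim’s user agent will only be caught by the IP side of the check.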

The Tycoon 2FA phishing kit represents the growing sophistication of cyber threats in today’s digital landscape. 

By exploiting trusted platforms like Pinterest and bypassing MFA protections, attackers are making it harder for traditional defenses to keep up. Organizations must adopt proactive measures and remain vigilant against evolving threats like these.
