If your company uses Microsoft products, you are at risk of falling victim to a Tycoon 2FA phishing attack. Adoption of this phishing kit is steadily increasing, with new campaigns emerging almost every week. Let’s learn more about how it works and walk through analyses of real Tycoon 2FA attacks.
What is Tycoon 2FA?
Tycoon 2FA is a type of phishing kit, a pre-packaged set of tools and templates designed to simplify the deployment of phishing attacks. It operates as a Phishing-as-a-Service (PhaaS) platform, making it accessible to a wide range of cybercriminals.
The target of each Tycoon attack is the session cookie, a digital token that represents the user’s authenticated session. By stealing it, the attacker can bypass Multi-Factor Authentication (MFA) for subsequent login attempts, as the cookie proves the user has already been authenticated.
By providing an easy-to-use interface and powerful capabilities, Tycoon 2FA has become a go-to choice for many malicious actors looking to compromise user accounts protected by MFA.
How Tycoon 2FA Works
The core functionality of Tycoon 2FA revolves around its “adversary-in-the-middle” (AitM) technique. This means it intercepts the communication between the user and the legitimate service, positioning itself as a man-in-the-middle to capture sensitive information.
Let’s take a closer look at how a typical attack unfolds.
Phishing Email
The initial stage of a Tycoon 2FA attack is a carefully crafted phishing email.
These emails are designed to look like legitimate communications from trusted sources. In fact, as observed by researchers at ANY.RUN, attackers often abuse legitimate services such as Amazon Simple Email Service to send their lures.
Above you can see a sandbox analysis session featuring a Tycoon 2FA initial email, posing as a message from Docusign, a popular service for signing documents electronically.
Inside, the user is met with a link leading to the next stage of the attack.
Chain of Redirects
Once a user clicks the malicious link, they are typically redirected through multiple pages before reaching the final phishing website.
This layering of redirects serves several purposes:
- Masking the true destination of the malicious link.
- Filtering out bots, avoiding detection by automated solutions, and increasing the likelihood of human interaction.
- Collecting additional user information, such as device details or IP address.
Tycoon 2FA attacks often feature a CAPTCHA challenge as one of the means of avoiding detection.
Thanks to ANY.RUN sandbox’s interactivity, we can manually solve the challenge to move on to the next part of the attack.
It is important to note that during the redirection stage, the threat also attempts to detect traffic coming from hosting infrastructure, such as a sandbox or another security solution. It does this by querying an IP-echo service such as httpbin[.]org and checking whether the visitor’s IP belongs to a hosting provider.
In case Tycoon 2FA detects hosting traffic, it redirects the user to a legitimate page.
To bypass this anti-analysis mechanism, we can simply enable the Residential Proxy feature in ANY.RUN.
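The redirect-chain behaviour described above (CAPTCHA gate, visitor-IP lookup, bail-out to a legitimate site when hosting traffic is detected) can be recognised mechanically from the request list of a sandbox session. The following triage helper is an added example and not ANY.RUN’s tooling; the captured request list, the `example` domains, and the host lists other than httpbin[.]org are constructed for illustration.

```python
"""Triage helper: scan the HTTP requests captured in a sandbox session for the
evasion markers of a Tycoon 2FA redirect chain and decide whether the run
should be repeated behind a residential proxy.

Added example, not ANY.RUN's code. The request list and the host sets (except
httpbin[.]org, which the article names) are constructed assumptions.
"""
from urllib.parse import urlparse

# Services a kit can query to learn the visitor's public IP before deciding
# whether it is talking to a sandbox. httpbin[.]org comes from the article;
# the other entries are assumed.
IP_ECHO_HOSTS = {"httpbin.org", "api.ipify.org", "ifconfig.me"}
# Hosts that indicate a CAPTCHA challenge was served (assumed list).
CAPTCHA_HOSTS = {"challenges.cloudflare.com", "www.google.com"}
# Legitimate destinations a kit bails out to when it believes it is being
# analysed (assumed list).
LEGIT_BAILOUT_HOSTS = {"www.microsoft.com", "www.office.com"}

# Constructed capture: (url, status, Location header or None), in request order.
# This models the evasive path: redirect, CAPTCHA, IP lookup, then a bail-out
# to a legitimate site instead of the phishing page.
CAPTURED_REQUESTS = [
    ("https://lure.example/invite?id=123", 302, "https://gate.example/step1"),
    ("https://gate.example/step1", 200, None),
    ("https://challenges.cloudflare.com/turnstile/v0/api.js", 200, None),
    ("https://httpbin.org/ip", 200, None),
    ("https://gate.example/step2", 302, "https://www.microsoft.com/"),
    ("https://www.microsoft.com/", 200, None),
]


def host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def triage(requests):
    """Return evasion markers found in an ordered request capture.

    A bail-out is only counted when the IP lookup happens *before* the
    redirect to a legitimate host, which is the order the kit uses.
    """
    hops = [(url, loc) for url, status, loc in requests if 300 <= status < 400 and loc]
    ip_check_at = next(
        (i for i, (url, _, _) in enumerate(requests) if host(url) in IP_ECHO_HOSTS), None
    )
    bailout_at = next(
        (i for i, (url, status, loc) in enumerate(requests)
         if 300 <= status < 400 and loc and host(loc) in LEGIT_BAILOUT_HOSTS),
        None,
    )
    captcha_seen = any(host(url) in CAPTCHA_HOSTS for url, _, _ in requests)
    anti_analysis_bailout = (
        ip_check_at is not None and bailout_at is not None and ip_check_at < bailout_at
    )

    if anti_analysis_bailout:
        verdict = "IP lookup followed by redirect to a legitimate site; rerun with a residential proxy"
    elif ip_check_at is not None:
        verdict = "visitor IP lookup observed; treat the chain as evasive"
    else:
        verdict = "no evasion markers found; continue to the final page"

    return {
        "hop_count": len(hops),
        "hops": hops,
        "captcha_seen": captcha_seen,
        "ip_check_seen": ip_check_at is not None,
        "anti_analysis_bailout": anti_analysis_bailout,
        "final_url": requests[-1][0],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(CAPTURED_REQUESTS).items():
        print(f"{key}: {value}")
```

Feed it the request list exported from a session (a HAR file reduces to the same three fields) and use the verdict to decide whether a residential-proxy rerun is worth the analyst’s time before the final page has even been reached.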
Final Phishing Page
One of the key features of Tycoon 2FA is convincing phishing pages mimicking those of Microsoft.
Pages are designed to look and feel exactly like the real login page, making it difficult for users to distinguish between the fake and the genuine.
To make the page appear even more believable, the threat uses legitimate services like mailmeteor[.]com to change the background and logo of the login page to match the victim’s organization (see the example).
Instead of simply stealing credentials, this phishing kit actively relays the captured information to the legitimate Microsoft service.
If the credentials and 2FA code are correct, Microsoft generates and returns a valid session cookie.
Tycoon 2FA intercepts the session cookie, allowing the attackers to control the victim’s account.
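Because the kit relays credentials and the 2FA code to Microsoft in real time and then reuses the returned cookie, the identity provider sees two things it can be told to look for: an MFA sign-in that originates from a hosting-provider address (the relay), and the resulting session being used from a different network shortly afterwards. The detection sketch below is an added example written for this article, not ANY.RUN’s or Microsoft’s code; the log schema (`ts`, `user`, `event`, `session_id`, `ip`, `ip_type`, `mfa`) and the sign-in events are constructed, and the field names must be mapped onto your own sign-in logs.

```python
"""Detection sketch: flag an MFA-backed session cookie being used from a
different network than the one that completed the sign-in, and MFA sign-ins
that arrive from hosting infrastructure.

Added example, not ANY.RUN's or Microsoft's code. The event schema and the
events themselves are constructed (RFC 5737 documentation addresses).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SIGNIN_EVENTS = [
    # alice completes MFA from a residential connection; four minutes later the
    # same session cookie is used from a hosting-provider address.
    {"ts": "2024-05-01T09:00:00Z", "user": "alice@corp.example", "event": "interactive_signin",
     "session_id": "S1", "ip": "203.0.113.10", "ip_type": "residential", "mfa": True},
    {"ts": "2024-05-01T09:04:00Z", "user": "alice@corp.example", "event": "token_use",
     "session_id": "S1", "ip": "198.51.100.77", "ip_type": "hosting", "mfa": False},
    # bob: ordinary activity, same address throughout.
    {"ts": "2024-05-01T10:00:00Z", "user": "bob@corp.example", "event": "interactive_signin",
     "session_id": "S2", "ip": "192.0.2.5", "ip_type": "residential", "mfa": True},
    {"ts": "2024-05-01T10:30:00Z", "user": "bob@corp.example", "event": "token_use",
     "session_id": "S2", "ip": "192.0.2.5", "ip_type": "residential", "mfa": False},
    # carol: the MFA sign-in itself comes from a hosting address (a relay), and
    # the cookie is then used from a residential one.
    {"ts": "2024-05-01T11:00:00Z", "user": "carol@corp.example", "event": "interactive_signin",
     "session_id": "S3", "ip": "198.51.100.80", "ip_type": "hosting", "mfa": True},
    {"ts": "2024-05-01T11:06:00Z", "user": "carol@corp.example", "event": "token_use",
     "session_id": "S3", "ip": "203.0.113.44", "ip_type": "residential", "mfa": False},
]


def _parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_session_replay(events, window: timedelta = timedelta(hours=1)):
    """Return a list of alert dicts for the two AitM signals described above."""
    alerts = []
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        by_session[ev["session_id"]].append(ev)

    for sid, evs in by_session.items():
        # The event that minted the session: an interactive sign-in where MFA passed.
        issued = next((e for e in evs if e["event"] == "interactive_signin" and e["mfa"]), None)
        if issued is None:
            continue

        if issued["ip_type"] == "hosting":
            alerts.append({
                "kind": "mfa_signin_from_hosting_ip", "severity": "medium",
                "user": issued["user"], "session_id": sid, "ip": issued["ip"],
            })

        t0 = _parse_ts(issued["ts"])
        for ev in evs:
            if ev is issued or ev["event"] == "interactive_signin":
                continue
            elapsed = _parse_ts(ev["ts"]) - t0
            # Same cookie, different source address, soon after MFA: replay candidate.
            if ev["ip"] != issued["ip"] and timedelta(0) <= elapsed <= window:
                alerts.append({
                    "kind": "session_replay",
                    "severity": "high" if ev["ip_type"] != issued["ip_type"] else "medium",
                    "user": ev["user"], "session_id": sid,
                    "issued_from": issued["ip"], "used_from": ev["ip"],
                    "minutes_after_mfa": int(elapsed.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SIGNIN_EVENTS):
        print(alert)
```

Expect noise from legitimate address changes (mobile roaming, corporate VPN toggling), which is why the example raises severity only when the network type changes as well; tune the window and add an allow-list of your own egress ranges before wiring this into an alerting pipeline.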
Tracking Tycoon 2FA Campaigns
Apart from analyzing emails and phishing pages relating to Tycoon 2FA attacks, you can also keep track of new and ongoing campaigns using Threat Intelligence Lookup.
The service provides you with access to a searchable 2TB database of continuously updated threat data, extracted from public ANY.RUN sandbox sessions.
Here is an example of a query that combines the name of the threat with a domain the attackers have used in many Tycoon 2FA campaigns to redirect users to phishing pages.
The service returns 86 domains, 7 IPs, and 85 viewable ANY.RUN sandbox sessions relating to the latest samples of Tycoon 2FA phishing attacks.
Try ANY.RUN Sandbox and Threat Intelligence Lookup
See how ANY.RUN’s interactive sandbox and TI Lookup can strengthen your organization’s capabilities to analyze and investigate emerging malware and phishing threats.
Request a 14-day free trial for your entire team to test everything the services have to offer.