Friday, May 23, 2025
HomeCyber Security NewsFake Timesheet Report Emails Linked to Tycoon 2FA Phishing Kit

Fake Timesheet Report Emails Linked to Tycoon 2FA Phishing Kit

Published on

SIEM as a Service

Follow Us on Google News

Cybersecurity researchers have uncovered a novel phishing campaign distributing the notorious Tycoon 2FA phishing kit through fraudulent timesheet notification emails, marking a concerning evolution in multi-layered credential theft operations. 

The operation utilizes Pinterest’s visual bookmarking service as an intermediary redirector, demonstrating attackers’ increasing sophistication in bypassing traditional email security filters.

Campaign Mechanics and Delivery Vector

The campaign begins with professionally crafted emails disguised as automated timesheet reports – a high-impact social engineering tactic given the near-universal use of timesheet systems in corporate environments.

- Advertisement - Google News

These messages utilize urgent language about payroll processing errors or approval deadlines to pressure recipients into clicking embedded “review” buttons.

Unlike traditional phishing links, the malicious URLs first redirect through a Pinterest subdomain (pin.it/7FwOYIHSO) before funneling victims to the final payload hosted on a compromised Russian domain (8a.nextwavxe.ru).

This multi-stage delivery chain serves dual purposes: Pinterest’s reputation as a benign platform helps evade email gateway detection, while the intermediate hop obscures the ultimate malicious destination from both users and security scanners.

SpiderLabs analysts confirm in their X platform that the final payload deploys Tycoon 2FA, a rapidly evolving phishing-as-a-service (PhaaS) kit capable of intercepting both credentials and time-based one-time passwords (TOTPs).

Technical Evolution of Tycoon 2FA

Recent iterations of the Tycoon framework incorporate advanced anti-detection features, including:

  • Obfuscated JavaScript that morphs payload signatures with each deployment
  • Geofencing capabilities blocking access from cybersecurity analyst hotspots
  • Adaptive form design mimicking legitimate Microsoft 365/Azure login portals

The kit now supports multi-platform credential harvesting beyond its original Microsoft 365 focus, with templates observed for Salesforce, Workday, and various banking portals.

This expansion suggests operator collaboration with ransomware affiliates seeking privileged network access.

The Pinterest intermediary tactic reflects a broader shift toward abusing legitimate cloud services for attack infrastructure.

Threat actors increasingly leverage platforms with established TLS certificates and clean domain reputations to:

  1. Bypass secure email gateway (SEG) URL analysis
  2. Defeat browser-based phishing protections
  3. Maintain operational flexibility through easily replaceable redirectors

As 2FA adoption increases globally, threat actors continue refining their toolkit techniques.

The Tycoon campaign demonstrates how cybercriminals are investing in infrastructure that blends seamlessly with legitimate corporate workflows, making traditional perimeter defenses insufficient.

Organizations must adopt behavior-based detection systems and implement the principle of least privilege access models to mitigate risks from these evolving credential theft operations.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

CefSharp Enumeration Tool Identifies Critical Security Issues in .NET Desktop Applications

Cybersecurity researchers and red teamers, a newly released tool named CefEnum is shedding light...

Russian Hackers Exploit Oracle Cloud Infrastructure to Target Scaleway Object Storage

Russian threat actors have been leveraging trusted cloud infrastructure platforms like Oracle Cloud Infrastructure...

Critical Vulnerability in Netwrix Password Manager Enables Authenticated Remote Code Execution

A critical security vulnerability has been discovered in Netwrix Password Secure, a widely used...

Cityworks Zero-Day Vulnerability Used by UAT-638 Hackers to Infect IIS Servers with Shell Malware

Cisco Talos has uncovered active exploitation of a zero-day remote-code-execution vulnerability, identified as CVE-2025-0994,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

CefSharp Enumeration Tool Identifies Critical Security Issues in .NET Desktop Applications

Cybersecurity researchers and red teamers, a newly released tool named CefEnum is shedding light...

Russian Hackers Exploit Oracle Cloud Infrastructure to Target Scaleway Object Storage

Russian threat actors have been leveraging trusted cloud infrastructure platforms like Oracle Cloud Infrastructure...

Critical Vulnerability in Netwrix Password Manager Enables Authenticated Remote Code Execution

A critical security vulnerability has been discovered in Netwrix Password Secure, a widely used...