Cybersecurity researchers have uncovered a novel phishing campaign distributing the notorious Tycoon 2FA phishing kit through fraudulent timesheet notification emails, marking a concerning evolution in multi-layered credential theft operations.
The operation utilizes Pinterest’s visual bookmarking service as an intermediary redirector, demonstrating attackers’ increasing sophistication in bypassing traditional email security filters.
Campaign Mechanics and Delivery Vector
The campaign begins with professionally crafted emails disguised as automated timesheet reports – a high-impact social engineering tactic given the near-universal use of timesheet systems in corporate environments.
.png
)
These messages utilize urgent language about payroll processing errors or approval deadlines to pressure recipients into clicking embedded “review” buttons.
Unlike traditional phishing links, the malicious URLs first redirect through a Pinterest subdomain (pin.it/7FwOYIHSO) before funneling victims to the final payload hosted on a compromised Russian domain (8a.nextwavxe.ru).
This multi-stage delivery chain serves dual purposes: Pinterest’s reputation as a benign platform helps evade email gateway detection, while the intermediate hop obscures the ultimate malicious destination from both users and security scanners.
SpiderLabs analysts confirm in their X platform that the final payload deploys Tycoon 2FA, a rapidly evolving phishing-as-a-service (PhaaS) kit capable of intercepting both credentials and time-based one-time passwords (TOTPs).
— SpiderLabs (@SpiderLabs) February 17, 2025
Phishing Alert: We’ve spotted fake timesheet report emails leading to the Tycoon 2FA phishing kit—now abusing Pinterest visual bookmarks as intermediaries.
Stay vigilant!
#IoCs:
pin[.]it/7FwOYIHSO⁰8a[.]nextwavxe[.]ru/zz4bnhS7UpYZhbV4xqA/#CyberSecurity #Phishing… pic.twitter.com/B2rfb412cx
Technical Evolution of Tycoon 2FA
Recent iterations of the Tycoon framework incorporate advanced anti-detection features, including:
- Obfuscated JavaScript that morphs payload signatures with each deployment
- Geofencing capabilities blocking access from cybersecurity analyst hotspots
- Adaptive form design mimicking legitimate Microsoft 365/Azure login portals
The kit now supports multi-platform credential harvesting beyond its original Microsoft 365 focus, with templates observed for Salesforce, Workday, and various banking portals.
This expansion suggests operator collaboration with ransomware affiliates seeking privileged network access.
The Pinterest intermediary tactic reflects a broader shift toward abusing legitimate cloud services for attack infrastructure.
Threat actors increasingly leverage platforms with established TLS certificates and clean domain reputations to:
- Bypass secure email gateway (SEG) URL analysis
- Defeat browser-based phishing protections
- Maintain operational flexibility through easily replaceable redirectors
As 2FA adoption increases globally, threat actors continue refining their toolkit techniques.
The Tycoon campaign demonstrates how cybercriminals are investing in infrastructure that blends seamlessly with legitimate corporate workflows, making traditional perimeter defenses insufficient.
Organizations must adopt behavior-based detection systems and implement the principle of least privilege access models to mitigate risks from these evolving credential theft operations.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
