Monday, March 10, 2025
Homecyber securityTycoon 2FA Attacking Microsoft 365 AND Google Users To Bypass MFA

Tycoon 2FA Attacking Microsoft 365 AND Google Users To Bypass MFA

Published on

SIEM as a Service

Follow Us on Google News

Tycoon 2FA, a recently emerged Phishing-as-a-Service (PhaaS) platform, targets Microsoft 365 and Gmail accounts, which leverage an Adversary-in-the-Middle (AitM) technique to steal user session cookies, bypassing multi-factor authentication (MFA) protections. 

By acting as an intermediary between the user and the legitimate login page, Tycoon 2FA captures cookies that grant attackers unauthorized access to compromised accounts and cloud services, even if additional security measures are implemented. 

The Tycoon 2FA phishing kit received an update in March 2024, specifically designed to bypass security defenses, and the update enhanced the kit’s evasion capabilities through obfuscated JavaScript and HTML code, making the code unreadable, hindering analysis.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Additionally, the update incorporated dynamic code generation, meaning the code rewrites itself upon each execution, which allows the kit to avoid detection by signature-based security systems. 

Tycoon 2FA to facilitate MFA token theft and bypass. 

On Telegram, it sells pre-made phishing pages targeting Microsoft 365 and Gmail credentials, which lowers the technical barrier for attackers by offering easy-to-use templates. 

Proofpoint TAP Dashboard campaign snapshot from December campaigns. 

The attack works through a reverse proxy, capturing login credentials and relaying them to the real service to bypass the login page, as the attackers steal the session cookies returned during successful logins, granting unauthorized access even with MFA enabled. 

It facilitates credential theft by bypassing multi-factor authentication (MFA), and attackers use various lures such as emails with fake authentication links, voicemail-themed threats, and PDFs with QR codes leading to phishing pages. 

QR code and voicemail lure examples for the Tycoon 2FA threats that were seen in late 2023. 

The pages often include CAPTCHAs to appear legitimate and steal login credentials and MFA tokens. Security researchers at Proofpoint identified rules to detect Tycoon landing pages based on these tactics. 

AI-powered behavioral analytics and a URL sandbox are used to identify and block malicious landing pages and phishing activity associated with Tycoon 2FA and similar threats that are achieved by combining threat intelligence with machine learning to recognize suspicious behaviors. 

Global threat intelligence feeds give information about bad infrastructure, which helps defenders stop known and new threats before they happen by making it easier to find them, fix problems, and manage human risk when it comes to new phishing techniques.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Critical Microsoft’s Time Travel Debugging Tool Vulnerability Let Attackers Mask Detection

Microsoft’s Time Travel Debugging (TTD) framework, a powerful tool for recording and replaying Windows...

ServiceNow Acquires Moveworks for $2.85 Billion to Boost AI Capabilities

In a landmark move to strengthen its position in the rapidly evolving artificial intelligence...

Apple iOS 18.4 Beta 3 Released – What’s New!

Apple released iOS 18.4 Beta 3 on March 10, 2025, for developers, with a...

Researcher Hacks Embedded Devices to Uncover Firmware Secrets

In a recent exploration of embedded device hacking, a researcher demonstrated how to extract...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Researcher Hacks Embedded Devices to Uncover Firmware Secrets

In a recent exploration of embedded device hacking, a researcher demonstrated how to extract...

North Korean Hackers Use ZIP Files to Deploy Malicious PowerShell Scripts

North Korean state-sponsored hackers, known as APT37 or ScarCruft, have been employing sophisticated tactics...

Ragnar Loader Used by Multiple Ransomware Groups to Bypass Detection

Ragnar Loader, a sophisticated toolkit associated with the Ragnar Locker ransomware group, has been...