Sunday, May 19, 2024

Tycoon 2FA Attacking Microsoft 365 AND Google Users To Bypass MFA

Tycoon 2FA, a recently emerged Phishing-as-a-Service (PhaaS) platform, targets Microsoft 365 and Gmail accounts, which leverage an Adversary-in-the-Middle (AitM) technique to steal user session cookies, bypassing multi-factor authentication (MFA) protections. 

By acting as an intermediary between the user and the legitimate login page, Tycoon 2FA captures cookies that grant attackers unauthorized access to compromised accounts and cloud services, even if additional security measures are implemented. 

The Tycoon 2FA phishing kit received an update in March 2024, specifically designed to bypass security defenses, and the update enhanced the kit’s evasion capabilities through obfuscated JavaScript and HTML code, making the code unreadable, hindering analysis.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Additionally, the update incorporated dynamic code generation, meaning the code rewrites itself upon each execution, which allows the kit to avoid detection by signature-based security systems. 

Tycoon 2FA to facilitate MFA token theft and bypass. 

On Telegram, it sells pre-made phishing pages targeting Microsoft 365 and Gmail credentials, which lowers the technical barrier for attackers by offering easy-to-use templates. 

Proofpoint TAP Dashboard campaign snapshot from December campaigns. 

The attack works through a reverse proxy, capturing login credentials and relaying them to the real service to bypass the login page, as the attackers steal the session cookies returned during successful logins, granting unauthorized access even with MFA enabled. 

It facilitates credential theft by bypassing multi-factor authentication (MFA), and attackers use various lures such as emails with fake authentication links, voicemail-themed threats, and PDFs with QR codes leading to phishing pages. 

QR code and voicemail lure examples for the Tycoon 2FA threats that were seen in late 2023. 

The pages often include CAPTCHAs to appear legitimate and steal login credentials and MFA tokens. Security researchers at Proofpoint identified rules to detect Tycoon landing pages based on these tactics. 

AI-powered behavioral analytics and a URL sandbox are used to identify and block malicious landing pages and phishing activity associated with Tycoon 2FA and similar threats that are achieved by combining threat intelligence with machine learning to recognize suspicious behaviors. 

Global threat intelligence feeds give information about bad infrastructure, which helps defenders stop known and new threats before they happen by making it easier to find them, fix problems, and manage human risk when it comes to new phishing techniques.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Website

Latest articles

Hackers Exploiting Docusign With Phishing Attack To Steal Credentials

Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make...

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles