There’s a new player in the cyber threat landscape. Known as “Tycoon 2FA”, this adversary-in-the-middle (AitM) phishing kit is being adopted by threat actors at an alarming rate. Its primary targets? Microsoft 365 and Gmail email accounts. Even more concerning, it’s capable of bypassing multifactor authentication (MFA) protections.
The Rise of Tycoon 2FA
First appearing on the scene in August of last year, Tycoon 2FA has been continually updated to improve its obfuscation and anti-detection capabilities. These updates have made it a popular choice for threat actors, leading to its widespread use in numerous phishing campaigns.
How Does Tycoon 2FA Work?
The main goal of Tycoon 2FA is to harvest Microsoft 365 session cookies. This allows it to bypass the MFA process during subsequent authentication attempts. From October 2023 to late February, the platform registered more than 1,100 domain names and has been widely distributed by its operator via Telegram using various handles, including Tycoon Group, SaaadFridi, and Mr_XaaD.
MFA: Not a Silver Bullet
While MFA does increase security compared to single-factor authentication, sophisticated attacks involving AitM techniques, like those used by Tycoon 2FA, can easily bypass most MFA protections. This is a sobering reminder that even the most robust security measures are not infallible.
Phishing Kit: Low Cost, High Threat
The threat actor uses Telegram to sell ready-to-use Microsoft 365 and Gmail phishing pages, as well as attachment templates. The starting price is just $120 for 10 days, with prices increasing depending on the top-level domain (TLD), typically maxing out at $320. The service also offers several domain name extensions, including .ru, .su, .fr, .com, .net, and .org.
Following the Money
Payments are handled via a Bitcoin wallet controlled by the “Saad Tycoon Group,” believed to be the Tycoon 2FA operator and developer. As of mid-March, the wallet has recorded more than 1,800 transactions.
The AitM Technique
The phishing kit uses an attacker server, or a reverse proxy server, to host the phishing webpage. It intercepts victims’ inputs and relays them to the legitimate service, then prompts the MFA request. Once the user completes the MFA challenge and the authentication is successful, the server captures session cookies. These stolen cookies allow attackers to replay a session and bypass the MFA, even if credentials have been changed in between.
A Growing Threat
The latest version of Tycoon 2FA is gaining traction among threat actors and posing a significant phishing threat. Its enhanced stealth capabilities reduce the detection rate by security products, making it a formidable adversary in the cyber threat landscape.
Tycoon’s Seven-Stage Phishing Attack Sequence
Researchers have dissected the Tycoon 2FA phishing kit, revealing a seven-stage process that it uses to build a phishing attack.
- Spreading the Net – The attack begins with the spread of phishing pages that use redirections from URLs and QR codes embedded in email attachments or email bodies.
- The Cloudflare Turnstile Challenge – Users clicking on the phishing URL are redirected to a page embedding a “Cloudflare Turnstile challenge”. This challenge, used as a replacement for a CAPTCHA challenge, is designed to prevent unwanted traffic.
- The Invisible Redirect – A JavaScript code is executed in the background, invisible to the user, to redirect the target to another page.
- Another Background Redirect – The target is led to another webpage of the phishing domain through yet another background redirect.
- The Fake Login Page – A fake Microsoft authentication login page is offered via HTML code that embeds a deobfuscation function and obfuscated HTML code.
- The MFA Prompt – The JavaScript code interacts with the HTML of the previous stage to build and display the Microsoft MFA page, which prompts the user to authenticate themselves.
- The Final Redirect – The user is redirected one last time, in this case to a legitimate URL, so the victim doesn’t realize the previous page was malicious.
MFA: A Secure Solution?
The rising prominence of a phishing kit like Tycoon 2FA demonstrates how threat actors are circumventing MFA techniques. These techniques are recommended by security professionals for authentication as they are more secure than just passwords, which can be easily cracked. However, the growing sophistication of threat actors is now putting even 2FA and MFA techniques at risk.
Not All MFA Is Created Equal
Some forms of MFA are more resistant to phishing attacks than others. Knowing this, enterprises can aim to protect themselves accordingly. “Security keys that implement WebAuthn/FIDO2 standards offer a higher level of protection, as they require the website to prove its identity to the key, which makes it significantly more difficult for attackers to intercept or replicate the MFA process,” says Ted Miracco, CEO of mobile security firm Approov.
Flagging Tycoon 2FA Activity
To help organizations identify Tycoon 2FA activity, Sekoia has posted a list of indicators of compromise (IoCs) on its GitHub page, including URLs associated with Tycoon 2FA phishing kit campaigns.