Malware

Tycoon 2FA

Author: Infinit3i

Start Date:

Most Recent Activity:

Executive Summary

Tycoon 2FA is an Adversary-in-the-Middle (AiTM) phishing kit sold as phishing-as-a-service (PhaaS). It targets Microsoft 365 and Gmail by proxying legitimate login flows to intercept credentials and authenticated session cookies, enabling multi-factor authentication bypass without the need to exploit software vulnerabilities. The kit has reportedly been advertised on Telegram for prices as low as $120.



Overview

Description

Type: Phishing Kit / AiTM / PhaaS

Delivery:
Email lures containing links or QR codes that direct victims to branded phishing landing pages, often fronted with CAPTCHA or traffic-filtering stages

Capabilities:
Credential theft, MFA challenge interception, session cookie harvesting, operator dashboard management, reverse-proxy phishing, token replay support

Notable Characteristics:
Uses reverse-proxy login pages to relay live authentication sessions, captures credentials and session tokens, and commonly relies on rotating domains, CAPTCHA gates, and obfuscation or link-gating to reduce detection.



Attack Flow

Flow
Loading screen → CAPTCHA gate (hosted at a .ru address) → Email login → Password → Session cookie theft
  • Victim is lured through email or QR-code based phishing content
  • User is directed to a landing page that may include a loading screen or CAPTCHA gate
  • Victim is proxied to a fake but convincing email login page
  • Credentials and MFA interactions are relayed through the attacker-controlled reverse proxy
  • Session cookies are harvested and later replayed to bypass MFA protections


MITRE ATT&CK Techniques

MITRE ATT&CK


Mitigations

Mitigations
  • Phishing-resistant MFA: Enforce FIDO2 or WebAuthn and phase out SMS, voice, and one-time passcode methods where feasible
  • Conditional Access and Token Hardening: Require device compliance, location, ASN, and risk-based checks; reduce token lifetimes; use continuous access evaluation; revoke refresh tokens on suspicion
  • OAuth Governance: Disable user consent by default, require admin approval for new applications, and monitor for newly granted consents
  • Email and Domain Controls: Enforce DMARC, DKIM, and SPF; block newly registered and look-alike domains; inspect QR-code attachments and embedded links
  • User Awareness: Train users to recognize AiTM phishing signs while assuming clicks will still occur, and prioritize post-authentication detection and rapid token revocation
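As an added example that is not part of the original page or any vendor's detection content, the following post-authentication check runs over constructed sign-in events (field names are hypothetical, loosely modelled on identity-provider sign-in logs). It flags a session that was established with MFA from one network and then reused from a different ASN within a short window, which is the pattern a replayed AiTM-harvested session cookie produces.

```python
"""Flag AiTM-style session replay: an MFA-satisfied interactive sign-in
followed by the same session being used from a different ASN. The events
below are constructed sample data, not real telemetry; field names are
hypothetical approximations of identity-provider sign-in logs."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample input
    {"time": "2024-05-01T09:00:00Z", "user": "alice@example.com", "session_id": "S1",
     "ip": "203.0.113.10", "asn": 64500, "interactive": True, "mfa": "satisfied"},
    {"time": "2024-05-01T09:04:00Z", "user": "alice@example.com", "session_id": "S1",
     "ip": "198.51.100.7", "asn": 64511, "interactive": False, "mfa": "claim_in_token"},
    {"time": "2024-05-01T10:00:00Z", "user": "bob@example.com", "session_id": "S2",
     "ip": "203.0.113.20", "asn": 64500, "interactive": True, "mfa": "satisfied"},
    {"time": "2024-05-01T10:30:00Z", "user": "bob@example.com", "session_id": "S2",
     "ip": "203.0.113.20", "asn": 64500, "interactive": False, "mfa": "claim_in_token"},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_session_replay(events, window=timedelta(hours=24)):
    """Return one alert per later use of a session from an ASN that differs
    from the ASN of the MFA-satisfied sign-in that created it, within window."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        # The origin is the first interactive sign-in where MFA was actually completed.
        origin = next((e for e in evs if e["interactive"] and e["mfa"] == "satisfied"), None)
        if origin is None:
            continue
        t0 = parse_time(origin["time"])
        for e in evs:
            t = parse_time(e["time"])
            if t <= t0 or t - t0 > window:
                continue
            if e["asn"] != origin["asn"]:  # same session, different network vantage
                alerts.append({"user": e["user"], "session_id": sid,
                               "origin_ip": origin["ip"], "replay_ip": e["ip"],
                               "minutes_after_mfa": (t - t0).total_seconds() / 60})
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_EVENTS):
        print(alert)
```

An alert here is a trigger for the token revocation the mitigations list calls for, not a verdict on its own; legitimate ASN changes (roaming between home and mobile networks) should be tuned out with an allow-list of known user networks.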


Detections

Detection Rules

Rule | View | Download
YARA | N/A  | N/A

Research & References

References
This post is licensed under CC BY 4.0 by the author.