New Phishing-as-a-Service Kits Bypass MFA & Target Microsoft 365 Users Globally!
Ddos 
Overview of Tycoon 2FA PhaaS Operation | Image: Trustwave
Since September 2023, Trustwave’s Threat Intelligence Team has been tracking a sophisticated phishing ecosystem operated by Storm-1575, the threat actor group responsible for Dadsec and the emerging Tycoon2FA platforms. These Phishing-as-a-Service (PhaaS) kits are redefining adversary-in-the-middle (AiTM) tactics by bypassing multifactor authentication (MFA) and targeting Microsoft 365 users on a global scale.
“The infrastructure used by Dadsec is also connected to a new campaign leveraging the Tycoon2FA Phishing-as-a-Service platform,” the report states.
Both Tycoon2FA and Dadsec offer criminal affiliates a user-friendly interface, custom phishing templates, and automated credential harvesting features. Trustwave’s analysis highlights the overlapping infrastructure between both platforms:
- Shared use of PHP payloads like res444.php, cllascio.php, and .000.php
- Common URL structure with obfuscated victim email identifiers
- Domains registered under .RU TLDs using open-source hosting tools like CyberPanel
“The repeated use of identical templates across multiple domains suggests a centralized phishing infrastructure,” the report explains.
At the main of Tycoon2FA’s success is its AiTM capability. When victims are tricked into entering their credentials:
“Once the user completes the MFA challenge and authentication is successful, the attacker-controlled server captures session cookies… enabling attackers to bypass MFA, even if the victim later changes their credentials.”
The phishing kit dynamically mimics legitimate Microsoft login portals, sometimes pre-filling user emails for added believability, and silently captures sensitive authentication tokens in real time.
Multi-Stage Phishing: From Email Lure to Data Exfiltration
Stage 1 – Initial Access
Emails contain HTML or PDF attachments luring victims with HR, finance, or security-themed messages. JavaScript embedded in these files dynamically retrieves phishing payloads through obfuscated and Base64-encoded scripts.
Stage 2 – CAPTCHA and Information Harvesting
Users are served a custom Cloudflare Turnstile challenge, used both for anti-bot screening and for gathering:
- IP addresses
- User agents
- Referrer data
Stage 3 – Anti-Analysis and Obfuscation
Advanced scripts detect penetration testing tools and disable web inspection functions, such as right-click menus and keystroke logging attempts.
“This script is designed to execute multiple defense evasion techniques to detect automated analysis tools, restrict manual inspection, and disrupt security research efforts.”
Stage 4 – Credential Theft
If email credentials are available or captured in real time, the phishing site initiates a fully functional auto-login interface or fallback media/document interface, tricking users into thinking they’re accessing real services.
Stage 5 – Enumeration & Exfiltration
The stolen data—including email, password, IP address, and geolocation—is AES-encrypted and transmitted via AJAX requests to the attacker-controlled C2 infrastructure.
“The script is also capable of sending a GET request to ‘geojs’… [returning] details such as country, region, and city.”
Trustwave confirms a rapid spike in Tycoon2FA activity from July 2024 to March 2025, marking it as one of the most active phishing kits currently tracked.
Tycoon2FA and Dadsec reflect a new era in phishing—automated, evasive, and built to scale. By integrating session hijacking and robust evasion mechanisms, Storm-1575 has blurred the lines between social engineering and nation-grade exploitation techniques.
Organizations must enhance their detection pipelines to recognize AiTM phishing, track PHP-based payloads, and monitor for suspicious Cloudflare challenge events. Zero-trust principles and behavior-based analytics are essential to thwart these advanced phishing operations.
Related Posts:
- AiTM Attacks Bypass MFA Despite Widespread Adoption
- SVG Phishing Surge: How Image Files Are Being Weaponized to Steal Credentials
- CAPTCHA to Command: Trustwave Uncovers Stealthy NodeJS Backdoor Campaign
- The Rise of Phishing-as-a-Service: How Cybercriminals are Outsourcing Attacks
- Tycoon 2FA: The Evolving Threat Bypassing Multi-Factor Authentication
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
