
Overview of Tycoon 2FA PhaaS Operation | Image: Trustwave
Since September 2023, Trustwave’s Threat Intelligence Team has been tracking a sophisticated phishing ecosystem operated by Storm-1575, the threat actor group responsible for Dadsec and the emerging Tycoon2FA platforms. These Phishing-as-a-Service (PhaaS) kits are redefining adversary-in-the-middle (AiTM) tactics by bypassing multifactor authentication (MFA) and targeting Microsoft 365 users on a global scale.
“The infrastructure used by Dadsec is also connected to a new campaign leveraging the Tycoon2FA Phishing-as-a-Service platform,” the report states.
Both Tycoon2FA and Dadsec offer criminal affiliates a user-friendly interface, custom phishing templates, and automated credential harvesting features. Trustwave’s analysis highlights the overlapping infrastructure between both platforms:
- Shared use of PHP payloads like res444.php, cllascio.php, and .000.php
- Common URL structure with obfuscated victim email identifiers
- Domains registered under .RU TLDs using open-source hosting tools like CyberPanel
“The repeated use of identical templates across multiple domains suggests a centralized phishing infrastructure,” the report explains.
At the core of Tycoon2FA’s success is its AiTM capability. Once victims are tricked into entering their credentials:
“Once the user completes the MFA challenge and authentication is successful, the attacker-controlled server captures session cookies… enabling attackers to bypass MFA, even if the victim later changes their credentials.”
The phishing kit dynamically mimics legitimate Microsoft login portals, sometimes pre-filling user emails for added believability, and silently captures sensitive authentication tokens in real time.
Multi-Stage Phishing: From Email Lure to Data Exfiltration
Stage 1 – Initial Access
Emails contain HTML or PDF attachments luring victims with HR, finance, or security-themed messages. JavaScript embedded in these files dynamically retrieves phishing payloads through obfuscated and Base64-encoded scripts.
Stage 2 – CAPTCHA and Information Harvesting
Users are served a custom Cloudflare Turnstile challenge, used both for anti-bot screening and for gathering:
- IP addresses
- User agents
- Referrer data
Stage 3 – Anti-Analysis and Obfuscation
Advanced scripts detect penetration-testing tools and disable web-inspection functions, such as right-click context menus, and block keystroke-based inspection attempts.
“This script is designed to execute multiple defense evasion techniques to detect automated analysis tools, restrict manual inspection, and disrupt security research efforts.”
Stage 4 – Credential Theft
If email credentials are already available or are captured in real time, the phishing site presents a fully functional auto-login interface or, as a fallback, a media/document viewer interface, so victims believe they are accessing a legitimate service.
Stage 5 – Enumeration & Exfiltration
The stolen data—including email, password, IP address, and geolocation—is AES-encrypted and transmitted via AJAX requests to the attacker-controlled C2 infrastructure.
“The script is also capable of sending a GET request to ‘geojs’… [returning] details such as country, region, and city.”
Trustwave confirms a rapid spike in Tycoon2FA activity from July 2024 to March 2025, marking it as one of the most active phishing kits currently tracked.
Tycoon2FA and Dadsec reflect a new era in phishing—automated, evasive, and built to scale. By integrating session hijacking and robust evasion mechanisms, Storm-1575 has blurred the lines between social engineering and nation-grade exploitation techniques.
Organizations must enhance their detection pipelines to recognize AiTM phishing, track PHP-based payloads, and monitor for suspicious Cloudflare challenge events. Zero-trust principles and behavior-based analytics are essential to thwart these advanced phishing operations.
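As an added defender-side example (not code from the Trustwave report), the following Python scans constructed proxy-log lines for the shared PHP payload file names and .RU-hosted domains the report associates with Dadsec and Tycoon2FA, and tries to recover the targeted mailbox so sessions can be revoked; that the victim identifier is a Base64 query-string value is an assumption made for this example.

```python
import re
import base64
from urllib.parse import urlparse, parse_qs

# Payload file names the report ties to the shared Dadsec/Tycoon2FA infrastructure.
PHAAS_PAYLOADS = {"res444.php", "cllascio.php", ".000.php"}

# Constructed proxy log lines (not real traffic): "ts src_ip method url user_agent"
SAMPLE_LOG = """\
2025-03-02T09:14:05Z 10.1.2.3 GET http://example-update.ru/res444.php?id=am9obi5kb2VAY29ycC5leGFtcGxl Mozilla/5.0
2025-03-02T09:14:09Z 10.1.2.3 POST http://example-update.ru/cllascio.php Mozilla/5.0
2025-03-02T09:15:11Z 10.1.2.7 GET https://intranet.corp.example/index.php Mozilla/5.0
2025-03-02T09:16:40Z 10.1.2.9 GET http://cdn.example.ru/.000.php Mozilla/5.0
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ua>.*)$")

def decode_identifier(url):
    """Best-effort recovery of a Base64 victim identifier from the query string.
    That the kit encodes the address this way is an assumption for this example."""
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            try:
                padded = v + "=" * (-len(v) % 4)
                text = base64.b64decode(padded, validate=True).decode("ascii")
            except Exception:  # not valid Base64 or not printable text
                continue
            if "@" in text:
                return text
    return None

def scan_log(log_text):
    """Return one finding per request whose path ends in a known PhaaS payload name."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m["url"])
        filename = parsed.path.rsplit("/", 1)[-1]
        if filename not in PHAAS_PAYLOADS:
            continue
        host = parsed.hostname or ""
        findings.append({
            "ts": m["ts"], "src": m["src"], "host": host, "payload": filename,
            "ru_tld": host.endswith(".ru"),          # report: domains registered under .RU
            "victim": decode_identifier(m["url"]),   # account to reset / sessions to revoke
        })
    return findings
```

Each finding carries the source IP and, where recoverable, the targeted address, which is what an incident responder needs to revoke the user's active sessions rather than only resetting the password.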