Tycoon 2FA: The Evolving Threat Bypassing Multi-Factor Authentication

The cybersecurity landscape faces a growing threat as Tycoon 2FA, a sophisticated phishing-as-a-service (PhaaS) platform, continues to evolve and evade detection. A new report from Proofpoint highlights how this malicious kit is increasingly targeting Microsoft 365 and Gmail accounts, bypassing multi-factor authentication (MFA) and granting unauthorized access to sensitive systems and data.

How Tycoon 2FA Works

Tycoon 2FA operates by using an adversary-in-the-middle (AitM) approach. Its primary function is to harvest session cookies from Microsoft 365 and Gmail accounts. These cookies are crucial as they allow attackers to bypass MFA during subsequent authentications, granting them unauthorized access to user accounts, systems, and cloud services—even those secured with additional layers of protection.

The attacks typically use a reverse proxy setup on attacker-controlled infrastructure to host phishing webpages. As unsuspecting victims enter their credentials, these are intercepted and relayed to the legitimate service, which in turn prompts MFA requests. The session cookies captured during this process are then sent back to the attackers, who can use them to bypass MFA protections and gain unauthorized access to the accounts.

Recent Upgrades

By March 2024, the developers behind Tycoon 2FA had released an updated version of the phishing kit, which now includes advanced detection evasion capabilities. Significant alterations to the kit’s JavaScript and HTML codes have been made, employing obfuscation techniques to scramble the code and dynamic code generation that changes with each execution. These enhancements help the kit evade signature-based detection systems, making it a more elusive threat.

The PhaaS Model

The Tycoon 2FA kit is marketed on the encrypted messaging service Telegram, where phishing pages for Microsoft 365 and Gmail are sold. Starting at $120 for ten days of access, these phishing pages are made available with options based on different top-level domains (TLDs). This pricing model allows even those with limited technical skills to launch sophisticated phishing attacks, significantly broadening the pool of potential cybercriminals.

Real-World Attacks

Image: Proofpoint

Since December 2023, Proofpoint has observed various phishing landing pages that utilize Tycoon 2FA for MFA token theft and bypass. The lures employed in these attacks are cunningly designed to appear legitimate, including malicious links in emails leading to fake authentication pages, voicemail-themed threats, and attached PDFs containing QR codes that direct users to phishing sites. Themes of these lures often relate to enticing topics such as company bonuses, payroll increases, and false WordPress updates.

What You Can Do

• Be vigilant: Exercise caution with emails and links, especially those related to sensitive topics like finances or account updates.
• Enable Strong MFA: While Tycoon 2FA can bypass some MFA methods, using strong factors like hardware tokens or biometric authentication can provide additional protection.
• Educate Users: Train employees to recognize phishing attempts and the importance of MFA.
• Stay Updated: Keep your security software and systems up to date to ensure you have the latest protections against evolving threats.