'Tycoon' Malware Kit Bypasses Microsoft, Google MFA

Threat actors are widely adopting an emerging adversary-in-the-middle (AitM) phishing kit sold on Telegram to blitz Microsoft 365 and Gmail email accounts with threat campaigns that can bypass multifactor authentication (MFA) protections.

The "Tycoon 2FA" phishing-as-a-service (PhaaS) platform has been active since at least last August but was updated as recently as last month to enhance its obfuscation and anti-detection capabilities, researchers from Sekoia revealed in a blog post published March 26.

"Tycoon 2FA became widespread in the months following its release and is currently massively used in numerous phishing campaigns," Sekoia cyber-threat analyst Quentin Bourgue and researchers from the Threat Detection & Research team wrote in the post. "It mainly aims to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication."

Between October 2023 and late February, the platform racked up more than 1,100 domain names and has widespread distribution by its operator via Telegram using various handles, including Tycoon Group, SaaadFridi, and Mr_XaaD. The kit's operator also regularly publishes changelogs about the latest updates of Tycoon 2FA in a Telegram channel.

“While MFA increases security compared to single-factor authentication, sophisticated attacks involving AitM techniques exemplified by the Tycoon 2FA phishing kit can easily bypass most MFA protections," notes Ted Miracco, CEO of mobile security firm Approov.

Phishing Kit Combines Low Cost & Ease of Use

The threat actor uses the chat platform to sell ready-to-use Microsoft 365 and Gmail phishing pages, as well as attachment templates, at the starting price of $120 for 10 days, with prices increasing depending on the top-level domain (TLD) and typically maxing out at $320. The phishing service also provides several domain name extensions, including .ru, .su, .fr, .com, .net, and .org.

Payments are handled via a Bitcoin wallet controlled by the "Saad Tycoon Group," which the researchers believe is the Tycoon 2FA operator and developer. As of mid-March, the wallet has recorded more than 1,800 transactions, including 1,117 inputs and 1,088 outputs, the researchers said.

The phishing kit relies on the AitM technique and uses an attacker server, or a reverse proxy server, to host the phishing webpage, intercepting victims' inputs and relaying them to the legitimate service, and then prompting the MFA request.

"Once the user completes the MFA challenge, and the authentication is successful, the server in the middle captures session cookies," the researchers wrote. "Stolen cookies allow attackers to replay a session and therefore bypass the MFA, even if credentials have been changed in between."

Worse, the latest version of Tycoon 2FA is gaining traction among threat actors and posing a significant phishing threat, thanks to enhanced stealth capabilities that reduce the detection rate by security products of the kit's phishing pages and infrastructure, the researchers said. "Additionally, its ease of use and its relatively low price make it quite popular among threat actors," they added.

Tycoon's Six-Stage Phishing Attack Sequence

The researchers outlined a six-stage process for how the kit builds a phishing attack, starting with Stage 0, which is the spread of phishing pages that use redirections from URLs and QR codes embedded in email attachments or email bodies.

Stage 1 is a "Cloudflare Turnstile challenge" — used as a replacement for a CAPTCHA challenge — in which users clicking on the phishing URL are redirected to a page embedding such a challenge to prevent unwanted traffic. Stage 2 then executes a JavaScript code in the background that's not visible to the user, to redirect the target to another page.

Stage 3 of the attack is a yet another background redirect that leads the target to another webpage of the phishing domain. From there, Stage 4 offers a fake Microsoft authentication login page via HTML code that embeds a deobfuscation function and obfuscated HTML code.

The MFA aspect that's key to the kit occurs in Stage 5 of the attack vector, in which the JavaScript code interacts with the HTML of the previous stage to build and display the Microsoft MFA page, which prompts the user to authenticate themselves. Finally, Stage 6 redirects the user one last time, in this case to a legitimate URL so the victim doesn’t realize the previous page was malicious.

But MFA Is Secure ... or Is It?

The rising prominence of a phishing kit like Tycoon 2FA demonstrates how threat actors are getting around MFA techniques that security pros recommend for authentication since they are more secure than just passwords, which can be easily cracked. The growing sophistication of threat actors is now putting even 2FA and MFA techniques at risk.

However, some forms of MFA are more resistant to phishing attacks than others, and knowing this, enterprises can aim to protect themselves accordingly, Approov's Miracco says.

"Security keys that implement WebAuthn/FIDO2 standards offer a higher level of protection, as they require the website to prove its identity to the key, which makes it significantly more difficult for attackers to intercept or replicate the MFA process," he says.

To help organizations flag Tycoon 2FA activity, Sekoia has posted a list of indicators of compromise (IoCs) on its GitHub page, including URLs associated with Tycoon 2FA phishing-kit campaigns.