UPDATED 19:50 EDT / MARCH 25 2024

SECURITY

Newly detailed ‘Tycoon 2FA’ phishing kit bypasses multifactor authentication

Cybersecurity researchers at Sekoia ApS’ Threat Detection & Research team are warning of a new adversary-in-the-middle (AiTM) phishing kit that multiple threat actors are using to conduct effective attacks.

Called “Tycoon 2FA,” the phishing kit has been active since at least August 2023 and is now said to be one of the most prevalent AiTM phishing kits, with more than 1,100 domain names detected between October 2023 and February 2024.

Tycoon 2FA operates in several stages. The victim is first lured to a page fronted by a Cloudflare security challenge, which the operators use to keep automated scanners and other unwanted traffic away from the phishing content. Past that gate, the victim lands on a fake Microsoft authentication page where their credentials are harvested. The kit then relays those credentials to the legitimate Microsoft authentication service in the victim’s name; because the victim completes the MFA prompt against the real service, the kit can intercept the session cookie issued afterward and use it to bypass multifactor authentication.
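The stage that matters most to defenders is the last one: the identity provider records a successful, MFA-satisfied sign-in, so “did MFA pass?” is the wrong question. What gives the attack away is where the session is used afterward. The Python below is an added example, not code from Sekoia or from this article. It runs a session-reuse check over a handful of constructed sign-in records whose field names are hypothetical (not a real identity provider’s log schema) and flags a session whose cookie is used from a different IP shortly after the interactive sign-in, while leaving a slow, roaming-style IP change alone.

```python
"""Flag session-cookie reuse consistent with AiTM phishing.

Added example, not Sekoia's or SiliconANGLE's code. In an AiTM attack the
phishing proxy authenticates to the real identity provider, so the sign-in
is recorded as MFA-satisfied, and the captured session cookie is then
replayed by the attacker. The indicator below is the cookie being used from
a different IP shortly after the sign-in. The field names are hypothetical,
not a real identity provider's log schema, and the events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: s-41 is the AiTM pattern, s-42 is a normal session,
# s-43 is a user whose IP changed hours later (roaming, not an alert).
EVENTS = [
    {"ts": "2024-02-12T08:01:10Z", "user": "alice@example.com", "session": "s-41",
     "ip": "203.0.113.7", "kind": "interactive_signin", "mfa": True},
    {"ts": "2024-02-12T08:02:30Z", "user": "alice@example.com", "session": "s-41",
     "ip": "198.51.100.23", "kind": "token_use"},
    {"ts": "2024-02-12T09:15:00Z", "user": "bob@example.com", "session": "s-42",
     "ip": "192.0.2.10", "kind": "interactive_signin", "mfa": True},
    {"ts": "2024-02-12T09:40:00Z", "user": "bob@example.com", "session": "s-42",
     "ip": "192.0.2.10", "kind": "token_use"},
    {"ts": "2024-02-12T10:00:00Z", "user": "carol@example.com", "session": "s-43",
     "ip": "192.0.2.55", "kind": "interactive_signin", "mfa": True},
    {"ts": "2024-02-12T16:30:00Z", "user": "carol@example.com", "session": "s-43",
     "ip": "192.0.2.77", "kind": "token_use"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_sessions(events, window_minutes=30):
    """Return one alert per session whose cookie is used from an IP other
    than the one that performed the interactive sign-in, within the window.

    A short window keeps ordinary roaming (VPN connect, office to home) out
    of the alert list; AiTM replay typically follows the sign-in quickly.
    """
    window = timedelta(minutes=window_minutes)
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    alerts = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: parse_ts(e["ts"]))
        signins = [e for e in session_events if e["kind"] == "interactive_signin"]
        if not signins:
            continue  # no sign-in seen for this session; nothing to compare
        signin = signins[0]
        signin_time = parse_ts(signin["ts"])
        for event in session_events:
            if event["kind"] != "token_use" or event["ip"] == signin["ip"]:
                continue
            elapsed = parse_ts(event["ts"]) - signin_time
            if timedelta(0) <= elapsed <= window:
                alerts.append({
                    "session": session_id,
                    "user": signin["user"],
                    "signin_ip": signin["ip"],
                    "reuse_ip": event["ip"],
                    "seconds_after_signin": int(elapsed.total_seconds()),
                    # MFA was satisfied: the victim completed it for the proxy.
                    "mfa_satisfied": bool(signin.get("mfa", False)),
                })
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(EVENTS):
        print(alert)
```

Run as a script it prints the single alert for session s-41. The `mfa_satisfied` field is deliberately carried into the alert: it is a reminder that the MFA flag cannot be used to suppress the finding, because in an AiTM compromise it is always true. Widening `window_minutes` trades false negatives for false positives; with an eight-hour window the roaming session s-43 is flagged too.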

The kit is also evolving. Updates observed in February are said to have enhanced its capabilities by reorganizing how resources are retrieved, expanding traffic filtering and refining stealth tactics to evade analysis. Notable changes include modifications to the JavaScript and HTML code, splitting the JavaScript into separate download stages that handle the 2FA relay and data transmission, and broader filtering that identifies unwanted traffic patterns and turns them away to avoid detection.

The Sekoia researchers warn that Tycoon 2FA poses a significant threat because of its sophisticated techniques and potential connections with other known phishing platforms. “We expect the Tycoon 2FA PhaaS to remain a prominent threat within the AiTM phishing market in 2024,” the researchers add.

Max Gannon, cyber intelligence analysis manager at phishing detection and response solutions company Cofense Inc., told SiliconANGLE that “these multifactor authentication bypass kits are undoubtedly effective, which has likely led to some people claiming it is a failure on the part of the MFA. However, MFA prevents someone with stolen credentials from accessing resources without authorization.”

“When victims fall prey to these MFA bypass phishing attacks, they effectively log themselves in and authorize the access that MFA simply can’t protect against,” Gannon explains. “These kits essentially reset the phishing arms race to where we were before the advent of MFA, where the key factor to preventing account compromise is the person being phished.”

Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., commented that the attack method “demonstrates why it is important to educate people on how to spot and report email phishing attacks, even if they have 2FA enabled. Many people mistakenly believe that if they have 2FA enabled on an account, then the account cannot be compromised. Unfortunately, that is far from the truth. Even with modern technical security controls in place, it’s more important than ever to educate people about tactics such as this so they have a much better chance of defending themselves and their organizations.”

Image: Tycoon 2FA/Sekoia
