Tycoon Malware Kit Bypasses Microsoft, Google MFA

Published: 23/11/2024   Category: security




Threat actors are widely adopting the fast-growing, low-cost phishing-as-a-service (PhaaS) platform, which is sold via Telegram.



Threat actors are widely adopting an emerging adversary-in-the-middle (AitM) phishing kit sold on Telegram to blitz Microsoft 365 and Gmail email accounts with threat campaigns that can bypass multifactor authentication (MFA) protections.
The Tycoon 2FA phishing-as-a-service (PhaaS) platform has been active since at least last August but was updated as recently as last month to enhance its obfuscation and anti-detection capabilities, researchers from Sekoia revealed in a blog post published March 26.
Tycoon 2FA became widespread in the months following its release and is currently massively used in numerous phishing campaigns, Sekoia cyber-threat analyst Quentin Bourgue and researchers from the Threat Detection & Research team wrote in the post. It mainly aims to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication.
Between October 2023 and late February, the platform racked up more than 1,100 domain names and has widespread distribution by its operator via Telegram using various handles, including Tycoon Group, SaaadFridi, and Mr_XaaD. The kit's operator also regularly publishes changelogs about the latest updates of Tycoon 2FA in a Telegram channel.
“While MFA increases security compared to single-factor authentication, sophisticated attacks involving AitM techniques exemplified by the Tycoon 2FA phishing kit can easily bypass most MFA protections,” notes Ted Miracco, CEO of mobile security firm Approov.
The threat actor uses the chat platform to sell ready-to-use Microsoft 365 and Gmail phishing pages, as well as attachment templates, at the starting price of $120 for 10 days, with prices increasing depending on the top-level domain (TLD) and typically maxing out at $320. The phishing service also provides several domain name extensions, including .ru, .su, .fr, .com, .net, and .org.
Payments are handled via a Bitcoin wallet controlled by the Saad Tycoon Group, which the researchers believe is the Tycoon 2FA operator and developer. As of mid-March, the wallet has recorded more than 1,800 transactions, including 1,117 inputs and 1,088 outputs, the researchers said.
The phishing kit relies on the AitM technique and uses an attacker server, or a reverse proxy server, to host the phishing webpage, intercepting victims' inputs and relaying them to the legitimate service, and then prompting the MFA request.
Once the user completes the MFA challenge, and the authentication is successful, the server in the middle captures session cookies, the researchers wrote. Stolen cookies allow attackers to replay a session and therefore bypass the MFA, even if credentials have been changed in between.
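The cookie replay described above is what a defender can hunt for on the identity-provider side: a session minted right after an MFA success that is then presented from somewhere else. This is an added example, not code from Sekoia's post or from the kit; the log layout and field names are hypothetical and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample of identity-provider sign-in/activity events (not real logs):
# timestamp  session_id  source_ip  user_agent  event
SAMPLE_LOG = """\
2024-03-26T09:00:00Z sess-a1 203.0.113.10 Chrome/122 mfa_success
2024-03-26T09:00:05Z sess-a1 203.0.113.10 Chrome/122 mailbox_read
2024-03-26T09:03:40Z sess-a1 198.51.100.77 Firefox/115 mailbox_read
2024-03-26T09:10:00Z sess-b2 192.0.2.20 Chrome/122 mfa_success
2024-03-26T09:12:00Z sess-b2 192.0.2.20 Chrome/122 mailbox_read
2024-03-26T09:15:00Z sess-b2 192.0.2.21 Chrome/122 mailbox_read
"""

def parse_events(text: str):
    """Yield (timestamp, session_id, ip, user_agent, event) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, ip, ua, ev = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sid, ip, ua, ev

def find_replayed_sessions(text: str, window: timedelta = timedelta(hours=1)) -> list:
    """Flag a session that, within `window` of the MFA success that minted it,
    is presented from a different IP *and* a different user agent.
    Requiring both avoids alerting on ordinary mobile IP churn (sess-b2 above)."""
    minted = {}   # session_id -> (time, ip, user_agent) recorded at mfa_success
    alerts = []
    for ts, sid, ip, ua, ev in parse_events(text):
        if ev == "mfa_success":
            minted[sid] = (ts, ip, ua)
            continue
        if sid not in minted:
            continue
        t0, ip0, ua0 = minted[sid]
        if ts - t0 <= window and ip != ip0 and ua != ua0:
            alerts.append({"session": sid, "minted_from": ip0, "reused_from": ip,
                           "seconds_after_mfa": int((ts - t0).total_seconds())})
    return alerts
```

The heuristic is deliberately conservative; an operator who copies the victim's user agent evades it, so pair it with impossible-travel or ASN checks in production.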
Worse, the latest version of Tycoon 2FA is gaining traction among threat actors and posing a significant phishing threat, thanks to enhanced stealth capabilities that reduce the detection rate by security products of the kit's phishing pages and infrastructure, the researchers said. Additionally, its ease of use and its relatively low price make it quite popular among threat actors, they added.
The researchers outlined a six-stage process for how the kit builds a phishing attack, starting with Stage 0, which is the spread of phishing pages that use redirections from URLs and QR codes embedded in email attachments or email bodies.
Stage 1 is a Cloudflare Turnstile challenge — used as a replacement for a CAPTCHA challenge — in which users clicking on the phishing URL are redirected to a page embedding such a challenge to prevent unwanted traffic. Stage 2 then executes JavaScript code in the background that's not visible to the user, to redirect the target to another page.
Stage 3 of the attack is yet another background redirect that leads the target to another webpage of the phishing domain. From there, Stage 4 offers a fake Microsoft authentication login page via HTML code that embeds a deobfuscation function and obfuscated HTML code.
The MFA aspect that's key to the kit occurs in Stage 5 of the attack vector, in which the JavaScript code interacts with the HTML of the previous stage to build and display the Microsoft MFA page, which prompts the user to authenticate themselves. Finally, Stage 6 redirects the user one last time, in this case to a legitimate URL so the victim doesn't realize the previous page was malicious.
The rising prominence of a phishing kit like Tycoon 2FA demonstrates how threat actors are getting around MFA techniques that security pros recommend for authentication since they are more secure than just passwords, which can be easily cracked. The growing sophistication of threat actors is now putting even 2FA and MFA techniques at risk.
However, some forms of MFA are more resistant to phishing attacks than others, and knowing this, enterprises can aim to protect themselves accordingly, Approov's Miracco says.
Security keys that implement WebAuthn/FIDO2 standards offer a higher level of protection, as they require the website to prove its identity to the key, which makes it significantly more difficult for attackers to intercept or replicate the MFA process, he says.
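Why a reverse proxy cannot relay a WebAuthn login the way it relays a password and a one-time code: the browser stamps the real origin into clientDataJSON and the authenticator hashes the relying-party ID, so a response produced on the proxy's domain fails the relying party's checks. The following is an added illustration, not code from the article or from Sekoia; the origin, RP ID and look-alike proxy domain are hypothetical, and the signature check is left out to keep the example short.

```python
import base64
import hashlib
import json

# Assumed relying-party (RP) values; hypothetical, not taken from the article.
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "login.example.com"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: str) -> str:
    """clientDataJSON as the browser builds it: the origin is stamped by the
    browser from the page actually loaded, never chosen by page script."""
    body = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(body).encode())

def make_auth_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: sha256(rpId) || flags (UP=1) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"

def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: str):
    """RP-side checks on a WebAuthn assertion (signature check omitted for brevity).
    A victim who loaded the login page through an AitM reverse proxy is on the
    proxy's domain, so origin and rpIdHash both point at the proxy and fail here."""
    client = json.loads(b64url_decode(client_data_b64))
    if client.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + repr(client.get("origin"))
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"

CHALLENGE = b64url_encode(b"constructed-challenge-from-the-rp")
# Genuine sign-in on the real origin versus the same ceremony relayed through a
# proxy on a look-alike domain (constructed sample, not a real kit domain).
LEGIT = verify_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                         make_auth_data(EXPECTED_RP_ID), CHALLENGE)
PROXIED = verify_assertion(make_client_data("https://login-example.proxy.test", CHALLENGE),
                           make_auth_data("login-example.proxy.test"), CHALLENGE)
```

In practice the authenticator would not even find a credential scoped to the proxy's RP ID, so the proxied ceremony fails before the relying party sees it; the checks above show the second line of defence if a response does arrive.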
To help organizations flag Tycoon 2FA activity, Sekoia has posted a list of indicators of compromise (IoCs) on its GitHub page, including URLs associated with Tycoon 2FA phishing-kit campaigns.
