Featured image

Tycoon 2FA Phishing Kit Bypasses MFA

What Happened?

According to an MSP security expertresearchers from the SOC platform vendor Sekoia, and other public reports, cyber criminals are using a new version of “Tycoon 2FA,” a Phishing-as-a-Service kit to bypass Multi-Factor Authentication (MFA) and successfully compromise Microsoft 365 and Gmail accounts.

​​​​While the cyber criminals behind this phishing kit, known as “Saad Tycoon, Tycoon Group, SaaadFridi, and Mr_Xaad” have sold their tools over platforms like Telegram since approximately August 2023, the group and its PaaS offering have re-emerged after they published a new version of the kit in February 2024, which adds new anti-detection capabilities to the package, which offers several phishing pages, attachments, and an administration panel for cyber criminals to use.

Key Takeaways

Threat actors using the Tycoon 2FA phishing kit launch a seven-stage Attacker-in-the-Middle (AITM) attack against their targets. First, the attackers will distribute phishing emails with malicious URLs or QR codes, which lead to phishing pages. The Tycoon kit uses a security challenge from Cloudflare to filter out potential bots.

Next, the URL uses background scripts to identify a victim’s email and customize a fake login and page with their organization’s branding. Once the user inputs their email and credentials, they’re sent to a fake 2FA challenge, which allows them to exfiltrate an authenticated cookie and gain complete access to the target’s account. When the user “completes their login,” they are redirected to either a legitimate Microsoft error/redirection page or a false WeTransfer page.

For a complete view of the attack chain, you can view Sekoia’s overview graphic below:  

A diagram of a computer network

Description automatically generated

Why This Matters to MSPs

Attacker-in-the-middle attacks and an exponential rise in threat actors, powered by Malware-as-a-Service software like the Tycoon 2FA phishing kit, pose a major risk to MSPs that cannot be ignored. 

These attacks and investigations have revealed how sophisticated cyber criminals have become, and how low the entry barrier has become for budding threat actors. Even unskilled actors can set up convincingly accurate login and 2FA phishing pages.

Next Steps

CyberQP’s security experts recommend that concerned MSPs and end users take the following actions to mitigate their risk:

– Use the full Indicators of Compromise list from Sekoia’s report to detect signs that threat actors are using the Tycoon 2FA phishing kit to target your technicians or end users. 
– Deploy protection from tools like CIPP, which offers Clarion, a feature that injects a warning that a user is on a fake Microsoft login page.
– Work with your SOC/Managed XDR provider to ensure that your MSP is secured against the Tycoon 2FA phishing kit. 

Thank you for reading MSP Incident Insights. Please keep an eye out for our next newsletter on Tuesday, where we’ll be doing an overview of LockBit ransomware’s re-emergence and critical Fortinet vulnerabilities.