
The Tycoon 2FA phishing toolkit has emerged as one of the most advanced Phishing-as-a-Service platforms since its launch in August 2023, built specifically to bypass two-factor and multi-factor authentication on Microsoft 365 and Gmail accounts.

The threat uses an Adversary-in-the-Middle methodology: reverse proxy servers host phishing websites that imitate the legitimate login interfaces while capturing user credentials and session cookies in real time.

According to the Any.run malware trends tracker, Tycoon 2FA accounts for over 64,000 documented incidents this year, making it one of the most widespread phishing threats currently in circulation.

The attack is delivered through several distribution channels, including malicious PDF documents, SVG files, PowerPoint presentations, and emails containing phishing links.

Attackers have also used cloud storage and design services such as Amazon S3 buckets, Canva, and Dropbox to host the counterfeit login pages, which makes detection harder for conventional security controls.

What makes this campaign especially dangerous is its ability to capture authentication codes even when two-factor authentication is enabled: because the toolkit relays the codes to the real service in real time, the second factor provides no protection against it.



Cybereason analysts found that the phishing toolkit performs numerous pre-redirection checks as defensive mechanisms against detection: domain validation, CAPTCHA challenges, detection of bots and scanning tools, and debugger checks that identify security researchers inspecting the code.

These checks ensure that only genuine victims reach the final phishing page, while automated security tools and analysts are redirected to harmless websites.

The toolkit also shows a detailed understanding of organizational login flows: it inspects the error messages returned by login attempts, which lets the operators tailor their campaigns for maximum effect.

The technical sophistication extends to boilerplate templates that build the fake login page dynamically from the actual responses of Microsoft servers. The result is a seamless experience that prompts users to enter their MFA codes, which are then forwarded to the legitimate servers in real time, bypassing this critical security layer.

Multi-Stage JavaScript Execution and Credential Gathering

The attack proceeds through a multi-stage JavaScript execution sequence designed to avoid detection while harvesting credentials.

Attack chain (Source – Cybereason)

The initial HTML page loads a JavaScript file containing a base64-encoded payload compressed with the LZ-string algorithm; the script decompresses the hidden payload and executes it in memory.

The next stage uses a technique called the DOM Vanishing Act, in which the malicious JavaScript removes itself from the Document Object Model after execution, leaving no visible trace for security tools that analyze the page's code.

The script contains three separate base64-encoded payloads, each designed to run only under specific conditions.

The first payload uses XOR cipher obfuscation and runs only when the result of window.location.pathname.split contains an exclamation mark or a dollar sign, confirming that the user arrived through the intended malicious link rather than through automated scanning.

Email extraction (Source – Cybereason)

The email extraction routine builds a custom string by appending “WQ” to the victim’s email address before exfiltrating it to the command-and-control server via a POST request to /zcYbH5gqRHbzSQXiK8YtTbhpNSGtkZc6xbMyRBGazbWU8fjfq; the server responds with AES-encrypted payloads that are decrypted using the CryptoJS library.

When a victim submits credentials on the counterfeit login page, the attacker, acting as the intermediary, receives them immediately and relays them to the legitimate Microsoft servers.

The victim’s page is then updated dynamically from the server replies using web parts, so the phishing flow appears seamless and highly convincing.

The final JavaScript payload collects browser details such as navigator.userAgent and sends requests to geolocation services, encrypts the collected data with a hardcoded key, and transmits it to the attacker’s endpoint at /tdwsch3h8IoKcUOkog9d14CkjDcaR0ZrKSA95UaVbbMPZdxe, completing the credential theft.
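Both exfiltration endpoints described above share a telltale shape: a single path segment of roughly 50 mixed-case alphanumeric characters with no dictionary structure. The following detection routine, added here as an example and not part of the Cybereason report, scores POST request paths in web-proxy logs by segment length and Shannon entropy to surface such endpoints. The log format, the sample lines, the client IPs, and the thresholds (40 characters, 4.5 bits per character) are assumptions chosen for this example; the two long paths are the ones named in the article.

```python
import math
import re

# Constructed sample proxy log lines (client_ip method path status); the two
# long POST paths are the exfiltration endpoints named in the article.
SAMPLE_LOG = """\
203.0.113.10 POST /zcYbH5gqRHbzSQXiK8YtTbhpNSGtkZc6xbMyRBGazbWU8fjfq 200
203.0.113.10 GET /common/oauth2/v2.0/authorize 302
203.0.113.11 POST /tdwsch3h8IoKcUOkog9d14CkjDcaR0ZrKSA95UaVbbMPZdxe 200
203.0.113.12 POST /api/login 200
203.0.113.13 GET /assets/3f9a1c7e2b5d8a0f4e6c1b9d7a3e5f2c8b4d6a1e9f0c3b7d5a2e8f4c6b1d9a0e 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_path(path: str, min_len: int = 40, min_entropy: float = 4.5) -> bool:
    """True if any path segment is a long, purely alphanumeric, high-entropy token.

    Thresholds are assumptions for this example. Hex content hashes (common in
    CDN asset names) cannot exceed 4 bits/char, so they stay below min_entropy.
    """
    for segment in path.split("/"):
        if len(segment) >= min_len and segment.isalnum() and shannon_entropy(segment) >= min_entropy:
            return True
    return False


def find_suspicious_posts(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, path) for each POST whose path looks like a random exfil endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and is_suspicious_path(m["path"]):
            hits.append((m["ip"], m["path"]))
    return hits


if __name__ == "__main__":
    for ip, path in find_suspicious_posts(SAMPLE_LOG):
        print(f"suspicious POST from {ip} to {path}")
```

Only the two article endpoints are flagged; the login API path is too short and the hex asset hash is too uniform to cross the entropy threshold.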
