Detecting Tycoon 2FA AiTM attacks across Entra ID and Google Workspace

MITRE Techniques

• [T1566.002 ] Phishing: Spearphishing Link – Victims receive emails with links or QR codes embedded in PDF, SVG, HTML, or PPTX attachments that lead to the fake login flow. (‘The victim receives a phishing email containing a link or QR code embedded in a PDF, SVG, HTML, or PPTX attachment.’)
• [T1539 ] Steal Web Session Cookie – The AiTM proxy intercepts authenticated session tokens/cookies after MFA is completed. (‘The proxy intercepts this token before it reaches the victim’s browser.’)
• [T1078.004 ] Valid Accounts: Cloud Accounts – Stolen tokens are replayed to access Microsoft 365 and Google Workspace as authenticated users. (‘The attacker now holds a fully authenticated access token.’)
• [T1098.005 ] Account Manipulation: Device Registration – The kit registers a device to establish persistence via device-bound PRT access. (‘DRS creates a device object, assigns a device ID, signs and returns a device certificate.’)
• [T1550.001 ] Use Alternate Authentication Material: Application Access Token – The kit exchanges token material across the Auth Broker/DRS flow to mint new access and refresh tokens. (‘The kit uses this to POST… and returns the PRT plus a session key encrypted (JWE).’)
• [T1087.004 ] Account Discovery: Cloud Account – Post-compromise Graph API calls enumerate user profile, contacts, mailbox settings, and roles. (‘Check what Entra ID roles the compromised identity holds’)
• [T1069.003 ] Permission Groups Discovery: Cloud – The operator enumerates directory roles and membership data to understand privileges. (‘transitiveRoleAssignments, memberOf/directoryRole, roleManagement/directory/roleAssignments’)
• [T1526 ] Cloud Service Discovery – The operator maps tenant licensing, org structure, and app inventory. (‘subscribedSkus, organization, appRoleAssignedResources’)