Typhoon 2FA is a phishing-as-a-service kit that can compromise Microsoft 365 and Google accounts even with 2FA enabled, used to target credential submissions via login pages. An expanded IoC analysis revealed thousands of related domains, subdomains, and IPs forming a broad DNS infrastructure to support Typhoon 2FA campaigns. #Typhoon2FA #PhaaS #phishingkit #Microsoft365 #GoogleAccounts
Keypoints
- Typhoon 2FA is a phishing kit sold as phishing-as-a-service that can bypass 2FA on Microsoft 365 and Google accounts.
- The phishing kit was active by August 2023 and is linked to a growing IoC list (55 domains and 48 subdomains).
- WhoisXML API expanded IoCs to 288 registrant email-connected domains, 110 registrant organization-connected domains, 262 email-connected domains, 21 IP addresses (all malicious), 137 string-connected domains, and 3,223 string-connected subdomains.
- Researchers used bulk Whois, Reverse Whois, WHOIS History API, and DNS lookups to map the Typhoon 2FA infrastructure and connections.
- The DNS infrastructure shows newly registered domains (NRDs) and domain generation algorithm (DGA)-style names, with most IPs geolocated in the U.S. and many hosted via Cloudflare (with one via Amazon).
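The keypoints above describe three pivots used to grow the IoC set: string-connected domains (names sharing a label string with a known IoC), DGA-looking labels, and newly registered domains. The script below is an added illustration of how a defender can triage a candidate list with those three heuristics; it is not code from the CircleID post or from WhoisXML API. The seed labels come from the example domains listed on this page, while the candidate domains, their creation dates, the 90-day NRD window, and the entropy and vowel-ratio thresholds are constructed assumptions for the example.

```python
import math
from datetime import date

# Seed IoCs: the example domains named on this page.
SEED_DOMAINS = ["3tdx2r.com", "it2ua.com", "lw8opi.com", "tlger-surveillance.com"]

# Constructed (domain, Whois creation date) pairs standing in for a Whois/DNS export.
# None of these candidates is a real IoC.
CANDIDATES = [
    ("3tdx2r.net", date(2024, 4, 30)),
    ("login-it2ua.com", date(2024, 5, 1)),
    ("example.org", date(2010, 1, 15)),
    ("x9q4lm2zpv.com", date(2024, 5, 3)),
    ("tlger-surveillance.net", date(2023, 9, 2)),
    ("mail.contoso-corp.example", date(2008, 6, 20)),
]

# Constructed "today" for the NRD check (the post's publication date).
REPORT_DATE = date(2024, 5, 9)


def registrable_label(domain: str) -> str:
    """Label left of the TLD; naively assumes a single-label public suffix."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def seed_strings(seeds):
    """Strings to pivot on: the registrable label of each seed IoC."""
    return {registrable_label(d) for d in seeds}


def string_connected(domain: str, strings) -> bool:
    """A candidate is string-connected if any of its labels contains a seed string."""
    labels = domain.lower().split(".")
    return any(s in label for s in strings for label in labels)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the label's own symbol distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(label: str) -> bool:
    """Assumed heuristic: a long label with high entropy and very few vowels."""
    core = label.replace("-", "")
    if len(core) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in core)
    return shannon_entropy(core) >= 3.0 and vowels / len(core) <= 0.25


def is_nrd(created: date, today: date, window_days: int = 90) -> bool:
    """Newly registered if created within the assumed window before 'today'."""
    return (today - created).days <= window_days


def triage(candidates, seeds, today):
    """Tag each candidate with the pivots that apply, preserving input order."""
    strings = seed_strings(seeds)
    result = []
    for domain, created in candidates:
        reasons = []
        if string_connected(domain, strings):
            reasons.append("string-connected")
        if looks_dga(registrable_label(domain)):
            reasons.append("dga-like")
        if is_nrd(created, today):
            reasons.append("nrd")
        result.append((domain, reasons))
    return result


if __name__ == "__main__":
    for domain, reasons in triage(CANDIDATES, SEED_DOMAINS, REPORT_DATE):
        print(f"{domain:28s} {', '.join(reasons) or '-'}")
```

Candidates that carry two or more tags (string-connected and newly registered, or DGA-like and newly registered) are the ones worth a closer look in passive DNS and Whois history; a lone "string-connected" hit on a common word produces false positives, which is why the post's analysts validated hits against threat data rather than blocking on the string match alone.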
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Link: "the phishing kit ... has the ability to compromise Microsoft 365 and Google accounts even if users have two-factor authentication (2FA) enabled."
- [T1583.001] Acquire Infrastructure: Domains: "we expanded the current list of IoCs", and the IoC set includes 55 domains and 48 subdomains, with many NRDs used in campaigns.
Indicators of Compromise
- [Domain] IoCs and related domains: 3tdx2r.com, it2ua.com, lw8opi.com, tlger-surveillance.com, and other IoCs
- [IP Address] 21 malicious IP addresses, all associated with threats (phishing, malware, C2, etc.)
- [String-connected Domain] 137 string-connected domains; examples include 7e2r., codecrafters., codecrafterspro., fourth., ilert.
- [String-connected Subdomain] 3,223 string-connected subdomains; examples include explore., horizon., libudi., rlpq.
- [Registrant Information] registrant email-connected domains (288 domains) and registrant organization-connected domains (110 domains) linking to various entities
Read more: https://circleid.com/posts/20240509-a-dns-investigation-of-the-typhoon-2fa-phishing-kit