eSentire’s Threat Response Unit (TRU) has identified a surge in Tycoon 2FA Phishing-as-a-Service (PhaaS) cases, marking a significant evolution in phishing tactics targeting Microsoft 365 and Gmail accounts. The report discusses sophisticated evasion techniques utilized by Tycoon 2FA, including custom CAPTCHA implementations and credential harvesting methods. Recommendations for organizations and key indicators of compromise are provided to enhance defense against such threats. Affected: Microsoft 365, Gmail, organizations with online accounts
Keypoints :
- eSentire operates 24/7 Security Operations Centers with elite threat hunters.
- Tycoon 2FA PhaaS cases accounted for 40% of user-account compromises in early 2025.
- The phishing kit employs advanced techniques to bypass multi-factor authentication.
- Reports indicate a transition to custom CAPTCHA algorithms to enhance evasion.
- Initial access for victims begins through phishing emails with malicious attachments.
- Phishing kit leverages deceptive source code and anti-debugging measures.
- Victims’ personal data, including credentials, are exfiltrated through automated processes.
- Recommendations include enhanced phishing training and compliance policies for device access.
MITRE Techniques :
- Initial Access (T1071.001): Victims are targeted via phishing emails containing malicious attachments.
- Credential Dumping (T1003): User credentials collected through the Tycoon 2FA phishing kit.
- Exploitation of Remote Services (T1210): Use of phishing sites to harvest credentials through man-in-the-middle techniques.
- User Execution (T1203): Users executing the phishing email attachment leading to malicious redirects.
- Command and Control (T1071.001): Phishing sites used for communication and credential exfiltration.
Indicator of Compromise :
- [URL] hxxps://4DN[.]urymenised[.]com/IAQiJ/@[.]com
- [URL] hxxps://gyp3d[.]gadyks[.]ru/chai@a25vgd9g
- [URL] 4dn[.]urymenised[.]ru/tvTX3SP4cn3680cAhBtRt8y5g9ILRX6FQKJ8im
- [DOMAIN] urymenised[.]ru
- [USER AGENT] Axios/1.X.X
Full Story: https://www.esentire.com/blog/phish-chips-serving-up-tycoon-2fas-secrets