Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale

Tycoon2FA is a phishing-as-a-service platform that provides a web-based admin panel, prebuilt templates, redirect/routing logic, and attachment generation to enable scalable adversary-in-the-middle (AiTM) attacks that capture credentials and session cookies. Microsoft Defender analysis details Tycoon2FA’s evolving short-lived domain infrastructure, extensive defense-evasion (custom CAPTCHAs, obfuscated JavaScript, complex redirects), exfiltration via Telegram bots, and recommended mitigations like phishing-resistant MFA and Defender/Exchange protections. #Tycoon2FA #MicrosoftDefender

Key points

  • Tycoon2FA is sold as an easy-to-use phishing platform (PhaaS) with a centralized admin panel offering templates, attachment builders, redirect configuration, and victim tracking for AiTM campaigns.
  • Operators deploy varied lures (PDF/DOCX with QR codes, SVG redirects, HTML attachments, and spoofed links) impersonating services like Microsoft 365, Outlook, SharePoint, OneDrive, and Google.
  • Infrastructure shifted to fast-rotating, short-lived FQDNs across diverse inexpensive gTLDs (.space, .email, .today, etc.) and Cloudflare hosting, complicating reputation- and blocklist-based detection.
  • Evasion techniques include custom CAPTCHAs, heavily obfuscated/randomized JavaScript/HTML, browser fingerprinting, geofencing, automation detection, decoy redirects, and layered encoding to defeat analysis and static signatures.
  • Tycoon2FA relays credentials to real services to trigger MFA, captures session cookies/tokens (exfiltrated via Telegram), and enables attackers to access and persist in compromised accounts (inbox rules, authenticator registration).
  • Microsoft Defender guidance recommends phishing-resistant authentication (FIDO2, Windows Hello, passkeys), Exchange/Microsoft Defender configuration (Safe Links/Attachments, ZAP), Defender XDR/Cloud Apps detection, and rapid remediation steps for compromised identities.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Use of malicious attachments to deliver phishing lures (‘PDF or DOC/DOCX attachments with QR codes’).
  • [T1566.002] Spearphishing Link – Use of redirect links in email that impersonate trusted services to lure users (‘Redirect links that appear to come from trusted services’).
  • [T1566] Phishing – General phishing-based initial access using templates that impersonate business applications and compromised threads (‘Email lures were crafted from ready-made templates that impersonated trusted business applications like Microsoft 365, Azure, Okta, OneDrive, Docusign, and SharePoint’).
  • [T1557] Adversary-in-the-Middle – AiTM relay intercepts credentials and MFA flows to capture session tokens and enable account takeover (‘Tycoon2FA’s success stemmed from closely mimicking legitimate authentication processes while covertly intercepting both user credentials and session tokens’).
  • [T1539] Steal Web Session Cookie – Capture and reuse of session cookies to gain real-time access after MFA completes (‘Once the user completed MFA, the attacker captured the session cookie and gained real-time access’).
  • [T1027] Obfuscated Files or Information – Heavily obfuscated and randomized JavaScript/HTML and layered encodings used to evade signature-based detection (‘These pages were created with heavily obfuscated and randomized JavaScript and HTML, designed to evade signature-based detection’).
  • [T1041] Exfiltration Over Command and Control Channel – Exfiltration of captured credentials and session information via Telegram bots (‘Captured session information … are exfiltrated through Telegram bot’).
  • [T1078] Valid Accounts – Use of stolen credentials and session tokens to sign in and persist (create inbox rules, register authenticators) in victim accounts (‘Attackers could then access sensitive data and establish persistence by modifying mailbox rules, registering new authenticator apps, or launching follow-on phishing campaigns’).

Indicators of Compromise

  • [Domain/FQDN] Tycoon2FA campaign landing pages and short‑lived domains – immutable.nathacha[.]digital, mock.zuyistoo[.]today, and 8 more FQDNs (examples include astro.thorousha[.]ru, branch.cricomai[.]sa[.]com, mysql.vecedoo[.]online).
  • [Subdomain patterns] Readable campaign subdomains used to reduce suspicion – examples: immutable.nathacha[.]digital, mock.zuyistoo[.]today (subdomains often include words like cloud, desktop, application, survey, python, terminal).
  • [Attachment types] Malicious delivery artifacts observed in email lures – PDF/DOCX files with QR codes, SVG files containing embedded redirect logic, and HTML attachments.
  • [Hosting/Platform endpoints] Intermediary and hosting services used in redirect chains – Cloudflare-hosted FQDNs, Azure Blob Storage, Firebase, Wix, TikTok, Google resources (used as intermediate redirect points).
  • [Exfiltration channel] Real-time data exfiltration mechanism – Telegram bots used to forward captured credentials and session information (exfiltrated session data shown in panel screenshots).
  • [TLD indicators] Diverse inexpensive gTLD usage for domain rotation – .space, .email, .solutions, .live, .today, .calendar, and second-level patterns like .sa[.]com, .in[.]net, .com[.]de.
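Because the kit rotates FQDNs faster than blocklists update, a defender can instead score hostnames on the structural patterns listed above (cheap gTLDs, mimicked second-level suffixes, readable dictionary-word subdomains). The following is an added example, not code from the Microsoft report; the TLD and word lists are illustrative assumptions taken from the indicators above, not a complete blocklist, and the log lines are constructed.

```python
import re

# Illustrative lists drawn from the indicators above (assumption: incomplete).
SUSPECT_TLDS = {"space", "email", "solutions", "live", "today", "calendar"}
SUSPECT_SECOND_LEVEL = {"sa.com", "in.net", "com.de"}   # mimic ccTLD hierarchies
READABLE_LABELS = {"cloud", "desktop", "application", "survey", "python", "terminal"}
HOST_RE = re.compile(r"^[a-z0-9.-]+$")

def refang(host):
    """Normalise a defanged IoC such as mock.zuyistoo[.]today to a real hostname."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")

def score_host(host):
    """Return (score, reasons) for one hostname; 0 means no pattern matched."""
    host = refang(host)
    labels = host.split(".")
    if not HOST_RE.match(host) or len(labels) < 2:
        return 0, ["not a hostname"]
    score, reasons = 0, []
    suffix2 = ".".join(labels[-2:])
    if suffix2 in SUSPECT_SECOND_LEVEL:          # e.g. branch.cricomai.sa.com
        score += 2
        reasons.append("mimicked second-level suffix " + suffix2)
        subdomains = labels[:-3]                 # registered name is 3 labels long
    else:
        if labels[-1] in SUSPECT_TLDS:           # e.g. mock.zuyistoo.today
            score += 1
            reasons.append("inexpensive gTLD ." + labels[-1])
        subdomains = labels[:-2]
    hits = [label for label in subdomains if label in READABLE_LABELS]
    if hits:                                     # readable word chosen to look benign
        score += 1
        reasons.append("readable subdomain " + ",".join(hits))
    return score, reasons

def flag_urls(log_lines, threshold=2):
    """Return (url, score, reasons) for every URL in the lines scoring >= threshold."""
    flagged = []
    for line in log_lines:
        for url in re.findall(r"https?://[^\s\"']+", line):
            match = re.match(r"https?://([^/:?#]+)", url)
            score, reasons = score_host(match.group(1))
            if score >= threshold:
                flagged.append((url, score, reasons))
    return flagged

# Constructed proxy/click-log lines (not real telemetry).
SAMPLE_LOG = [
    "2026-03-04T09:12:01Z user=alice url=https://survey.example-corp.space/login",
    "2026-03-04T09:13:44Z user=bob url=https://branch.cricomai.sa.com/verify",
    "2026-03-04T09:15:10Z user=carol url=https://login.microsoftonline.com/",
]
```

Scores are a triage signal for analysts, not a block decision on their own; legitimate sites on these gTLDs will also score.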


Read more: https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/