Between late 2024 and early 2025, Darktrace identified a series of Software-as-a-Service (SaaS) account compromises stemming from a phishing campaign that abused Milanote, a legitimate collaboration service, together with the Tycoon 2FA adversary-in-the-middle (AitM) phishing kit. The attackers routed their lures through legitimate services so that the phishing emails arrived from real domains alongside genuine notifications, making it harder for users to tell bogus and authentic messages apart. The report details how targeted email lures and the use of real domain names enabled the account takeovers. Affected: SaaS accounts, Milanote users
Keypoints:
- Darktrace’s investigation uncovered a phishing campaign utilizing Milanote and the Tycoon 2FA phishing kit.
- Attackers exploited legitimate email services, making phishing attempts appear credible.
- Phishing emails used social engineering tactics, referencing urgent matters to encourage user interaction.
- Legitimate Milanote emails accompanied the phishing attempt, further blurring authenticity.
- Because the lure came from a legitimate sender domain and the AitM kit relayed the real login (including MFA), the attack passed standard email and MFA controls.
- User awareness and security tools based on anomaly detection are essential to combat such threats.
MITRE Techniques:
- Initial Access – Phishing (T1566): Phishing emails delivered via a legitimate service to lure users to the AitM page.
- Credential Access – Steal Web Session Cookie (T1539): The AitM kit relayed the victim's login and MFA to the real service and captured the resulting session cookie, bypassing MFA.
- Persistence – Account Manipulation (T1098): Creation of new inbox rules to monitor or manipulate the compromised mailbox.
- Persistence – Office Application Startup: Outlook Rules (T1137.005): Inbox rules that deleted incoming emails, hiding security alerts and replies from the victim.
- Defense Evasion – Valid Accounts: Cloud Accounts (T1078.004): Authenticated to the SaaS accounts with the hijacked sessions, so the activity looked like legitimate account use.
Indicators of Compromise:
- [IP Address] 89.185.80[.]19 – Associated with malicious login.
- [IP Address] 5.181.3[.]68 – Associated with malicious login.
- [IP Address] 38.242.7[.]252 – Associated with malicious login and email rule creation, linked to Hide My Ass VPN.
- [Hostname] lrn.ialeahed[.]com – Flagged as a domain related to Tycoon 2FA.
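The post-compromise pattern above (a sign-in from attacker infrastructure followed by an inbox rule that deletes incoming mail) can be hunted in sign-in and mailbox audit logs. The script below is an added example, not code from the Darktrace report. It runs over a few constructed records in a simplified Microsoft 365 unified-audit-log shape (Operation, UserId, ClientIP, CreationTime, Parameters); that record shape, the sample data and the set of "suppressive" rule parameters are assumptions of this example. It flags sign-ins from the listed IOC addresses and any New-InboxRule/Set-InboxRule event that deletes or moves mail, raising the severity when the rule was created from an IOC address or from an IP the user had never signed in from.

```python
"""Hunt for AitM session hijack followed by mail-hiding inbox rules (constructed example)."""
from __future__ import annotations

import json
from datetime import datetime

# IOC IPs from the report above, with the defanging brackets removed.
IOC_IPS = {"89.185.80.19", "5.181.3.68", "38.242.7.252"}

# Inbox-rule parameters that hide or destroy mail. An attacker uses them to
# suppress security alerts and replies after taking over the mailbox.
# (Assumed parameter names, modelled on New-InboxRule switches.)
SUPPRESSIVE_PARAMS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead"}

# Constructed sample records (newline-delimited JSON). Not real log data.
SAMPLE_LOG = r"""
{"CreationTime":"2025-01-14T08:02:11","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.10"}
{"CreationTime":"2025-01-14T09:17:45","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"38.242.7.252"}
{"CreationTime":"2025-01-14T09:21:03","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"38.242.7.252","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"password;invoice;suspicious"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2025-01-14T09:50:12","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"203.0.113.22"}
{"CreationTime":"2025-01-14T10:05:30","Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"203.0.113.22","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@example.org"},{"Name":"MoveToFolder","Value":"Reading"}]}
{"CreationTime":"2025-01-14T11:40:00","Operation":"UserLoggedIn","UserId":"carol@example.com","ClientIP":"5.181.3.68"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON audit records and return them oldest first."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.fromisoformat(ev["CreationTime"])
        events.append(ev)
    events.sort(key=lambda e: e["_time"])
    return events


def find_ioc_logins(events: list[dict]) -> list[tuple[str, str]]:
    """Return (user, ip) for every sign-in from a known IOC address."""
    return [(e["UserId"], e["ClientIP"]) for e in events
            if e["Operation"] == "UserLoggedIn" and e["ClientIP"] in IOC_IPS]


def rule_params(ev: dict) -> dict[str, str]:
    """Flatten the audit record's Parameters list into a name -> value map."""
    return {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}


def find_suspicious_rules(events: list[dict]) -> list[dict]:
    """Flag inbox rules that hide mail, scoring them against each user's login history.

    The baseline of "known" IPs for a user is built from sign-ins seen earlier in
    the same log (IOC addresses are never trusted). A rule is 'high' when it both
    hides mail and was created from an IOC or never-before-seen IP; otherwise 'low'.
    """
    baseline: dict[str, set[str]] = {}
    findings = []
    for ev in events:
        user, ip = ev["UserId"], ev["ClientIP"]
        if ev["Operation"] == "UserLoggedIn":
            if ip not in IOC_IPS:
                baseline.setdefault(user, set()).add(ip)
            continue
        if ev["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = rule_params(ev)
        suppressive = sorted(SUPPRESSIVE_PARAMS.intersection(params))
        if not suppressive:
            continue
        reasons = [f"rule hides mail via {', '.join(suppressive)}"]
        if ip in IOC_IPS:
            reasons.append(f"created from known IOC address {ip}")
        elif ip not in baseline.get(user, set()):
            reasons.append(f"created from {ip}, no prior sign-in from that IP for {user}")
        findings.append({
            "user": user, "ip": ip, "time": ev["CreationTime"],
            "rule": params.get("Name", "?"),
            "severity": "high" if len(reasons) > 1 else "low",
            "reasons": reasons,
        })
    return findings


def hunt(text: str) -> dict:
    """Run both checks over a log and return the findings."""
    events = parse_events(text)
    return {"ioc_logins": find_ioc_logins(events),
            "rule_findings": find_suspicious_rules(events)}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for user, ip in result["ioc_logins"]:
        print(f"[IOC LOGIN] {user} from {ip}")
    for f in result["rule_findings"]:
        print(f"[{f['severity'].upper()}] {f['user']} rule '{f['rule']}' at {f['time']}: "
              + "; ".join(f["reasons"]))
```

Two caveats when adapting this: the IOC addresses belong to VPN and hosting ranges that will be reused by other tenants and abandoned by the attacker, so treat the IP match as a trigger for investigation rather than a verdict; and a baseline built from a few hours of events is weak, so in production compare the rule-creation IP against weeks of sign-in history (for Microsoft 365, the same record types are available through Search-UnifiedAuditLog) and combine the IP check with the rule content itself, since a rule that silently deletes mail matching "password" or "suspicious" is anomalous regardless of where it came from.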
Full Story: https://darktrace.com/blog/mfa-under-attack-aitm-phishing-kits-abusing-legitimate-services