Following a coordinated global takedown of Tycoon 2FA infrastructure, operators rapidly pivoted to new authentication sources—notably ProxyLine and several new ASNs—while continuing to use the same underlying phishing kit. TRU observed WebSocket-based real-time credential and 2FA token capture, persistent Application ID and axios user‑agent patterns, and provided IOCs, detection queries, and mitigation recommendations. #Tycoon2FA #ProxyLine
Keypoints
- Operators rapidly adapted post‑takedown by pivoting authentication sources to new ASNs and heavy use of the commercial proxy service ProxyLine to rotate exit IPs globally.
- Source‑code analysis found no substantive changes to the Tycoon 2FA phishing kit: identical AES encryption key/IV, anti‑debugging, and domain validation logic remained unchanged.
- Gmail‑targeted campaigns implemented WebSocket‑based communication enabling real‑time credential harvesting and immediate 2FA token capture and relay.
- Evasion techniques include geolocation and ASN checks via ipinfo.io, api.ipapi.is, and get.geojs.io to redirect security vendors/known cloud providers to legitimate sites (e.g., Carrefour, Kajabi) and hide phishing content.
- Consistent authentication telemetry remains a reliable detection surface: persistent Application ID (OfficeHome) and axios user‑agent patterns are observable despite infrastructure pivoting.
- TRU provided detection artifacts (KQL query), IOCs, and recommended defenses: PSAT, 24/7 MDR with response capabilities, device compliance policies, limiting mailbox rule permissions, and proactive threat hunting for unusual ASNs/user agents.
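The report's KQL query is not reproduced here; as an added illustration of the same detection surface (not eSentire's query), the following Python flags constructed Entra ID sign-in records that pair the OfficeHome application ID with an axios user agent or originate from one of the ASNs listed in the report. Field names on the SignIn record are assumptions that approximate SigninLogs columns.

```python
"""Flag sign-ins matching the Tycoon 2FA telemetry pattern (added example)."""
from dataclasses import dataclass

# Values taken from the report: OfficeHome application id and observed ASNs.
OFFICEHOME_APP_ID = "4765445b-32c6-49b0-83e6-1d93765276ca"
WATCHED_ASNS = {9009, 214238, 62240, 204957, 395092, 215540, 29802}


@dataclass
class SignIn:
    """Minimal stand-in for an Entra ID SigninLogs row (assumed field names)."""
    user: str
    app_id: str
    user_agent: str
    asn: int
    result: str  # "success" or "failure"


def match_reasons(s: SignIn) -> list[str]:
    """Return why a sign-in looks kit-driven; empty list means no match."""
    reasons = []
    # axios is an HTTP client library, not a browser, so a human signing in to
    # OfficeHome never presents it; the combination is the strongest signal.
    if s.app_id == OFFICEHOME_APP_ID and s.user_agent.lower().startswith("axios/"):
        reasons.append("OfficeHome sign-in with axios user agent")
    if s.asn in WATCHED_ASNS:
        reasons.append(f"source ASN AS{s.asn} listed in report")
    return reasons


def flag_signins(records):
    """Return (user, reasons) for matching records, successful sign-ins first."""
    hits = [(r.user, match_reasons(r), r.result) for r in records]
    hits = [h for h in hits if h[1]]
    hits.sort(key=lambda h: h[2] != "success")  # stable: successes float up
    return [(user, reasons) for user, reasons, _ in hits]


# Constructed sample telemetry, not real log data.
SAMPLE = [
    SignIn("alice@example.com", OFFICEHOME_APP_ID, "axios/1.13.6", 9009, "success"),
    SignIn("bob@example.com", OFFICEHOME_APP_ID, "Mozilla/5.0 Chrome/124", 15169, "success"),
    SignIn("carol@example.com", "other-app-id", "axios/1.9.0", 3320, "failure"),
    SignIn("dave@example.com", OFFICEHOME_APP_ID, "axios/1.9.0", 3320, "failure"),
]

if __name__ == "__main__":
    for user, reasons in flag_signins(SAMPLE):
        print(user, "->", "; ".join(reasons))
```

A successful OfficeHome sign-in carrying an axios user agent from a watched ASN (alice above) is the case to triage first; a failed attempt from a new ASN (dave) still indicates the kit is being pointed at that account.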
MITRE Techniques
- [T1566] Phishing – Use of phishing pages and phishing-as-a-service to harvest credentials and bypass MFA (‘Tycoon 2FA is a sophisticated PhaaS kit that enables phishing operators targeting Microsoft 365 and Gmail accounts to bypass 2FA and capture session cookies’)
- [T1078] Valid Accounts – Use of stolen session cookies and captured credentials for unauthorized access (‘capture session cookies for full unauthorized access’)
- [T1090] Proxy – Use of commercial proxy infrastructure (ProxyLine) and IP rotation to evade IP/geo‑based detection (‘ProxyLine … offers IP rotation across more than 100 countries’)
- [T1041] Exfiltration Over C2 Channel – Real‑time credential and 2FA token capture and relay using WebSocket communication (‘WebSocket-based communication for real-time credential and 2FA token capture’)
- [T1573] Encrypted Channel – Use of symmetric encryption for credential transmission (AES key/IV preserved in kit) to protect data in transit (‘same AES encryption using CryptoJS library, identical encryption key (1234567890123456) and IV’)
Indicators of Compromise
- [Application ID] authentication identifier observed in malicious sign-ins – 4765445b-32c6-49b0-83e6-1d93765276ca
- [User Agent] sign‑in fingerprint used by the phishing kit – axios/1.13.6, axios/1.9.0, and other axios/* versions
- [ASN] authentication source infrastructure observed in Entra ID telemetry – AS9009 (M247 Europe SRL), AS214238 (HOST TELECOM LTD), and other ASNs (AS62240, AS204957, AS395092, AS215540, AS29802)
- [Domain] external services and phishing infrastructure – proxyline[.]net, ipinfo[.]io, and other domains used for geolocation/blocking (api.ipapi[.]is, get.geojs[.]io, kajabi[.]com)