Phishing-as-a-Service (PhaaS) provides attackers with advanced toolsets and templates that enable them to quickly deploy phishing campaigns.
# Tool/Technique: Tycoon 2FA (PhaaS Platform)
## Overview
Tycoon 2FA is an advanced iteration of the Phishing-as-a-Service (PhaaS) platform known as Tycoon. It provides sophisticated toolsets and templates that enable threat actors to rapidly deploy highly evasive phishing campaigns, specifically targeting the circumvention of Microsoft 365 Multifactor Authentication (MFA) by intercepting and utilizing session cookies.
## Technical Details
- Type: Tool / Phishing Kit
- Platform: Web/Browser (Delivering phishing pages targeting Microsoft 365 users)
- Capabilities: Bypassing 2FA via session cookie interception, advanced techniques to obstruct automated analysis and manual inspection.
- First Seen: The base Tycoon platform has been in use since August 2023. The Tycoon 2FA variant was first seen in November 2024.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Applicable to delivery via email)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Used to host and serve the phishing page)
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (Code obfuscation observed)
- T1564.001 - Hide Artifacts: Hidden Files and Directories (General hiding mechanisms)
- T1498.003 - External Remote Services: Impersonation (Impersonating legitimate services via fake login pages)
## Functionality
### Core Capabilities
- **2FA Bypass:** Intercepting and utilizing Microsoft 365 session cookies to gain unauthorized access past two-factor authentication.
- **Legitimate Identity Usage:** Sending phishing emails from legitimate, potentially compromised email accounts to enhance trust and initial delivery success.
- **Fake Login Pages:** Presenting convincing fake Microsoft login pages to victims.
### Advanced Features
- **Obstructive Source Code:** Employing specially crafted source code to skip standard calls to external resources, actively obstructing automated web page analysis.
- **Automated Tool Detection:** Implementing checks to detect and block automated security scripts and penetration-testing tools (e.g., Burp Suite). Redirection to a blank page upon detection.
- **Keystroke Monitoring:** Listening for specific key combinations (shortcuts) commonly used by security analysts for web inspection (e.g., developer tools). Triggers delays or site redirection upon detection.
- **Developer Tool Detection:** If developer tools remain open beyond a certain operational delay threshold, the page redirects the user to a legitimate external site (e.g., `https://www.onedrive.com`).
- **Context Menu Disabling:** Disabling the right-click context menu to prevent users from inspecting, saving source code, or gathering insight into the page structure.
- **Clipboard Manipulation:** Overwriting clipboard content when a user attempts to copy text, preventing data extraction for offline analysis.
- **Code Obfuscation:** Using obfuscation techniques to make the underlying web page code harder to read and reverse engineer.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: [Not specified in the text]
- Registry Keys: [Not specified in the text]
- Network Indicators: [Not specified in the text, as the primary focus is on the tool's client-side evasion]
- Behavioral Indicators:
- Redirection to `hxxps://www[.]onedrive[.]com` upon developer tool detection.
- Attempting to execute JavaScript designed to block common developer tool shortcuts (e.g., F12).
- Attempts to prevent right-click actions on the phishing page.
- Overwriting clipboard contents upon copy actions.
## Associated Threat Actors
- Threat actors utilizing Phishing-as-a-Service (PhaaS) platforms. (Specific named groups were not provided in the context, only the utilization metric: ~30% of credential attacks in 2024 used PhaaS).
## Detection Methods
- Signature-based detection: Detecting known obstructive script patterns specific to Tycoon 2FA.
- Behavioral detection: Monitoring rendered phishing pages for in-page script behaviors indicative of anti-analysis measures (e.g., checks for an open developer console, keyboard-shortcut interception, clipboard manipulation attempts).
- YARA rules if available: [No specific YARA rules were provided]
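The behavioral indicators and the signature/behavioral detection methods above can be turned into a simple static heuristic scanner over captured page source. The following Python is an added example written for this summary, not a published Tycoon 2FA signature or any vendor's detection code: the regexes, the scoring thresholds and the two sample pages are all constructed assumptions. It counts, per indicator category, how many of the evasion patterns the report lists appear in a page, and combines that with the presence of a password field (the fake login page) to reach a verdict. Context-menu disabling alone is common on legitimate sites, so a single category only yields "suspicious"; the redirect-to-legitimate-site pattern is weighted higher because it is the most specific behavior described.

```python
import re
from dataclasses import dataclass

# Heuristic regexes for the client-side anti-analysis behaviours described in the
# report. Constructed for this example; they are generic, not Tycoon-specific.
INDICATOR_PATTERNS = {
    "context_menu_disabled": [
        r"addEventListener\(\s*['\"]contextmenu['\"]",
        r"\boncontextmenu\s*=",
    ],
    "clipboard_overwrite": [
        r"addEventListener\(\s*['\"](copy|cut)['\"]",
        r"clipboardData\.setData\(",
    ],
    "devtools_shortcut_block": [
        r"['\"]F12['\"]",
        r"keyCode\s*===?\s*123\b",
        r"ctrlKey\s*&&\s*\w+\.shiftKey",
    ],
    "devtools_open_check": [
        r"outerWidth\s*-\s*\w+\.innerWidth",
        r"outerHeight\s*-\s*\w+\.innerHeight",
        r"\bdebugger\b",
    ],
    "automation_tool_check": [
        r"navigator\.webdriver",
        r"\b(callPhantom|_selenium)\b",
    ],
    # location.href/replace followed (within the same statement) by the
    # legitimate site the report names as the redirect target.
    "redirect_to_legit_site": [
        r"location\.(href|replace)\b[^;\n]{0,80}onedrive\.com",
    ],
}
COMPILED = {
    name: [re.compile(p, re.IGNORECASE) for p in pats]
    for name, pats in INDICATOR_PATTERNS.items()
}
PASSWORD_FIELD = re.compile(r"<input[^>]+type\s*=\s*['\"]password['\"]", re.IGNORECASE)

# Assumed scoring: one point per category hit, extra weight for the redirect,
# one point if the page also carries a credential form.
REDIRECT_BONUS = 2
LOGIN_FORM_BONUS = 1
LIKELY_THRESHOLD = 3


@dataclass
class ScanResult:
    indicators: dict      # category -> number of pattern matches (only hits)
    has_login_form: bool
    score: int
    verdict: str          # "clean" | "suspicious" | "likely-anti-analysis"


def scan_page_source(source: str) -> ScanResult:
    """Score a captured HTML/JS page for the evasion behaviours in the report."""
    indicators = {}
    for name, regexes in COMPILED.items():
        hits = sum(len(rx.findall(source)) for rx in regexes)
        if hits:
            indicators[name] = hits
    has_login_form = PASSWORD_FIELD.search(source) is not None

    score = len(indicators)
    if "redirect_to_legit_site" in indicators:
        score += REDIRECT_BONUS
    if indicators and has_login_form:
        score += LOGIN_FORM_BONUS

    if score >= LIKELY_THRESHOLD:
        verdict = "likely-anti-analysis"
    elif score > 0:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return ScanResult(indicators, has_login_form, score, verdict)


# Constructed sample inputs (not real captures).
BENIGN_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="email" name="user"><input type="password" name="pass">
  <button>Sign in</button>
</form>
<script>document.querySelector('form').addEventListener('submit', () => console.log('submit'));</script>
</body></html>"""

SUSPICIOUS_PAGE = """<html><body>
<form><input type="email" name="u"><input type="password" name="p"></form>
<script>
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
document.addEventListener('copy', function (e) { e.clipboardData.setData('text/plain', ''); e.preventDefault(); });
document.addEventListener('keydown', function (e) { if (e.key === 'F12' || (e.ctrlKey && e.shiftKey)) { e.preventDefault(); } });
setInterval(function () { if (window.outerWidth - window.innerWidth > 160) { window.location.href = 'https://www.onedrive.com'; } }, 1000);
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        r = scan_page_source(page)
        print(f"{label}: verdict={r.verdict} score={r.score} indicators={r.indicators}")
```

Running the module prints "clean" for the plain login form and "likely-anti-analysis" for the page that combines all four listed behaviors with the redirect. The scanner is meant for saved page sources from a sandbox or mail-gateway detonation; it does not execute the JavaScript, so obfuscated kits (the report's last feature) will need deobfuscation or a dynamic, instrumented-browser check before these patterns become visible.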
## Mitigation Strategies
- Prevention measures: Implementing advanced email filtering solutions capable of deep content inspection and sandbox analysis that can resist basic anti-analysis scripts.
- Hardening recommendations: Educating users on social engineering tactics, especially those appearing to come from legitimate senders. Training analysts/developers on recognizing aggressive script-based countermeasures. Continuous monitoring for session cookie interception attempts on M365 infrastructure.
## Related Tools/Techniques
- Phishing-as-a-Service (PhaaS) platforms (General category).
- Tycoon (Earlier iteration of the phishing kit).
- General web-based evasion techniques (e.g., debugger detection, right-click disabling).