Threat researchers analyzed the updated Tycoon 2FA phishing kit, which bypasses MFA
Analysis Summary
# Tool/Technique: Tycoon 2FA Phishing Kit
## Overview
Tycoon 2FA is an evolved phishing kit, categorized under Phishing-as-a-Service (PhaaS), designed to steal credentials, specifically targeting Microsoft 365 session cookies to bypass Multi-Factor Authentication (MFA/2FA). The latest version incorporates advanced evasion and detection-bypassing techniques.
## Technical Details
- Type: Phishing Kit / Tool (PhaaS related)
- Platform: Web-based (targets web application authentication, specifically Microsoft 365)
- Capabilities: 2FA bypass (via session cookie theft), advanced anti-analysis features, use of legitimate email accounts for distribution.
- First Seen: August 2023 (current version observed November 2024)
## MITRE ATT&CK Mapping
Since the kit is focused on credential theft via phishing and circumvention of security controls:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (if the phishing emails carry attachments)
- T1566.002 - Spearphishing Link
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1057 - Process Discovery (mapped for the kit's detection of developer-tool activity on the page)
- **TA0006 - Credential Access**
- T1555 - Credentials from Password Stores (Implied, as session data is being sought)
## Functionality
### Core Capabilities
- **MFA/2FA Bypass:** Targets and steals Microsoft 365 session cookies to maintain access even after initial 2FA prompts.
- **Phishing Delivery:** Utilizes legitimate, often compromised, email accounts to send phishing messages, improving initial delivery success.
### Advanced Features
- **Anti-Analysis Code:** Employs obstructive source code intended to prevent automated tools and security analysts from easily analyzing the phishing web page.
- **Automated Script Detection:** Includes measures to detect and block automated security scripts, such as those associated with penetration testing tools.
- **Developer Tool Evasion:** Listens for keystrokes commonly associated with invoking web inspection tools (like F12 or developer consoles). If detected, it redirects the user to a legitimate site (e.g., OneDrive) to mask malicious activity.
- **Right-Click Disablement:** Disables the right-click context menu to hinder manual examination of page elements or source code.
- **Obfuscation:** Uses code obfuscation to hide the malicious purpose of the web page code.
- **Clipboard Hijacking:** Overwrites clipboard content when a user attempts to copy text from the phishing page, hindering analysts from copying page content out for sharing or automated IOC scraping.
## Indicators of Compromise
*Note: Specific IOCs (Hashes, C2s) are not provided in the given text, only behavioral indicators.*
- File Hashes: [Information not available in text]
- File Names: [Information not available in text]
- Registry Keys: [Information not available in text]
- Network Indicators: [Information not available in text, C2 communication is implied for cookie exfiltration]
- Behavioral Indicators:
- Execution of scripts blocking F12/developer tool usage.
- Redirection to legitimate Microsoft domains (like OneDrive) upon detection of analysis tools.
- Disabling of context menu (right-click) functionality on the web page.
- Attempted obfuscation of HTML/JavaScript source code.
## Associated Threat Actors
- Threat actors operating Phishing-as-a-Service (PhaaS) groups are leveraging this kit. The specific group responsible for the kit's creation is not named, but its use is associated with the rising trend of sophisticated credential attacks.
## Detection Methods
- Signature-based detection: Not explicitly detailed, but customized signatures for the obfuscated code might be developed.
- Behavioral detection: Critical for detecting the use of this kit, specifically monitoring website behavior for script blocking, developer tool countermeasures, and unexpected redirection/clipboard manipulation.
- YARA rules: [Information not available in text]
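The behavioral indicators listed above (blocked context menu, F12/devtools key trapping, redirection to a legitimate Microsoft site, clipboard overwriting, obfuscated script) can be turned into a source-level heuristic scan of a fetched landing page. The following is an added example, not code from the original report or from any vendor tool; the page samples are constructed, the indicator names, regexes and weights are my own assumptions, and the score threshold is illustrative.

```python
import re

# Constructed sample page sources (not real kit code): one benign login page and
# one exhibiting the evasion behaviours the report describes.
BENIGN_PAGE = """<html><body><script>
document.getElementById('login').addEventListener('submit', e => validate(e));
</script></body></html>"""

SUSPICIOUS_PAGE = """<html><body><script>
document.addEventListener('contextmenu', e => e.preventDefault());
document.addEventListener('keydown', function(e){
  if (e.keyCode === 123) { window.location.replace('https://onedrive.live.com/'); }
});
document.addEventListener('copy', e => {
  e.clipboardData.setData('text/plain', ''); e.preventDefault();
});
eval(atob('ZG9jdW1lbnQ='));
</script></body></html>"""

# (indicator name, regex over page source, weight) -- heuristic, assumed values.
INDICATORS = [
    ("contextmenu_blocked",
     r"['\"]contextmenu['\"][^;]*preventDefault|oncontextmenu\s*=\s*[^;]*return\s+false", 2),
    ("devtools_keys_trapped",
     r"keyCode\s*===?\s*123|key\s*===?\s*['\"]F12['\"]", 3),
    ("redirect_to_legit_site",
     r"location\.(replace|href|assign)\s*[=(]\s*['\"]https?://[^'\"]*(onedrive|microsoft|office)", 2),
    ("clipboard_overwritten", r"clipboardData\.setData", 2),
    # eval over a base64-decoded blob is one common obfuscation pattern.
    ("eval_on_decoded_blob", r"eval\s*\(\s*atob\s*\(", 3),
]


def scan_page(source: str):
    """Return (score, matched indicator names) for one page source."""
    matched = [name for name, pattern, _ in INDICATORS
               if re.search(pattern, source, re.IGNORECASE)]
    score = sum(weight for name, _, weight in INDICATORS if name in matched)
    return score, matched


def is_suspicious(source: str, threshold: int = 4) -> bool:
    """Flag a page only when several independent evasion indicators co-occur;
    a single blocked context menu alone is common on legitimate sites."""
    return scan_page(source)[0] >= threshold


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(label, scan_page(page), is_suspicious(page))
```

Run the scanner over landing-page sources captured by a URL sandbox or mail gateway; the weights and threshold should be tuned against a corpus of known-good pages before alerting on the score.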
## Mitigation Strategies
- Prioritize multilayered defense strategies.
- Invest in evolving security tools capable of sophisticated behavioral analysis beyond simple signatures.
- Foster a strong security culture through continuous vigilance and training.
- Implement controls that enforce strict session lifetime management for MFA tokens, minimizing the utility of stolen session cookies.
- Deploy web application security solutions capable of identifying content tampering and script evasion techniques on landing pages.
## Related Tools/Techniques
- Phishing-as-a-Service (PhaaS) platforms in general.
- Other credential harvesting tools that target Microsoft 365 (e.g., "Greatness" Phishing Tool mentioned in related articles).