Full Report
Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities. [...]
Analysis Summary
# Tool/Technique: Tycoon2FA Phishing Kit
## Overview
Tycoon2FA is a Phishing-as-a-Service (PhaaS) platform used to facilitate sophisticated phishing attacks, primarily targeting Microsoft 365 credentials. It incorporates new anti-debugging logic and is frequently used in conjunction with malicious SVG attachments to maximize evasion and successfully redirect victims to fake login pages.
## Technical Details
- Type: Attack Tool / Phishing Kit (PhaaS)
- Platform: Web/Email targeting Microsoft 365 users.
- Capabilities: Credential harvesting, sophisticated evasion techniques (anti-debugging), redirection to fake login pages.
- First Seen: Not stated in the source; the source notes only that the anti-debugging logic is a newly added feature.
## MITRE ATT&CK Mapping
The activities of the Tycoon2FA phishing kit fall primarily under the Initial Access and Credential Access tactics:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Use of malicious SVG attachments)
- T1566.002 - Spearphishing Link (Redirection to fake login pages)
- **TA0006 - Credential Access**
- T1003 - OS Credential Dumping (inferred rather than stated, because the kit's goal is credential theft; note that T1003 describes extracting credentials from a host, whereas capture at a fake login page is more precisely Input Capture: Web Portal Capture, T1056.003)
## Functionality
### Core Capabilities
- Provides infrastructure for setting up phishing campaigns against Microsoft 365.
- Leverages lure documents (like fake Microsoft Teams voicemail alerts).
- Attempts to steal account credentials upon user input at the fake login page.
### Advanced Features
- **Anti-Debugging Logic:** Implements evasion techniques designed to complicate forensic analysis and detection by security researchers.
- **Redirection Chain:** Redirects victims through a chain of hops, sometimes via legitimate sites (like rakuten[.]com), before landing on the actual phishing portal, which can confuse initial automated scanning.
- **Malicious SVG Attachments:** Uses SVG files to deliver obfuscated JavaScript payloads via email attachments, which automatically execute upon rendering in a browser.
## Indicators of Compromise
*Note: Specific hashes or IPs are not provided in the extracted text. Indicators focus on the file type and delivery mechanism.*
- File Hashes: [Not available in context]
- File Names: [Not specified, but attachments are disguised as voice messages, logos, or cloud document icons.]
- Registry Keys: [Not applicable]
- Network Indicators: [C2 infrastructure details not specified, but leads to fake Office 365 login pages.]
- Behavioral Indicators:
- Execution of JavaScript embedded within SVG files upon rendering in a browser.
- Redirecting users from an email link or attachment execution to a Microsoft 365 login prompt.
## Associated Threat Actors
- Threat actors utilizing PhaaS platforms like Tycoon2FA, Mamba2FA, and Sneaky2FA are driving the surge in malicious SVG attachments. (Specific named state actors or groups are not linked directly to Tycoon2FA in this excerpt, only the prevalence of its associated techniques).
## Detection Methods
- Signature-based detection: Difficult due to obfuscation (base64, ROT13, XOR) of the JavaScript payload within SVGs.
- Behavioral detection: Monitoring browser sessions for unexpected redirections following the opening of email attachments or links.
- YARA rules: Potentially useful for identifying code patterns characteristic of the kit's obfuscation techniques within SVG files.
## Mitigation Strategies
- Block or flag SVG attachments in email gateways.
- Use phishing-resistant Multi-Factor Authentication (MFA) methods, such as FIDO2 authenticators (hardware security keys).
- Verify sender authenticity carefully, especially for unexpected alerts (e.g., voicemail notifications).
## Related Tools/Techniques
- Mamba2FA (PhaaS platform)
- Sneaky2FA (PhaaS platform)
- Malicious SVG (Scalable Vector Graphics) file attachments used for phishing.
---
# Tool/Technique: Malicious SVG Attachments in Phishing
## Overview
Malicious Scalable Vector Graphics (SVG) files are being increasingly used as email attachments in phishing campaigns, often orchestrated by PhaaS platforms like Tycoon2FA. These files disguise malicious code as standard images, leveraging the fact that browsers automatically trigger embedded JavaScript when an SVG is rendered.
## Technical Details
- Type: Attack Technique / Abuse of a file format (SVG) for payload delivery
- Platform: Email systems, targeting users who render attachments in browsers or supporting email clients.
- Capabilities: Evading email gateway detection, executing obfuscated JavaScript, redirecting targets to credential harvesting sites.
- First Seen: Not stated; reports cite a 1,800% surge in malicious SVG attachments between April 2024 and March 2025.
## MITRE ATT&CK Mapping
This technique is centered on Initial Access via attachment delivery.
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
## Functionality
### Core Capabilities
- Using SVG files disguised as innocuous items (voice messages, logos, icons).
- Embedding JavaScript within the SVG payload.
- Automatic execution of the JavaScript payload when the SVG is rendered.
### Advanced Features
- **Payload Obfuscation:** The embedded JavaScript is heavily obfuscated using base64 encoding, ROT13, XOR encryption, and junk code to evade static analysis.
- **Redirection:** The executed script redirects the recipient to a target phishing page (e.g., a fake Office 365 login page).
## Indicators of Compromise
- File Hashes: [Not available in context]
- File Names: [Varies, disguised as common icons/messages.]
- Registry Keys: [Not applicable]
- Network Indicators: Connection to known phishing endpoints following SVG rendering.
- Behavioral Indicators:
- Ingestion of an SVG file via email.
- Browser process initiating unexpected script execution upon opening the SVG.
- Subsequent DNS lookups or HTTP requests to non-approved domains following execution.
## Associated Threat Actors
- Threat actors utilizing PhaaS platforms like Tycoon2FA, Mamba2FA, and Sneaky2FA.
## Detection Methods
- Signature-based detection: Ineffective against heavily obfuscated code.
- Behavioral detection: Monitoring for script execution triggered by opening an image file format such as SVG, which is anomalous for an image.
- YARA rules: Rules designed to detect patterns of base64, ROT13, or XOR within SVG content.
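As an added example (not code from the source article or from any product it mentions), the following Python triage scanner applies the static checks listed in both Detection Methods sections above: it flags script elements, on* event handlers, javascript: URIs, decoding primitives and long base64 runs inside an SVG attachment, then maps the findings to a gateway action. The two sample SVGs are constructed for the test and carry no real payload.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real lure): a benign SVG carrying the structural
# traits the summary describes: a <script> element, an onload handler and a
# base64 blob handed to atob(). The blob decodes to a harmless test string.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <rect width="10" height="10"/>
  <script>var d = atob("aGVsbG8gd29ybGQsIHRoaXMgaXMgYSB0ZXN0");</script>
</svg>"""

# Constructed clean SVG: geometry only, no script, no handlers.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <path d="M10 10 L20 20 L10 20 Z" fill="blue"/>
</svg>"""

# Runs of base64 alphabet long enough to hide a payload; short runs such as
# colour names or ids are ignored.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Decoding primitives an obfuscated stage typically calls before executing.
DECODERS = ("atob(", "String.fromCharCode", "unescape(", "eval(")

def scan_svg(svg_text):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        if el.tag.split("}")[-1].lower() == "script":
            findings.append("script element")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):
                findings.append("event handler " + name)
            if value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URI in " + name)
    for dec in DECODERS:
        if dec in svg_text:
            findings.append("decoder " + dec.rstrip("("))
    for m in B64_RUN.finditer(svg_text):
        try:
            base64.b64decode(m.group(0), validate=True)
            findings.append("base64 blob")
        except (binascii.Error, ValueError):
            pass  # alphanumeric run that is not valid base64 (e.g. path data)
    return findings

def verdict(svg_text):
    """Gateway action: script/handler/URI -> block; decoders or blobs -> review."""
    f = scan_svg(svg_text)
    if any(x.startswith(("script", "event", "javascript")) for x in f):
        return "block"
    return "review" if f else "allow"
```

The blob check only confirms that a run decodes as base64, so on real mail it should be paired with the script/handler findings rather than used as a standalone signal.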
## Mitigation Strategies
- Email security policies configured to block (quarantine or reject) all incoming SVG attachments.
- User training emphasizing suspicion regarding unexpected attachments, even if they appear to be images or documents.
## Related Tools/Techniques
- Tycoon2FA (PhaaS kit often associated with deploying these SVGs)
- JavaScript-based credential theft techniques.