New Phishing-as-a-Service (PhaaS) platform, 'Tycoon 2FA', Targets Microsoft 365 and Gmail Accounts

Stu Sjouwerman | Apr 9, 2024

A new PhaaS service brings the power of bypassing multi-factor authentication (MFA) to the world's most-used email platforms.

At its core, Tycoon 2FA isn't doing anything new. It uses a reverse proxy to serve a phishing page that impersonates the legitimate email platform, then relays the victim's input to the real service in real time. Because the victim actually completes a genuine login, including the MFA step, the attacker ends up with the authenticated session rather than just a password.

But how this platform does it is sophisticated. Sekoia's deep-dive analysis of the phishing kit gives a glimpse of how much engineering has gone into this latest iteration of the PhaaS platform.

The following diagram shows how it bypasses 2FA without alerting the victim.

[Diagram: overview of the main operations specific to the Tycoon 2FA phishing kit, as of March 2024]

Source: Sekoia

According to Bleeping Computer’s coverage of the Sekoia analysis, there are seven stages in this attack:

  • Stage 0 – Attackers distribute malicious links via emails with embedded URLs or QR codes, tricking victims into accessing phishing pages.
  • Stage 1 – A security challenge (Cloudflare Turnstile) filters out bots, allowing only human interactions to proceed to the deceptive phishing site.
  • Stage 2 – Background scripts extract the victim's email from the URL to customize the phishing attack.
  • Stage 3 – Users are quietly redirected to another part of the phishing site, moving them closer to the fake login page.
  • Stage 4 – This stage presents a fake Microsoft login page to steal credentials, using WebSockets for data exfiltration.
  • Stage 5 – The kit mimics a 2FA challenge, intercepting the 2FA token or response to bypass security measures.
  • Stage 6 – Finally, victims are directed to a legitimate-looking page, obscuring the phishing attack success.
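To make the relay mechanism described above concrete (the reverse-proxy paragraph and Stages 4 through 6), here is an added simulation that is not part of the article, of Sekoia's analysis, or of the kit itself. It models a toy identity provider that accepts password plus TOTP, a proxy kit that forwards whatever the victim types and keeps the session cookie it gets back, and, as a contrast the article does not discuss, an origin-bound credential in the style of WebAuthn whose signed assertion names the origin the browser is really on. All origins, account names, secrets and the protocol shapes are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed for this example only; nothing here comes from the article or the kit.
LEGIT_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.evil.test"
VICTIM = "victim@example.com"
FIXED_NOW = 1_700_000_000  # fixed clock so the TOTP window is deterministic


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits): the 'something you have' factor."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def sign_assertion(device_key: bytes, challenge: str, browser_origin: str) -> str:
    """Stand-in for a WebAuthn signature: the origin the browser is really on is
    part of the signed data, and page script cannot substitute another origin."""
    data = f"{browser_origin}|{challenge}".encode()
    return hmac.new(device_key, data, hashlib.sha256).hexdigest()


class LegitimateService:
    """Toy identity provider at LEGIT_ORIGIN. Either factor flow ends in a bearer cookie."""

    def __init__(self):
        self.users = {VICTIM: {"password": "Winter2024!",
                               "totp_secret": b"constructed-totp-seed",
                               "device_key": b"constructed-device-key"}}
        self.sessions = {}
        self.challenges = set()

    def _issue_cookie(self, email):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = email
        return cookie

    def login_with_otp(self, email, password, otp, now):
        user = self.users.get(email)
        if not user or not hmac.compare_digest(user["password"], password):
            return None
        if not hmac.compare_digest(totp(user["totp_secret"], now), otp):
            return None
        return self._issue_cookie(email)

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_with_assertion(self, email, challenge, signed_origin, signature):
        user = self.users.get(email)
        if not user or challenge not in self.challenges:
            return None
        self.challenges.discard(challenge)
        # Origin binding: a challenge relayed through a lookalike site gets signed
        # with the lookalike's origin, so it is rejected here even though the
        # challenge itself is genuine and fresh.
        if signed_origin != LEGIT_ORIGIN:
            return None
        expected = sign_assertion(user["device_key"], challenge, signed_origin)
        return self._issue_cookie(email) if hmac.compare_digest(expected, signature) else None

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class ReverseProxyKit:
    """Stages 4-5: the page at PHISH_ORIGIN forwards the victim's input upstream
    and keeps any session cookie that comes back for the operator to replay."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = []  # (email, cookie) pairs

    def fake_password_and_otp_page(self, email, password, otp, now):
        cookie = self.upstream.login_with_otp(email, password, otp, now)
        if cookie:
            self.captured.append((email, cookie))
        return cookie is not None  # Stage 6: the victim only sees 'success'

    def fake_passkey_page(self, email, sign_fn):
        challenge = self.upstream.new_challenge()     # relayed verbatim
        signature = sign_fn(challenge, PHISH_ORIGIN)  # browser really is on the phish
        cookie = self.upstream.login_with_assertion(email, challenge, PHISH_ORIGIN, signature)
        if cookie:
            self.captured.append((email, cookie))
        return cookie is not None


def otp_relay_scenario():
    """Victim types a correct password and a fresh, correct TOTP into the phishing
    page. Every check at the real service passes; the attacker holds the session."""
    svc = LegitimateService()
    kit = ReverseProxyKit(svc)
    code = totp(svc.users[VICTIM]["totp_secret"], FIXED_NOW)  # read off the victim's app
    kit.fake_password_and_otp_page(VICTIM, "Winter2024!", code, FIXED_NOW)
    _, stolen_cookie = kit.captured[0]
    return svc.whoami(stolen_cookie)


def origin_bound_relay_scenario():
    """Same relay against an origin-bound credential: nothing usable is captured."""
    svc = LegitimateService()
    kit = ReverseProxyKit(svc)
    key = svc.users[VICTIM]["device_key"]
    kit.fake_passkey_page(VICTIM, lambda ch, origin: sign_assertion(key, ch, origin))
    return len(kit.captured)


def origin_bound_direct_login():
    """Control: the same credential used at the genuine origin works normally."""
    svc = LegitimateService()
    key = svc.users[VICTIM]["device_key"]
    challenge = svc.new_challenge()
    cookie = svc.login_with_assertion(VICTIM, challenge, LEGIT_ORIGIN,
                                      sign_assertion(key, challenge, LEGIT_ORIGIN))
    return svc.whoami(cookie)
```

The point of the three scenario functions is that the relayed OTP login is indistinguishable from a real one at the service, which is why "the user entered a valid second factor" proves nothing against this class of kit; the defence that holds up is a credential whose proof is bound to the origin it was created for.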

According to Sekoia, Tycoon has received an estimated total of over $394K in bitcoin since the service's inception in 2019. Sekoia estimates that "several hundred Tycoon 2FA kits were sold as-a-service over half a year" starting in the latter part of 2023, demonstrating that this phishing kit is growing in popularity and effectiveness.


12 Ways to Defeat Multi-Factor Authentication On-Demand Webinar

Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, explores 12 ways hackers use social engineering to trick your users into revealing sensitive data or enabling malicious code to run. Plus, he shares a hacking demo by KnowBe4's Chief Hacking Officer, Kevin Mitnick.


Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.