Microsoft 365 Targeted by MFA-Bypassing Phishing Kit: How You Can Protect Your Data from Emerging Threats

MARCH 28TH, 2024

The 2023 Verizon Data Breach Investigations Report found that attackers access an organization’s data in three primary ways: stolen credentials, exploitation of vulnerabilities, and phishing. However, phishing is still the top culprit when it comes to confirmed breaches. Vade says cybercriminals sent over 1.76 billion phishing emails globally in 2023, noting that phishing-as-a-service (PhaaS) marketplaces are flourishing. 

Now, a new PhaaS platform named “Tycoon 2FA” is on the hunt for access to your data. According to the SaaS cybersecurity firm Sekoia, it’s explicitly designed to bypass the two-factor authentication (2FA) protections that secure your Microsoft 365 and Gmail data. Sadly, Sekoia also notes that the Tycoon 2FA phishing kit sells ready-to-use Microsoft 365 and Gmail phishing pages and attachment templates starting at $120 for ten days. That’s a cheap entry point for hackers hoping to access your data.

What Is Tycoon 2FA and How Does It Work?

Sekoia’s analysts discovered Tycoon 2FA during threat-hunting exercises in October 2023. The Saad Tycoon group was selling it on Telegram channels. Tycoon 2FA resembles other adversary-in-the-middle (AitM) platforms such as Dadsec OTT, which should heighten concerns that cybercriminals are increasingly collaborating or sharing code.

A 2024 update of Tycoon 2FA is now stealthier than the previous version as the hackers behind it try to elude detection and attack prevention. This PhaaS service can now be found on over 1,100 domains and has been implicated in numerous phishing attacks.

Here’s how it works:

Stage 0
Deceptive emails with malicious URLs or QR codes are sent to unsuspecting victims, enticing them to visit phishing sites.

Stage 1
Once a user does so, a bot-filtering challenge such as Cloudflare Turnstile screens out non-human traffic (security scanners and crawlers), allowing only real users to proceed.

Stage 2
To customize the attack, the phishing software uses scripts to extract the victim’s email to personalize future phishing forays.

Stage 3
Nuanced redirection moves the user to a specific place on the phishing site before guiding them to a malicious login page.

Stage 4
The victim arrives at a fake Microsoft login page, where their credentials are captured and exfiltrated via WebSockets.

Stage 5
The phishing software replicates the 2FA prompt, capturing the token or response to bypass the 2FA protection.

Stage 6
Finally, the victim is diverted to an authentic-looking page, leaving them unaware of the attack.
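As an added illustration (not from the original post or from Sekoia’s report), the Python below shows one way a defender can hunt for the session hijack that stages 4 and 5 make possible: an MFA-challenged sign-in followed within minutes by a sign-in that reuses the resulting token from a different IP address or client. The event records and their field names are constructed for this example and are not the schema of any real sign-in log.

```python
from datetime import datetime, timedelta

# Constructed sign-in events for the example. Field names are assumptions,
# not the schema of any real identity provider's sign-in log.
# "challenged" = the user completed an interactive MFA prompt;
# "token" = the sign-in was satisfied by an existing session token/cookie.
EVENTS = [
    {"user": "alice@example.com", "time": "2024-03-27T09:00:00",
     "ip": "203.0.113.10", "ua": "Edge/122", "mfa": "challenged"},
    # The same session reused two minutes later from another address and
    # client: the pattern an AitM kit produces after relaying the 2FA response.
    {"user": "alice@example.com", "time": "2024-03-27T09:02:00",
     "ip": "198.51.100.7", "ua": "Chrome/121", "mfa": "token"},
    {"user": "bob@example.com", "time": "2024-03-27T10:00:00",
     "ip": "203.0.113.20", "ua": "Edge/122", "mfa": "challenged"},
    # Benign: bob's own client reuses his token from the same place.
    {"user": "bob@example.com", "time": "2024-03-27T10:01:00",
     "ip": "203.0.113.20", "ua": "Edge/122", "mfa": "token"},
]


def find_aitm_candidates(events, window_minutes=10):
    """Return (user, mfa_ip, reuse_ip) for every interactive MFA sign-in that is
    followed within the window by a token-based sign-in from a different IP
    address or user agent. This is a heuristic: a user switching from Wi-Fi to
    mobile data can trigger it, so treat hits as leads to triage, not verdicts."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 sorts lexically
        by_user.setdefault(ev["user"], []).append(ev)

    hits = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            if first["mfa"] != "challenged":
                continue
            t0 = datetime.fromisoformat(first["time"])
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["time"]) - t0 > window:
                    break  # events are sorted, so nothing later is inside the window
                if later["mfa"] == "token" and (
                    later["ip"] != first["ip"] or later["ua"] != first["ua"]
                ):
                    hits.append((user, first["ip"], later["ip"]))
    return hits


if __name__ == "__main__":
    for user, mfa_ip, reuse_ip in find_aitm_candidates(EVENTS):
        print(f"possible AitM session hijack: {user} passed MFA from {mfa_ip}, "
              f"token reused from {reuse_ip}")
```

Running it over the constructed events flags only alice, whose token was reused from a second address and browser within the window; bob’s same-client reuse is left alone.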

Sekoia’s report adds that the Tycoon 2FA phishing kit has undergone substantial upgrades in its ability to avoid detection. In one example, it strategically postpones the loading of malicious resources until the user gets past the Cloudflare Turnstile challenge, using dynamically generated, apparently random URLs to cover its tracks.

The platform has also improved its ability to identify and dismiss traffic from the Tor project (a free, open-source network that allows users to access the Internet anonymously) or IP addresses associated with data centers.

Tycoon 2FA’s Wide Availability

Sekoia concludes that the scale of Tycoon 2FA’s operations is extensive, with a large base of cybercriminals using the platform for their phishing forays. The Sekoia researchers also found that the Bitcoin wallet connected to the Tycoon 2FA operation has executed over 1,800 transactions since 2019, with the wallet amassing nearly $400,000 as of this month.

To help you identify whether you’ve been compromised, Sekoia offers a repository of over 50 indicators of compromise (IoCs) associated with Tycoon 2FA.

How Unified Data Protection Helps Fight Phishing

Once a hacker gains access to your Microsoft SaaS data via Tycoon 2FA, it may be too late to prevent data loss due to the software’s exfiltration capabilities. But there is a way to ensure you can recover: Arcserve Unified Data Protection (UDP).

The solution provides unmatched depth and breadth in integrated data protection, disaster recovery, and business continuity. It protects against data loss and extended downtime across cloud, local, virtual, hyperconverged, and SaaS-based workloads for effective protection against phishing. 

That includes support for air-gap solutions, such as tape backup, where your data is physically or virtually separated from your network. A successful phishing attack can’t reach this data, so you can be sure it can be recovered.

Arcserve UDP also supports immutable storage for your backups. Immutability ensures unauthorized users can’t alter or delete your backups, so they are always available for recovery. Arcserve UDP is a cost-effective solution that adds multilayered defenses in your fight against cybercrime.

To help identify the right data protection solution for your business, talk to an Arcserve Technology Partner.

To learn more about Arcserve UDP, request a demo or sign up for a 30-day free trial.