← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts
WHITE Saad Tycoon dekaRituraj 2024-03-26 Modified: 2024-03-26
70
IOCs
HIGH VOLUME
Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named 'Tycoon 2FA' to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. Tycoon 2FA was discovered by Sekoia analysts in October 2023 during routine threat hunting, but it has been active since at least August 2023, when the Saad Tycoon group offered it through private Telegram channels. The PhaaS kit shares similarities with other adversary-in-the-middle (AitM) platforms, such as Dadsec OTT, suggesting possible code reuse or a collaboration between developers.
tycoonphaasjavascript codec2 serversekoiaoctoberaugusthtml codemarchdadsec otttwitterfebruarybitcoincapturefinalopenwaitingfirstvidarraccoonsaad tycoon
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (1 / 70 total)
All BitcoinAddress FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 cfcd208495d565ef66e7dff9f98764da MD5 of 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 2024-03-26
References (2)
↗ https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/ ↗ https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/