Tycoon 2FA, a Phishing-as-a-Service (PhaaS) platform, has captured the attention of cybersecurity experts since its appearance in August 2023. This tool represents a significant threat, especially because of its ability to bypass Multi-Factor Authentication (MFA), a widely used protection for accounts such as Microsoft 365 and Gmail. Tycoon 2FA uses the Adversary-in-the-Middle (AiTM) phishing technique, which lets it collect session cookies, bypass MFA controls, and gain unauthorized access to accounts and cloud services.
Researchers from the Proofpoint team have warned that Tycoon 2FA relies on attacker-controlled infrastructure to host phishing pages, using a reverse proxy to intercept the credentials victims enter. The credentials are then forwarded to the legitimate service, which triggers a real MFA request; once the victim completes it, the resulting session cookies are relayed to the attackers, who can use them to access the compromised accounts.
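The defender-side check that follows from the flow above is to look for a session cookie that was issued after an MFA success and is then presented from a different client. This is an added example, not code from the article or from Proofpoint; the sign-in event schema and the sample log are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    event: str        # "mfa_success" or "session_use" (schema is an assumption)
    ip: str
    user_agent: str

def find_session_replay(events, window=timedelta(hours=8)):
    """Return (user, session_id, mfa_ip, use_ip) for each session cookie that is
    presented within `window` of its MFA success from a different IP or UA.
    In the AiTM flow the identity provider sees the MFA step coming from the
    proxy; a later use from another client changes IP and/or UA. Heuristic
    only: a cookie reused through the same proxy address is not caught."""
    origin = {}   # session_id -> (ts, ip, user_agent) recorded at MFA success
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event == "mfa_success":
            origin[e.session_id] = (e.ts, e.ip, e.user_agent)
        elif e.event == "session_use" and e.session_id in origin:
            ts0, ip0, ua0 = origin[e.session_id]
            if e.ts - ts0 <= window and (e.ip != ip0 or e.user_agent != ua0):
                alerts.append((e.user, e.session_id, ip0, e.ip))
    return alerts

# Constructed sample log using documentation IP ranges; no real indicators.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    # victim completes MFA; the IdP sees the phishing proxy's address
    SignInEvent(T0, "alice", "sess-1", "mfa_success", "203.0.113.10", "Chrome/122"),
    # the same cookie is presented from a different client minutes later
    SignInEvent(T0 + timedelta(minutes=4), "alice", "sess-1", "session_use",
                "198.51.100.7", "Chrome/121"),
    # benign user: MFA and later use from the same client
    SignInEvent(T0, "bob", "sess-2", "mfa_success", "192.0.2.5", "Firefox/123"),
    SignInEvent(T0 + timedelta(hours=1), "bob", "sess-2", "session_use",
                "192.0.2.5", "Firefox/123"),
]

if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_EVENTS):
        print("possible AiTM session replay:", alert)
```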
Since late 2023, campaigns using Tycoon 2FA to steal MFA tokens have been detected. Attackers use methods such as malicious links or PDF files with QR codes sent via email, as well as fake voice messages to redirect victims to fraudulent pages. Common lures include topics related to salary bonuses or false corporate updates.
According to Proofpoint experts, the cybercriminals behind Tycoon 2FA have started selling ready-to-use phishing pages through Telegram, with prices starting at $120 for ten days of access to the service. This enables even attackers with little technical skill to carry out sophisticated phishing attacks.
In March 2024, an updated version of the Tycoon 2FA kit was released, with significant changes to its JavaScript and HTML code that make it even harder for security systems to detect. Platforms like Evilginx and EvilProxy, which also use reverse proxies, are already being monitored and blocked by defenders, yet the use of tools that steal session tokens is increasing among phishing actors and Initial Access Brokers (IABs).
To counter threats like Tycoon 2FA, experts suggest a defense-in-depth approach, combining behavioral AI, threat intelligence, and security awareness. Behavioral analysis can help identify phishing pages and suspicious activities, while increased visibility of emerging threats is key to protecting users. Additionally, educating end users on how to recognize these risks is essential to avoid falling victim to these types of attacks.