Tycoon2FA Phishing Kit Targets Microsoft 365 With New Tricks
Summary:
Tycoon2FA is a phishing-as-a-service (PhaaS) platform that was first documented by researchers at Sekoia in October 2023. The phishing kit is known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts and has recently adopted several new evasion techniques to bypass endpoint detection systems. According to a new blog post by security firm Trustwave, Tycoon2FA now employs invisible Unicode characters — such as the Halfwidth Hangul Filler and Hangul Filler — to encode JavaScript as binary, making malicious code nearly invisible and difficult to analyze through static inspection. This obfuscation is paired with JavaScript Proxy objects that delay execution until runtime, further evading traditional detection. Tycoon has also replaced third-party CAPTCHA services like Cloudflare Turnstile with a custom HTML5 canvas-based CAPTCHA solution, featuring randomized characters and distortions to thwart automated tools and reduce fingerprinting. Additionally, Tycoon2FA now includes anti-debugging scripts to obstruct inspection and analysis by researchers. Notably, the scripts are capable of detecting browser automation tools like Burp Suite, blocking developer tools shortcuts (F12, Ctrl+Shift+I, Ctrl+U, etc.), and preventing end users from right-clicking on the page, effectively disabling Inspect Element.
Security Officer Comments:
The latest updates to the Tycoon2FA kit indicate a shift toward greater stealth and evasion, presenting increased challenges for detection and incident response. Although the individual techniques employed—such as custom HTML5-based CAPTCHAs, Unicode manipulation, proxy-based obfuscation, and anti-debugging measures—are not novel on their own, their strategic combination results in a more sophisticated and elusive phishing framework. HTML5-based visuals, such as custom CAPTCHA pages, can deceive users and lend a sense of legitimacy to malicious sites. Additionally, Unicode and proxy-based obfuscation techniques hinder static analysis and delay detection, while anti-debugging behaviors are designed to conceal malicious activity from both researchers and automated tools.
Suggested Corrections:
To effectively counter these increasingly sophisticated evasion techniques, security teams must move beyond traditional signature-based defenses and adopt a more proactive, behavior-focused approach. Behavior-based monitoring enables the detection of suspicious actions in real-time, such as unusual login attempts or dynamic script execution, which static analysis might miss. Furthermore, browser sandboxing provides a controlled environment to safely observe how potentially malicious content behaves, helping analysts detect threats without risking system compromise. Additionally, a deeper inspection of JavaScript patterns—such as obfuscated code, dynamic function calls, and unexpected network requests—can reveal hidden malicious intent and uncover phishing mechanisms that rely on tricking both users and automated tools.
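As an added example (not code from the BleepingComputer or Trustwave write-ups), a small scanner that performs the kind of JavaScript inspection suggested above: it locates runs of the two Hangul Filler characters in a script and decodes each run as 8-bit binary. The bit assignment (U+FFA0 for 1, U+3164 for 0) and the sample input are assumptions, so the decoder tries both polarities and keeps the more readable result.

```javascript
// Detector for JavaScript hidden as invisible Hangul Filler characters:
// U+3164 HANGUL FILLER and U+FFA0 HALFWIDTH HANGUL FILLER, each run read as
// 8-bit binary. Which filler means 1 is an assumption, so both are tried.
const FILLER_0 = "\u3164"; // assumed to encode bit 0
const FILLER_1 = "\uFFA0"; // assumed to encode bit 1
const FILLER_RUN = /[\u3164\uFFA0]{8,}/g; // at least one encoded byte
// Locate every run of filler characters in a source string.
function findFillerRuns(source) {
  return Array.from(source.matchAll(FILLER_RUN), (m) => ({ offset: m.index, length: m[0].length, run: m[0] }));
}

// Read a run as bytes, treating `one` as the filler that encodes bit 1.
function decodeRun(run, one) {
  let out = "";
  for (let i = 0; i + 8 <= run.length; i += 8) {
    let byte = 0;
    for (let b = 0; b < 8; b++) byte = (byte << 1) | (run[i + b] === one ? 1 : 0);
    out += String.fromCharCode(byte);
  }
  return out;
}

// Share of printable ASCII, used to choose between the two polarities.
function printableRatio(s) {
  let n = 0;
  for (const ch of s) if (ch >= " " && ch <= "~") n++;
  return s.length ? n / s.length : 0;
}

// Try both bit assignments and keep the more readable decoding.
function decodeFillerRun(run) {
  const a = decodeRun(run, FILLER_1), b = decodeRun(run, FILLER_0);
  return printableRatio(a) >= printableRatio(b) ? a : b;
}

// Report each hidden run with its position and decoded text.
function scan(source) {
  return findFillerRuns(source).map((r) => ({ ...r, decoded: decodeFillerRun(r.run) }));
}

// Constructed fixture: a benign statement encoded the same way (not a real sample).
function encodeAsFiller(text) {
  const bits = Array.from(text, (ch) => ch.charCodeAt(0).toString(2).padStart(8, "0")).join("");
  return bits.replace(/[01]/g, (bit) => (bit === "1" ? FILLER_1 : FILLER_0));
}
const SAMPLE_SOURCE = "var x = 1;\n" + encodeAsFiller("console.log('hidden')") + "\nvar y = 2;";
for (const hit of scan(SAMPLE_SOURCE)) {
  console.log(`offset ${hit.offset}: ${hit.length} invisible chars -> ${JSON.stringify(hit.decoded)}`);
}
```

Flagging any run of these fillers is itself a useful signal, since legitimate scripts almost never contain them; the decoded text is then a starting point for manual review.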
Link(s):
https://www.bleepingcomputer.com/ne...ng-kit-targets-microsoft-365-with-new-tricks/