Tycoon 2FA phishing kit bypasses MFA protections on Microsoft 365 and Gmail

A phishing kit called Tycoon 2FA is enabling attackers to bypass multi-factor authentication and steal login credentials from enterprise email users.

What happened

According to Cyber Security News, Tycoon 2FA is a sophisticated phishing-as-a-service kit that has been used in over 64,000 phishing incidents this year alone. It targets Microsoft 365 and Gmail accounts by mimicking their login pages and intercepting two-factor authentication (2FA) and multi-factor authentication (MFA) codes in real time.

The kit uses a reverse proxy in an Adversary-in-the-Middle (AiTM) configuration, relaying traffic between the victim and the real login service so that attackers capture both the login credentials and the resulting session cookies; with a valid session cookie they can access the account even when MFA is enabled. The campaign is distributed through malicious PDFs, SVGs, PowerPoint files, and phishing emails.

Going deeper

Tycoon 2FA phishing pages are hosted on cloud platforms like Amazon S3, Canva, and Dropbox to avoid detection. Victims are funneled through pre-redirection checks such as CAPTCHA, bot filtering, and debugger detection to ensure only real users reach the phishing page.

The phishing kit uses boilerplate templates that dynamically generate login pages based on real Microsoft server responses. These pages prompt users for authentication codes, which are relayed instantly to the legitimate login systems, letting attackers bypass MFA protections unnoticed.

The phishing workflow uses multi-stage JavaScript to avoid detection. Initial payloads are encoded and compressed using LZ-string and base64, then executed in-memory. Later stages remove their own code from the browser’s DOM (a tactic called the “DOM Vanishing Act”) to minimize forensic visibility.

The kit also adapts to the legitimate server's error messages so that the phishing flow stays consistent with the target organization's login policies. Final-stage payloads collect additional information, such as browser metadata and geolocation, then encrypt it and transmit it to attacker-controlled servers.

What was said

Cybereason researchers who analyzed the kit noted its modular architecture and real-time data relay capabilities. They stated that Tycoon 2FA’s use of browser fingerprinting, dynamic payload generation, and adaptive phishing flows marks it as one of the most technically advanced phishing kits to date.

The big picture

Tycoon 2FA represents a turning point in phishing tactics. Instead of stealing passwords and hoping victims don’t have MFA enabled, attackers are now intercepting authentication codes in real time and taking over active sessions. It’s a direct challenge to the idea that MFA alone can stop phishing. By combining reverse proxies, dynamic web cloning, and in-memory scripts that erase their tracks, Tycoon 2FA makes detection and attribution much harder.

Research indicates that security teams need to focus on behavior, not just credentials. Organizations should track abnormal login patterns, device mismatches, and session anomalies rather than relying solely on access prompts. Tools that analyze message behavior and traffic context, like Paubox Inbound Email Security, can help identify phishing attempts that use trusted platforms or mimic legitimate communication flows. Combined with hardware-based MFA and conditional access policies, these layered defenses make it far more difficult for attackers to slip through real-time authentication barriers.
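As an added illustration of the session-anomaly monitoring described above (this is not code from Paubox or from any of the cited researchers), the following Python flags a session cookie that is reused from a different IP address and client than the one that completed MFA, which is the footprint an AiTM relay leaves in sign-in telemetry. The events are constructed sample data and the field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in/session telemetry (hypothetical, not real logs).
# "mfa_success" marks the event that minted the session cookie; "session_use"
# marks later requests presenting that same cookie.
EVENTS = [
    {"user": "alice@example.com", "session": "s-1001", "ip": "203.0.113.10",
     "ua": "Edge/126 Windows", "ts": "2025-06-01T09:00:00", "type": "mfa_success"},
    {"user": "alice@example.com", "session": "s-1001", "ip": "203.0.113.10",
     "ua": "Edge/126 Windows", "ts": "2025-06-01T09:05:00", "type": "session_use"},
    # Same cookie presented minutes later from another IP and another client:
    {"user": "alice@example.com", "session": "s-1001", "ip": "198.51.100.77",
     "ua": "Chrome/125 Linux", "ts": "2025-06-01T09:12:00", "type": "session_use"},
    {"user": "bob@example.com", "session": "s-2002", "ip": "192.0.2.5",
     "ua": "Safari/17 macOS", "ts": "2025-06-01T10:00:00", "type": "mfa_success"},
    {"user": "bob@example.com", "session": "s-2002", "ip": "192.0.2.5",
     "ua": "Safari/17 macOS", "ts": "2025-06-01T10:30:00", "type": "session_use"},
]


def find_session_anomalies(events, window=timedelta(hours=1)):
    """Return one finding per event where a session cookie is presented from a
    different IP *and* a different client than the MFA-completing request,
    within `window` of that MFA success. Requiring both to change reduces
    noise from ordinary IP churn (e.g. mobile networks)."""
    by_session = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_session[event["session"]].append(event)

    findings = []
    for session_id, evs in by_session.items():
        origin = next((e for e in evs if e["type"] == "mfa_success"), None)
        if origin is None:
            continue  # no MFA baseline for this cookie; nothing to compare against
        t0 = datetime.fromisoformat(origin["ts"])
        for e in evs:
            elapsed = datetime.fromisoformat(e["ts"]) - t0
            ip_changed = e["ip"] != origin["ip"]
            ua_changed = e["ua"] != origin["ua"]
            if ip_changed and ua_changed and timedelta(0) < elapsed <= window:
                findings.append({
                    "user": e["user"], "session": session_id,
                    "origin_ip": origin["ip"], "replay_ip": e["ip"],
                    "origin_ua": origin["ua"], "replay_ua": e["ua"],
                    "minutes_after_mfa": int(elapsed.total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for f in find_session_anomalies(EVENTS):
        print(f)
```

A hit like this is the point at which conditional-access policies should revoke the session and require re-authentication on the device that completed MFA.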

FAQs

What makes Tycoon 2FA different from other phishing kits?

Unlike traditional kits, Tycoon 2FA intercepts MFA codes in real time by acting as a proxy between the victim and the actual service, enabling full session hijack even after MFA is completed.

How can organizations detect or prevent attacks from kits like Tycoon 2FA?

Security teams should look for session anomalies, enforce device-based access controls, and deploy AI-driven detection tools that can recognize proxy behavior and traffic manipulation patterns.

What is the 'DOM Vanishing Act' and why is it used?

It’s a technique where malicious JavaScript removes itself from the browser’s DOM after execution, making it harder for researchers and tools to detect or analyze the attack.

Why do attackers use services like Dropbox or Canva to host phishing pages?

Legitimate cloud platforms offer trusted domains and SSL certificates, helping phishing pages appear more credible while bypassing some traditional security filters.

Can users protect themselves by checking for suspicious URLs or login screens?

While good hygiene helps, Tycoon 2FA creates nearly perfect replicas of real login portals. The safest measures include using phishing-resistant MFA methods (like hardware keys) and reporting unexpected login prompts or authentication requests.