Your MFA Won’t Save You: How the Tycoon 2FA Phishing Kit Bypasses Security on Microsoft 365 and Gmail (Are You Next?)


CyberDudeBivash — cyberdudebivash.com | cyberbivash.blogspot.com | cyberdudebivash-news.blogspot.com | cryptobivash.code.blog

Author: CyberDudeBivash • Date: 05 Nov 2025 (IST) • Category: AI/MFA Security • ThreatWire Special

Affiliate Disclosure: This post contains affiliate links. We may earn a commission when you buy through links on our site.

TL;DR

  • Tycoon 2FA is a phishing-as-a-service (PhaaS) kit that performs adversary-in-the-middle (AiTM) on Microsoft 365 and Gmail logins to steal session cookies and MFA codes in real time.
  • Even if users complete MFA, attackers capture the authenticated session and walk straight into mailboxes, SharePoint/Drive, and third-party apps.
  • Fix it fast: move to phishing-resistant MFA (FIDO2 security keys with device binding), enforce Conditional Access, add token binding & continuous access evaluation, and deploy gateway-level URL & content inspection for AiTM.

Fast Facts:

  • First seen: Aug 2023; active through 2024–2025 with major updates.
  • Targets: Microsoft 365 (Entra ID/Outlook/SharePoint), Gmail/Google Workspace.
  • Technique: Reverse-proxy AiTM login pages; real-time relay of creds + MFA; cookie/session theft.
  • Outcome: Full account takeover, BEC, invoice fraud, OAuth app consent abuse, inbox rules for stealth.

Contents

  1. How Tycoon 2FA Bypasses MFA (Step-by-Step)
  2. Tycoon vs EvilProxy / Whisper / VoidProxy — What’s Different?
  3. Kill Chain: From Phish to Full Cloud Takeover
  4. Hunting & IOCs (Microsoft 365 + Google Workspace)
  5. Detections: SIEM/KQL, Wazuh, and Mail Flow Rules
  6. Mitigations That Work (Engineering & Policy)
  7. Playbooks: IR, BEC Containment, Tenant Hygiene
  8. US/EU High-CPC Buyer’s Guide: Keys, Proxies, EDR/XDR
  9. FAQ
  10. References

1) How Tycoon 2FA Bypasses MFA (Step-by-Step)

  1. Lure & Gating: Victim receives a well-crafted email/SMS (often from a compromised legit account) leading to a domain that looks like Microsoft/Google. CAPTCHA and geo/IP checks filter bots and researchers.
  2. Reverse Proxy: The kit relays the victim’s credentials to the real IdP (Microsoft/Google) and mirrors the live login flow, including MFA challenges.
  3. Live MFA Relay: When the user enters the OTP or approves push, the attacker’s proxy captures the session cookies and tokens returned by the IdP.
  4. Session Hijack: The attacker replays the session cookies to access the account without needing further MFA prompts.
  5. Persistence: inbox rules, OAuth app grants, newly added backup authenticators, newly registered FIDO keys (if policy allows), and data-exfiltration filters.

Why users still trust it: Tycoon 2FA dynamically mirrors official login UX (logos, locales, error codes) and sometimes chains through trusted services/redirectors to improve deliverability.

2) Tycoon vs. EvilProxy / Whisper / VoidProxy — What’s Different?

  • Tycoon 2FA: Mature AiTM kit with live relay, strong templating for Microsoft/Gmail, robust bot-evasion; widely seen in BEC and invoice-fraud chains.
  • EvilProxy: Early big-name AiTM, broad brand coverage; heavily documented in credential-stuffing + takeover ops.
  • Whisper 2FA (2025): Highly obfuscated, anti-debug, and operating at scale (third most common kit in recent tracking); one to watch.
  • VoidProxy (2025): Turn-key PhaaS with MFA interception and AI-written lures; tied to Microsoft/Google compromises via session theft.

3) Kill Chain: From Phish to Full Cloud Takeover

  1. Delivery: Compromised vendor/partner mailbox → trusted thread reply → link/open-redirect → Tycoon proxy.
  2. Credential + MFA capture: Live relay; cookie theft; optional device fingerprinting.
  3. Cloud entry: OWA/Gmail; enumerate mailboxes, OneDrive/Drive, SharePoint, Teams/Chat.
  4. Monetization: BEC/invoice redirection, payroll reroute, OAuth app malicious consent to maintain access, Google Workspace Data Export abuse.
  5. Cleanup evasion: Inbox rules (auto-forward/delete), illicit OAuth tokens, device registration, conditional access loopholes (legacy/basic auth paths if not fully blocked).

4) Hunting & IOCs (Microsoft 365 + Google Workspace)

Entra ID / M365 (KQL samples)

// Single-factor sign-ins to mail/SharePoint with no Conditional Access applied
// (a replayed session cookie satisfies sign-in without a fresh MFA claim)
SigninLogs
| where ResultType == "0"
| where AppDisplayName in ("Office 365 Exchange Online","Office 365 SharePoint Online","Office 365")
| where AuthenticationRequirement == "singleFactorAuthentication"
| where ConditionalAccessStatus == "notApplied"
| summarize count() by UserPrincipalName, IPAddress, tostring(DeviceDetail.browser), bin(TimeGenerated, 1h)

// OAuth consent spikes (illicit app): group by app name and consenting user, not by raw dynamic columns
AuditLogs
| where OperationName == "Consent to application"
| summarize count() by App = tostring(TargetResources[0].displayName), Actor = tostring(InitiatedBy.user.userPrincipalName), bin(TimeGenerated, 1h)

Google Workspace (BigQuery / Admin logs)

-- Successful logins whose event parameters mention new access/refresh tokens
-- (events and their parameters are repeated fields, so both must be unnested;
--  point the FROM clause at your own Workspace log export table)
SELECT actor.email, event.name, param.name, param.value
FROM `admin.reports.audit.logins`,
     UNNEST(events) AS event,
     UNNEST(event.parameters) AS param
WHERE event.name = "login_success"
  AND (param.value LIKE "%newAccessToken%" OR param.value LIKE "%refreshToken%")

Common Tycoon infrastructure patterns include fresh domains on cheap TLDs, multi-stage redirects, and CAPTCHA gating. Track domains contacted immediately before successful logins.

5) Detections: SIEM/KQL, Wazuh, and Mail-Flow Controls

  • Mail-flow: Block known AiTM kit URLs; implement URL detonation; quarantine thread-hijack replies with mismatched sender domain + “shared doc” lures.
  • Token replay: Alert on cookie-based access from new ASNs/ISPs right after a different country performed MFA.
  • OAuth hardening: Restrict consent to verified apps; require admin consent workflow; alert on new publisher domains.

// M365 impossible travel within 15 minutes (cookie replay tell):
// more than one source IP for the same user inside a 15-minute bucket
SigninLogs
| where ResultType == "0"
| summarize firstSeen = min(TimeGenerated), ips = make_set(IPAddress) by UserPrincipalName, bin(TimeGenerated, 15m)
| where array_length(ips) > 1
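The token-replay rule in section 5 (an MFA-satisfied sign-in from one country/ASN followed shortly by a single-factor, cookie-satisfied sign-in from a different ASN) is easy to state in KQL but worth seeing as plain logic. The following is an added example, not code from the original post; the events are constructed and only loosely follow SigninLogs column names (`user`, `country`, `asn`, `auth_requirement`, `mfa_result` are the example's own field names).

```python
"""Session-cookie replay detector over constructed Entra ID style sign-in events.

Added example, not the post's own code. Flags a single-factor sign-in that
lands within REPLAY_WINDOW of an MFA-satisfied sign-in for the same user but
from a different ASN or country: the shape left behind when a stolen session
cookie is replayed from attacker infrastructure.
"""
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(minutes=15)

# Constructed sample events (not real telemetry). Field names are this
# example's own and only loosely mirror SigninLogs columns.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "time": "2025-11-05T09:00:00", "country": "IN", "asn": 9498,
     "auth_requirement": "multiFactorAuthentication", "mfa_result": "success"},
    {"user": "alice@example.com", "time": "2025-11-05T09:06:00", "country": "NL", "asn": 20473,
     "auth_requirement": "singleFactorAuthentication", "mfa_result": "notApplied"},  # replay shape
    {"user": "bob@example.com", "time": "2025-11-05T09:10:00", "country": "IN", "asn": 9498,
     "auth_requirement": "multiFactorAuthentication", "mfa_result": "success"},
    {"user": "bob@example.com", "time": "2025-11-05T11:00:00", "country": "IN", "asn": 9498,
     "auth_requirement": "singleFactorAuthentication", "mfa_result": "notApplied"},  # same ASN, later
    {"user": "carol@example.com", "time": "2025-11-05T09:20:00", "country": "US", "asn": 7922,
     "auth_requirement": "singleFactorAuthentication", "mfa_result": "notApplied"},  # no prior MFA
]


def _parse(event):
    """Copy the event with its ISO timestamp turned into a datetime."""
    return {**event, "time": datetime.fromisoformat(event["time"])}


def find_replays(events, window=REPLAY_WINDOW):
    """Return one alert dict per single-factor sign-in that follows an MFA
    sign-in by the same user within `window` from a different ASN/country."""
    alerts = []
    history = {}  # user -> list of earlier events (chronological)
    for ev in sorted((_parse(e) for e in events), key=lambda e: e["time"]):
        seen = history.setdefault(ev["user"], [])
        if ev["auth_requirement"] == "singleFactorAuthentication":
            for prior in seen:
                delta = ev["time"] - prior["time"]
                if (prior["auth_requirement"] == "multiFactorAuthentication"
                        and prior["mfa_result"] == "success"
                        and timedelta(0) <= delta <= window
                        and (prior["asn"] != ev["asn"] or prior["country"] != ev["country"])):
                    alerts.append({
                        "user": ev["user"],
                        "mfa_time": prior["time"], "mfa_country": prior["country"], "mfa_asn": prior["asn"],
                        "replay_time": ev["time"], "replay_country": ev["country"], "replay_asn": ev["asn"],
                        "minutes_after": delta.total_seconds() / 60,
                    })
                    break  # one alert per suspicious sign-in is enough
        seen.append(ev)
    return alerts


if __name__ == "__main__":
    for a in find_replays(SAMPLE_EVENTS):
        print(f"{a['user']}: MFA from {a['mfa_country']}/AS{a['mfa_asn']}, then single-factor from "
              f"{a['replay_country']}/AS{a['replay_asn']} {a['minutes_after']:.0f} min later")
```

Bob's later single-factor sign-in from the same ASN and Carol's sign-in with no preceding MFA are deliberately left out, so the rule fires only on the cross-ASN pattern the post describes; tune `REPLAY_WINDOW` and add an ISP/VPN allow-list before running it on production logs.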

6) Mitigations That Actually Work (Engineering & Policy)

  1. Phishing-resistant MFA: Move VIPs/admins to FIDO2 security keys (device-bound, origin-bound). Enforce via Conditional Access/Context-Aware Access.
  2. Block legacy & insecure paths: Disable Basic/Legacy Auth entirely; enforce modern auth only; review POP/IMAP connector exceptions.
  3. Conditional Access & Device Posture: Require compliant device + managed browser for critical apps; use sign-in risk policies.
  4. Short-lived tokens & CAE: Enable Continuous Access Evaluation and reduce token lifetime so stolen cookies die fast.
  5. OAuth governance: Admin-only consent; publisher verification; CASB to monitor risky OAuth scopes.
  6. Awareness + Simulations: Run AiTM-specific simulations (not just static phishing). Teach users to spot CAPTCHAs + unexpected re-login prompts after clicking document links.

7) Playbooks: IR, BEC Containment, Tenant Hygiene

Immediate Response (0–4 hours)

  • Revoke sessions for suspected users (M365: Revoke-MgUserSignInSession in Microsoft Graph PowerShell; Google: Admin console security actions).
  • Reset passwords + require re-enrollment of MFA; remove suspicious backup methods.
  • Audit inbox rules and OAuth app consents; remove unknown rules/apps; check external forwarding.
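The inbox-rule audit in the immediate-response step benefits from a repeatable scoring pass rather than eyeballing each mailbox. Below is an added example, not code from the original post: it triages a constructed list of rules whose shape only loosely follows Microsoft Graph messageRule objects (`displayName`, `conditions`, `actions`; recipients simplified to plain addresses), flagging the external-forward, delete, hide-in-folder and finance-keyword traits that section 3 describes as cleanup evasion.

```python
"""Inbox-rule triage for post-AiTM persistence (added example, not the post's code).

Input rules are constructed and only loosely mirror Graph messageRule fields.
Each rule is scored on traits typical of BEC cleanup rules; rules with at
least `min_hits` traits are returned, worst first.
"""
INTERNAL_DOMAINS = {"example.com"}  # constructed tenant domain
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "archive", "deleted items", "junk email"}
LURE_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "mfa",
                 "security alert", "phish", "suspicious"}

# Constructed sample rules (not a real tenant export).
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "displayName": ".",
     "conditions": {"bodyOrSubjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": ["finance-archive@outlook-mail.invalid"], "delete": True}},
    {"mailbox": "cfo@example.com", "displayName": "Newsletters",
     "conditions": {"senderContains": ["news@vendor.example"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"mailbox": "ap@example.com", "displayName": "a",
     "conditions": {"bodyOrSubjectContains": ["security alert"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"mailbox": "ap@example.com", "displayName": "Team copy",
     "conditions": {}, "actions": {"forwardTo": ["manager@example.com"]}},
]


def is_external(address):
    """True when the recipient domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def score_rule(rule):
    """Return the list of suspicious traits found on one rule."""
    reasons = []
    actions = rule.get("actions", {})
    conds = rule.get("conditions", {})
    recipients = (actions.get("forwardTo", []) + actions.get("redirectTo", [])
                  + actions.get("forwardAsAttachmentTo", []))
    for addr in recipients:
        if is_external(addr):
            reasons.append(f"external forward to {addr}")
    if actions.get("delete"):
        reasons.append("deletes matching mail")
    folder = actions.get("moveToFolder")
    if folder and folder.lower() in HIDE_FOLDERS:
        reasons.append(f"hides mail in '{folder}'")
    if actions.get("markAsRead"):
        reasons.append("marks as read")
    keywords = {k.lower() for k in conds.get("bodyOrSubjectContains", []) + conds.get("subjectContains", [])}
    hits = keywords & LURE_KEYWORDS
    if hits:
        reasons.append("keyword filter on " + ", ".join(sorted(hits)))
    if len(rule.get("displayName", "").strip()) <= 2:
        reasons.append("near-empty rule name")
    return reasons


def triage(rules, min_hits=2):
    """Rules with at least `min_hits` suspicious traits, most traits first."""
    found = []
    for rule in rules:
        reasons = score_rule(rule)
        if len(reasons) >= min_hits:
            found.append({"mailbox": rule["mailbox"], "name": rule["displayName"], "reasons": reasons})
    return sorted(found, key=lambda f: -len(f["reasons"]))


if __name__ == "__main__":
    for hit in triage(SAMPLE_RULES):
        print(f"{hit['mailbox']} rule {hit['name']!r}: " + "; ".join(hit["reasons"]))
```

The benign newsletter rule and the internal forward score zero, while the two cleanup-style rules score on every trait; requiring two traits keeps a lone internal "move to Archive" rule out of the queue.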

Remediation (1–3 days)

  • Enable FIDO2 for admins and finance; enforce CA policies; restrict OAuth consent; CAE + short tokens.
  • Mail-flow blocks for AiTM kits; deploy browser isolation for untrusted links.
  • Run full eDiscovery on financial threads; contact banks/vendors for payment diversion checks.

Hardening (ongoing)

  • Quarterly OAuth reviews; phishing-resistant MFA for all privileged roles; continuous simulation program.

8) US/EU High-CPC Buyer’s Guide: What to Procure Now

Control | SMB | Mid-Market | Enterprise
Phishing-resistant MFA (FIDO2) | Tata Neu Cards, vendor key packs | Rewardful for program affiliates + key mgmt | Enterprise FIDO2 with HSM attestation
Secure E-mail & URL Defense | Kaspersky | Alibaba Cloud WAF | Segregated secure gateways + sandbox
Training & SOC Services | Edureka | SOC Lite + BEC playbooks | 24×7 Managed XDR with identity analytics

Need Help Right Now?

CyberDudeBivash offers rapid BEC triage, M365/Google tenant hardening, OAuth governance, and phishing-resistant MFA rollout.

9) FAQ

If MFA is enabled, how can attackers still log in?

AiTM proxies the live login, relays your MFA approval, then steals the session cookies to access your account without re-prompting.

Will FIDO2 keys really stop this?

Yes—FIDO2 ties the authentication to the browser origin and device, preventing credential replay through a rogue proxy. Pair with Conditional Access.
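Mitigation 1 in section 6 and this FAQ answer both rest on origin binding, which is worth seeing at the level of the fields a relying party actually checks. The following is an added example, not code from the original post or from any WebAuthn library: the browser, not the page, writes the origin it is really talking to into clientDataJSON, and the authenticator prefixes authenticatorData with SHA-256(rpId). A relying party rejects an assertion whose origin or rpIdHash is not its own, so a login ceremony completed on a proxy's domain cannot be relayed. The hostnames are constructed, and signature verification is deliberately omitted (a real RP also verifies the signature over authenticatorData plus SHA-256(clientDataJSON), which is what stops a proxy from rewriting these fields).

```python
"""Model of the WebAuthn origin/rpIdHash checks that defeat AiTM relay.

Added example, not the post's own code. Builds the two client-side artefacts
a browser and authenticator would produce for a given origin, then verifies
them the way a relying party (RP) does. Hostnames are constructed.
"""
import base64
import hashlib
import json

RP_ID = "login.example-idp.com"                 # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example-idp.com"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_assertion(origin: str, challenge: str, rp_id: str) -> dict:
    """What browser + authenticator return for a ceremony run on `origin`.
    The browser fills `origin`; the page cannot choose it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    # authenticatorData = rpIdHash (32) | flags (1, UP bit set) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    return {"clientDataJSON": b64url_encode(client_data), "authenticatorData": b64url_encode(auth_data)}


def verify_assertion(assertion: dict, expected_challenge: str) -> tuple:
    """RP-side checks: ceremony type, fresh challenge, origin, rpIdHash, user presence.
    Returns (ok, reason). Signature verification omitted in this model."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"  # constructed; a real RP draws this at random per ceremony
    genuine = make_assertion(EXPECTED_ORIGIN, challenge, RP_ID)
    relayed = make_assertion("https://login.example-idp.com.secure-verify.invalid", challenge, RP_ID)
    print("genuine:", verify_assertion(genuine, challenge))
    print("relayed:", verify_assertion(relayed, challenge))
```

In practice the relayed case never even reaches the RP: a browser on the proxy's domain refuses to use an rpId that is not a registrable suffix of that domain, so the key is never exercised. The origin check shown here is the RP's backstop, and the challenge check is what makes a captured assertion worthless once the ceremony it belongs to has expired.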

What’s the minimum we should do today?

Enable admin-consent only OAuth, enforce FIDO2 for admins/finance, block legacy auth, shorten token lifetimes with CAE, and implement URL detonation for doc-share lures.

10) References

  1. Tycoon 2FA background & activity, Sekoia
  2. Proofpoint analysis of Tycoon 2FA campaigns
  3. Darktrace: AiTM kits (Tycoon) abusing legit services
  4. Barracuda: Tycoon 2FA update; Whisper 2FA scale
  5. BleepingComputer: Tycoon 2FA kit targets M365/Gmail
  6. Microsoft DDR 2025: phishing-resistant MFA impact
  7. Push Security: MFA downgrade attacks
  8. SpyCloud: dataset of Tycoon-phished credentials
  9. VoidProxy PhaaS trends (Okta/press)

© 2025 CyberDudeBivash • Use the official logo and exact spelling “CyberDudeBivash”. Include brand URLs on banners/CTAs: cyberdudebivash.com | cyberbivash.blogspot.com | cyberdudebivash-news.blogspot.com | cryptobivash.code.blog.
