
Threat Report by NTT Security - Tycoon 2FA: A trending phishing kit

  • danielmiddlemass0
  • Oct 1
  • 2 min read

Updated: Oct 23


In recent weeks, the SamurAI SOC has observed an uptick in phishing incidents that analysts have tied to the Tycoon 2FA phishing kit.


These phishing attacks typically start with an email containing alarmist messaging, which urges the victim to quickly follow a link. The link abuses a chain of open redirects on benign websites, a form of defense evasion that bypasses reputation-based spam filters.
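A defender triaging such a link usually wants to know where the redirect chain ends before anyone clicks it. The following is an added example, not code from the original post or from NTT Security: it statically unwraps a URL whose query parameters carry further URLs (the usual shape of an open-redirect chain) without making any network request. The parameter names, hostnames and sample URL are constructed assumptions for the example.

```python
from urllib.parse import urlparse, parse_qs, unquote, quote

# Query-parameter names commonly used by redirect endpoints (assumption; extend as needed).
REDIRECT_PARAMS = {
    "url", "redirect", "redirect_url", "redirect_uri", "next", "u", "r",
    "dest", "destination", "target", "goto", "return", "returnurl", "continue", "link",
}


def extract_embedded_url(url: str):
    """Return the first URL found in a redirect-style query parameter, or None."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query, keep_blank_values=True)  # parse_qs decodes one layer of %-encoding
    for key, values in query.items():
        if key.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            # Some chains double-encode the inner URL; try one extra decode before giving up.
            for candidate in (value, unquote(value)):
                if candidate.lower().startswith(("http://", "https://")):
                    return candidate
    return None


def unwrap_redirect_chain(url: str, max_hops: int = 10):
    """Follow embedded redirect parameters statically and return the list of URLs in the chain."""
    chain = [url]
    current = url
    for _ in range(max_hops):  # cap hops so a self-referencing URL cannot loop forever
        nxt = extract_embedded_url(current)
        if nxt is None:
            break
        chain.append(nxt)
        current = nxt
    return chain


def hosts_in_chain(chain):
    """Hostnames of every hop, in order; the last one is the real destination."""
    return [urlparse(u).hostname for u in chain]


# Constructed sample: two benign-looking redirect hops ending on a suspicious host.
SAMPLE_URL = "https://news-site.example/redirect?url=" + quote(
    "https://tracker.example/out?next=" + quote("https://login-verify.example/sign-in", safe=""),
    safe="",
)

if __name__ == "__main__":
    chain = unwrap_redirect_chain(SAMPLE_URL)
    for hop, (u, h) in enumerate(zip(chain, hosts_in_chain(chain))):
        print(f"hop {hop}: {h}  ->  {u}")
    print("final destination host:", hosts_in_chain(chain)[-1])
```

The useful output for an analyst is the last hostname in the chain: the first hop is the reputable site the spam filter scored, the last hop is what actually deserves scrutiny.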


[Image: malicious email with alarmist messaging and a link]


After the redirects, the victim has to solve a Cloudflare Turnstile challenge to prove they are human. This is another layer of defense evasion that defeats automated sandbox analysis of links inside emails.


[Image: Cloudflare Turnstile challenge]

After this, the victim is presented with a fake Microsoft sign-in page that is pre-filled with their email address and company branding.


[Image: fake Microsoft sign-in page]

The SamurAI SOC has analyzed the behavior and URL patterns observed on these phishing pages and tied the activity to the Tycoon 2FA phishing kit, currently the #1 trending threat on the malware sandbox Any.run.


[Image: Any.run trending threats]

Detecting Tycoon 2FA Phishing Kit


Employing identity-based detection methodologies such as Defender for Identity and Defender for Office 365 gives campaign-agnostic coverage of suspicious account activity.


SamurAI MDR complements these defenses through additions to the SamurAI Threatlist as well as custom-created Sigma detection rules.


Threatlist - Indicator based coverage

The SamurAI Threatlist can detect traffic towards these phishing domains in DNS and proxy logs. Its indicators come both from ingestion of open-source indicator feeds and from SamurAI analyst-engineered queries that find Tycoon 2FA instances on urlscan.io.


Sigma-rule - Pattern-based coverage

Clients who have enrolled proxy logs with TLS inspection further benefit from pattern-based detection on URL paths, which means the SOC can detect these phishing attacks even for phishing domains that have not yet been added to the Threatlist. The SamurAI-engineered Sigma rule for Tycoon 2FA can be viewed in our open-source Sigma repository on GitHub.
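To show how the two layers described above (indicator-based Threatlist matching and pattern-based URL-path matching) complement each other, here is an added example that is not part of the original post and not NTT Security's detection content. The proxy log format, the indicator domain and the path regex are all constructed placeholders; in particular, the regex is NOT the real Tycoon 2FA path pattern, which lives in the Sigma rule the post links to. The example also shows the caveat the post makes: for CONNECT-only (uninspected TLS) traffic, only the hostname is visible, so only the indicator layer can fire.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the Threatlist (not a real indicator).
INDICATOR_DOMAINS = {"phish-domain-placeholder.example"}

# Constructed stand-in for the Sigma rule's URL-path condition (not the real Tycoon 2FA pattern).
PATH_PATTERNS = [re.compile(r"^/placeholder-kit-path/[a-z0-9]{6,}/?$", re.IGNORECASE)]

# Constructed proxy log: "<timestamp> <src_ip> <method> <url-or-host:port> <status>".
SAMPLE_PROXY_LOG = """\
2024-10-01T09:12:03Z 10.0.0.5 GET https://www.example.com/ 200
2024-10-01T09:12:10Z 10.0.0.5 GET https://phish-domain-placeholder.example/login/ 200
2024-10-01T09:13:44Z 10.0.0.7 GET https://unknown-host.example/placeholder-kit-path/abc123xyz/ 200
2024-10-01T09:14:02Z 10.0.0.7 GET https://cdn.example.com/assets/app.js 200
2024-10-01T09:15:30Z 10.0.0.9 CONNECT phish-domain-placeholder.example:443 200
2024-10-01T09:16:01Z 10.0.0.9 CONNECT uninspected-host.example:443 200
"""


def parse_line(line: str) -> dict:
    """Parse one log line. CONNECT entries expose only host:port, so path is None (no TLS inspection)."""
    ts, src, method, target, status = line.split()
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0].lower()
        return {"ts": ts, "src": src, "method": method, "host": host, "path": None, "status": status}
    u = urlparse(target)
    return {"ts": ts, "src": src, "method": method,
            "host": (u.hostname or "").lower(), "path": u.path or "/", "status": status}


def classify(event: dict, indicators=INDICATOR_DOMAINS, patterns=PATH_PATTERNS) -> list:
    """Return the detection layers that fire for one event."""
    reasons = []
    host = event["host"]
    # Layer 1: indicator-based. Matches the domain itself or any subdomain of it.
    if host in indicators or any(host.endswith("." + d) for d in indicators):
        reasons.append("threatlist-domain")
    # Layer 2: pattern-based. Needs the URL path, which only inspected traffic provides.
    if event["path"] is not None and any(p.search(event["path"]) for p in patterns):
        reasons.append("sigma-url-path")
    return reasons


def scan_proxy_log(text: str, indicators=INDICATOR_DOMAINS, patterns=PATH_PATTERNS) -> list:
    """Run both layers over a log and return one alert per matching line."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = classify(ev, indicators, patterns)
        if reasons:
            alerts.append({"line": lineno, "src": ev["src"], "host": ev["host"],
                           "reasons": reasons, "path_inspected": ev["path"] is not None})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        note = "" if alert["path_inspected"] else " (no TLS inspection: path layer unavailable)"
        print(f"line {alert['line']}: {alert['src']} -> {alert['host']} [{', '.join(alert['reasons'])}]{note}")
```

Line 3 of the sample is the case the post is making: the host is on no list, yet the path pattern still catches it, but only because the proxy could see the path. The CONNECT entry on line 6 shows the blind spot for uninspected traffic.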


[Image: Sigma rule for detecting Tycoon 2FA]

Stay vigilant, apply security patches, and leverage proactive detection to protect your systems.


