Tycoon2FA phishing kit uses new tactics to target Microsoft 365

May 26, 2025

The phishing-as-a-service platform Tycoon2FA, notorious for its ability to bypass MFA for Microsoft 365 and Gmail accounts, has undergone upgrades that enhance its stealth and evasion capabilities.

Researchers identified this PhaaS in October 2023 and later detailed substantial updates to the phishing kit that increased its complexity and effectiveness. Based on reports, its developers have made several enhancements, improving the kit’s ability to evade detection and circumvent endpoint security measures.

One of the key updates is the incorporation of invisible Unicode characters, enabling the concealment of binary data within JavaScript.

This tactic allows the payload to be decoded and executed only at runtime, so it evades manual analysis and static pattern-matching techniques.
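As an added example that is not part of the original article, the following Python scanner flags runs of invisible code points inside JavaScript and tries to recover what such a run hides. The list of code points, the run-length threshold, the two-symbol bit encoding it assumes and both sample scripts are constructed for illustration, not taken from the kit.

```python
import re

# Zero-width / filler code points that render as nothing and can be abused to
# hide data in source text. A lone BOM (U+FEFF) never reaches MIN_RUN.
INVISIBLE = "\u200b\u200c\u200d\u2060\ufeff\u3164\uffa0"
RUN_RE = re.compile("[" + INVISIBLE + "]{2,}")
MIN_RUN = 16  # assumption: shorter runs are treated as noise

def find_invisible_runs(js_source, min_run=MIN_RUN):
    """Return (offset, length, distinct_symbols) for each run worth a look."""
    hits = []
    for m in RUN_RE.finditer(js_source):
        run = m.group(0)
        if len(run) >= min_run:
            hits.append((m.start(), len(run), len(set(run))))
    return hits

def recover_payload(run):
    """Assumed scheme: two distinct invisible symbols stand for bit 0 and 1,
    eight per byte, MSB first. Returns None when the run does not fit that."""
    symbols = sorted(set(run))
    if len(symbols) != 2 or len(run) % 8:
        return None
    candidates = []
    for zero in symbols:  # try both 0/1 assignments
        bits = "".join("0" if c == zero else "1" for c in run)
        candidates.append(bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)))
    # Prefer the assignment that yields printable text; otherwise hand back the first.
    printable = [c for c in candidates if all(32 <= b < 127 for b in c)]
    return printable[0] if printable else candidates[0]

def scan(js_source):
    """Flag a script and try to recover what each suspicious run hides."""
    return [(off, length, recover_payload(js_source[off:off + length]))
            for off, length, _ in find_invisible_runs(js_source)]

def _hide(data, zero="\u3164", one="\uffa0"):
    """Builds the constructed sample below using the same assumed scheme."""
    return "".join(one if (byte >> (7 - i)) & 1 else zero
                   for byte in data for i in range(8))

# Constructed samples: a benign script and one carrying a hidden ASCII payload
# inside a string literal that looks empty in an editor.
CLEAN_JS = "const u = new URL(location.href); fetch(u).then(r => r.text());"
SUSPICIOUS_JS = 'const k = "' + _hide(b"decoded at runtime") + '"; run(decode(k));'

if __name__ == "__main__":
    print(scan(CLEAN_JS))       # []
    print(scan(SUSPICIOUS_JS))  # [(11, 144, b'decoded at runtime')]
```

Running `scan` over scripts fetched from a suspected landing page gives an analyst the offset and length of each hidden blob, which is enough to write a detection rule even when the recovery step fails.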

Tycoon2FA found a new tactic for evading specific security solutions.

The Tycoon2FA phishing kit has transitioned from using Cloudflare Turnstile to implementing a self-hosted CAPTCHA displayed via HTML5 canvas with randomised components.

This shift likely aims to bypass fingerprinting and detection by domain reputation systems, while allowing greater customisation of the page content. Another significant update is the addition of anti-debugging JavaScript, which detects browser automation tools like PhantomJS and Burp Suite and blocks specific actions related to analysis.

When suspicious behaviour is detected or if the CAPTCHA fails—potential signs of security bots—the user is either presented with a decoy page or redirected to a legitimate site, such as rakuten.com.

Researchers emphasise that while these evasion techniques are not new, their combination significantly complicates the detection and analysis that can reveal phishing infrastructure and thereby enable takedowns and disruption efforts.

In separate research, a significant increase was observed in phishing attacks using malicious SVG (Scalable Vector Graphics) files driven by PhaaS platforms, including Tycoon2FA, Mamba2FA, and Sneaky2FA. These malicious SVGs are disguised as images representing voice messages, logos, or cloud document icons.

However, SVG files can also embed JavaScript, which runs automatically when the image is rendered in a browser. The rise of PhaaS platforms and SVG-based phishing therefore emphasises the need for increased vigilance and verification of sender authenticity.

A viable defence strategy includes blocking or flagging SVG attachments in email gateways and employing phishing-resistant MFA solutions.