THREAT OPS › Threat News › Detecting Tycoon 2FA AiTM attacks across Entra ID and Google Workspace
Detecting Tycoon 2FA AiTM attacks across Entra ID and Google Workspace
<p>Tycoon 2FA is currently the most prolific Phishing-as-a-Service (PhaaS) platform among AiTM phishing kits. First observed in August 2023 and attributed to <a href="https://malpedia.caad.fkie.fraunhofer.de/actor/storm-1747">Storm-1747</a> (per Microsoft Threat Intelligence), the kit provides turnkey adversary-in-the-middle (AiTM) capabilities that bypass multi-factor authentication and steal aut
MITRE ATT&CK techniques
- Adversary-in-the-MiddleT1557
- SharepointT1213.002
- JavaScriptT1059.007
- Steal Web Session CookieT1539
- Permission Groups DiscoveryT1069
- Cloud GroupsT1069.003
- Spearphishing LinkT1566.002
- Spearphishing LinkT1598.003
- Cloud AccountsT1586.003
- Use Alternate Authentication MaterialT1550
- Account DiscoveryT1087
- Device RegistrationT1098.005
- Cloud AccountT1087.004
- Cloud AccountsT1585.003
- Cloud AccountT1136.003
- Account ManipulationT1098
- Valid AccountsT1078
- Multi-Factor AuthenticationT1556.006
- CredentialsT1589.001
- Web Session CookieT1550.004
- Cloud Service DiscoveryT1526
- Application Access TokenT1550.001
- Cloud AccountsT1078.004
- CompressionT1027.015
- Valid AccountsAML.T0012
- Cloud Service DiscoveryAML.T0075
- Use Alternate Authentication MaterialAML.T0091
- Application Access TokenAML.T0091.000
Indicators of compromise
- 9bd94c62a54c6b3d6054e4f1d57f014538be70bfsha1
- 8089df918f81850b28dfc3e691495f55bf30c94asha1
- b87d2f58938f67c3b74bf5ae334fad06371d4dacsha1
- d623721ec303064d1f47bcea15ae5bc3062f2b54sha1
- 3ad97fe42d0862ef3c7a93cd54afebfcee4eaac0sha1
- 696b276e628b5663a78e35c02be3d2798a318479sha1
- 0236027f5a3a675608dbec29d15dc994916e2f13sha1
- https://malpedia.caad.fkie.fraunhofer.de/actor/storm-1747url
- https://www.esentire.com/blog/tycoon-2fa-infrastructure-update-threat-actors-adapt-following-global-coalition-takedownurl
- https://any.run/malware-trends/tycoon/url
- https://spycloud.com/blog/tycoon-2fa-takedown-inside-the-global-phishing-infrastructure-disruption/url
- https://www.esentire.com/blog/tycoon-2fa-operators-adopt-oauth-device-code-phishingurl
- https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/url
- victim@email.corpemail
- login.microsoftonline.comdomain
- 77185425430.apps.googleusercontent.comdomain