Threat Spotlight: Tycoon 2FA phishing kit updated to evade inspection

Phishing-as-a-Service (PhaaS) provides attackers with advanced toolsets and templates that enable them to quickly deploy phishing campaigns.

The rapid rise and evolution of PhaaS is driving a fundamental change in the phishing ecosystem, making the threat increasingly complex and sophisticated. The developers behind these phishing kits invest considerable resources in their creation and continuous enhancement.

According to Barracuda threat analysts, around 30% of the credential attacks seen in 2024 made use of PhaaS, and this is expected to rise to 50% in 2025.

Barracuda monitors the activity of some of the most prominent PhaaS platforms. One of these is Tycoon.

The use of Tycoon has been widespread since August 2023. It became Tycoon 2FA when it evolved to bypass multifactor authentication — in this case 2FA — by collecting and using Microsoft 365 session cookies. The latest version of Tycoon 2FA was first seen in November 2024, and it features advanced tactics designed to obstruct, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages.

These tactics include:

• The use of legitimate — possibly compromised — email accounts to launch attacks
• Specially crafted source code to obstruct web page analysis
• Measures to block the use of automated security scripts and penetration-testing tools
• Listening for keystrokes that suggest web inspection and then blocking further activity
• Disabling the right-click menu that could reveal the web pages’ true intent
• Blocking users from copying meaningful text from the webpage for offline analysis

In this Threat Spotlight we dive into some of these tactics and look at how they are used to evade detection and inspection.

The latest evolution of Tycoon 2FA

Tycoon 2FA allows attackers to intercept and bypass multilayered security measures designed to protect accounts. By targeting and exploiting vulnerabilities in the 2FA process, attackers can gain unauthorized access to otherwise secure accounts.

In early November 2024, we noted a rise in the use of a new version of Tycoon that is stealthier than the earlier edition and makes use of a range of sophisticated tactics to obstruct detection and analysis.

Use of legitimate email identities

One of the significant changes compared to earlier versions of Tycoon 2FA is that the phishing emails are sent from legitimate, potentially compromised email addresses.

Examples of these phishing emails are shown below:

The actual phishing page these emails lead to is usually a fake Microsoft login page.

Sophisticated tactics prevent analysis of phishing pages

Obstructive source code

In addition to the way the phishing emails are sent, we have noticed major changes in the source code for the fake login page.

The code starts with the loading of JavaScript resources, style sheets, fonts, and meta tags that are used in the phishing page.

However, in the new version of Tycoon 2FA the typical pattern of calling external JavaScript resources, stylesheets, and meta tags is skipped, and a new script function has been added that obstructs attempts to analyze the web page (see image below).

Detecting automated security scripts

Deeper analysis of the updated Tycoon 2FA code also revealed measures to spot and block the kind of automated tools or scripts generally used by security solutions to determine whether the code is malicious, for example the ‘Burp’ penetration-testing tool.

If any such tools are detected, the user is redirected to a blank page, preventing further analysis.

Listening for keystrokes that suggest web inspection

The latest version of Tycoon 2FA can detect and block key combinations or shortcuts that are commonly used by programmers or security teams to inspect a web page, making it harder for analysts to investigate the web page for suspicious code, browser history, and more (see below).

The web page has been designed to block the action when any of these shortcuts are pressed.

We also observed an alternate version of the above script where the keys are replaced with their ASCII decimal values (see below):

If developer tools are open, the software will trigger measures that lead to delays in operation. If the delay exceeds a certain threshold, suggesting that the developer tools are active, the page will redirect the user to an unrelated, legitimate external site, in this case, https://www.onedrive.com.

Further disruptive features

Tycoon 2FA’s latest version has disabled the right-click context menu, which could otherwise allow users to inspect, save elements, or gain further insight into the page's true intent.

We also observed the use of code obfuscation to obscure the content of the web pages. This approach is often used to make the code harder to read.

Last, but not least, we observed tools used to prevent users from copying meaningful text from the web page by automatically overwriting clipboard content with a specified string, thereby hindering data extraction.

These were the most notable changes in the newest version of Tycoon 2FA. We continue to dig deeper into this phishing kit and others to learn about their functionality and how to protect everyone from such attacks.

Conclusion

In 2025, phishing is no longer a basic threat, but a complex and sophisticated attack vector that is increasingly well-resourced. PhaaS groups play a key role in driving this evolution.

We have observed Tycoon 2FA used in numerous phishing campaigns over the past months. We expect cyberattackers to continue to refine their methods to circumvent traditional security measures and thwart deeper analysis. It is essential to have agile, innovative, multilayered defense strategies and foster a strong security culture to stay ahead of this ever-evolving threat.

Look for security tools that continuously evolve in line with emerging threats, improving pattern-matching rules, monitoring IOCs, and fine-tuning security solutions.