
MFA Bypass Kit Simplifies Phishing Attacks on Gmail and Microsoft 365 Accounts

A relatively new phishing-as-a-service (PaaS) tool provides MFA bypass ability for attackers targeting Gmail and Microsoft 365 accounts, requiring them to do no more than trick their targets into entering their credentials into a fake login page. This removes one of the biggest barriers to phishing attacks, and does not require any special technical knowledge on the part of the threat actor.

Security researchers with Sekoia note that the “Tycoon 2FA” service has been available since at least October 2023 and has been updated very recently to improve its domain count and evasion capability. It has slid below security radar during this time as it was offered exclusively via private Telegram channels, but the researchers believe it now has a “broad” customer base in the criminal underworld.

Tycoon MFA bypass kit intercepts user login and 2FA token via fake “man-in-the-middle” page

The Tycoon MFA bypass kit now has over 1,100 domain names serving up fake login pages to support its phishing attacks, along with an improved version released in February that is better at dodging network detection capabilities. The tool is part of a larger emerging market of phishing kits that emulate the operations of ransomware-as-a-service (RaaS) groups, with less technically capable clients paying a subscription fee to use the group’s tools and infrastructure (in this case at a starting price of $120 for 10 days of access).

The system works like standard phishing attacks, in that the threat actor must convince the target to click on a link or attachment that will then redirect them to a fake login page. Aside from having prefabricated attack pages set up for them, subscribers to the MFA bypass service get the benefit of interception of the user’s 2FA token as they complete their login. The clients are also provided with an administration panel to manage their attack campaigns and access to accounts.

The researchers believe that Tycoon is built off of a prior kit for phishing attacks called “Dadsec,” which had its source code leaked in 2023. The two services sport similar administration panels and code used in the phishing pages and authentication back-end. Sekoia says that it does not have access to the source code of Tycoon’s MFA bypass kit.

Phishing attacks persist even if victim changes login credentials

Not only does the MFA bypass kit strip the secondary layer of protection from victims, it stores session cookies on the attacker’s server. This means that the threat actor can “replay” the session to access the hacked account, which allows them to get back in even if the victim realizes they have been breached and changes their login credentials.
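The detection angle on the paragraph above, as an added example that is not from the article or from Sekoia's report: once a phishing proxy has captured the session cookie, the two things a defender can look for in sign-in telemetry are a session presented from a network other than the one that completed MFA, and sessions that keep working after the user changes their password. The log shape, field names and the events themselves are constructed for illustration; real identity providers expose the same information under their own field names.

```python
"""Defender-side checks for the stolen-session replay pattern.

Added example, not the article's or Sekoia's code. The event format below is
an assumption; the records are constructed, not taken from any real tenant.
"""
from collections import defaultdict

# Constructed sign-in/activity events for one user, in time order.
# session: opaque cookie/token id; ip: client address; event: what happened.
EVENTS = [
    {"t": 1, "user": "alice", "session": "S1", "ip": "203.0.113.10", "event": "password_ok"},
    {"t": 2, "user": "alice", "session": "S1", "ip": "203.0.113.10", "event": "mfa_ok"},
    {"t": 3, "user": "alice", "session": "S1", "ip": "203.0.113.10", "event": "mailbox_read"},
    # The same session cookie is presented from a different network shortly after MFA.
    {"t": 4, "user": "alice", "session": "S1", "ip": "198.51.100.7", "event": "mailbox_read"},
    {"t": 5, "user": "alice", "session": "S2", "ip": "203.0.113.10", "event": "password_ok"},
    {"t": 6, "user": "alice", "session": "S2", "ip": "203.0.113.10", "event": "mfa_ok"},
    # The user changes the password after noticing something odd...
    {"t": 7, "user": "alice", "session": "S2", "ip": "203.0.113.10", "event": "password_change"},
    # ...but the older cookie keeps working from the foreign address.
    {"t": 8, "user": "alice", "session": "S1", "ip": "198.51.100.7", "event": "mailbox_read"},
]


def find_replayed_sessions(events):
    """Return the session ids that were used from an IP other than the one that
    completed MFA for that session. A mid-session network change is not proof
    of compromise (mobile roaming, VPNs), but it is the trace a replayed cookie
    leaves behind and should raise the session's risk score."""
    mfa_ip = {}
    flagged = set()
    for e in sorted(events, key=lambda e: e["t"]):
        if e["event"] == "mfa_ok":
            mfa_ip[e["session"]] = e["ip"]
        elif e["session"] in mfa_ip and e["ip"] != mfa_ip[e["session"]]:
            flagged.add(e["session"])
    return flagged


def sessions_surviving_password_change(events):
    """Return {user: set(sessions)} for sessions that were still used after the
    user's password_change event. Each hit means the credential change alone
    did not evict the attacker: existing sessions and refresh tokens have to
    be revoked as part of the same response step."""
    change_time = {}
    sessions_before = defaultdict(set)
    surviving = defaultdict(set)
    ordered = sorted(events, key=lambda e: e["t"])
    for e in ordered:
        if e["event"] == "password_change":
            change_time[e["user"]] = e["t"]
        elif e["user"] not in change_time:
            sessions_before[e["user"]].add(e["session"])
    for e in ordered:
        u = e["user"]
        if u in change_time and e["t"] > change_time[u] and e["session"] in sessions_before[u]:
            surviving[u].add(e["session"])
    return dict(surviving)


if __name__ == "__main__":
    print("replayed sessions:", find_replayed_sessions(EVENTS))
    print("sessions alive after password change:", sessions_surviving_password_change(EVENTS))
```

The second check is the one that matters operationally: a password reset that does not also revoke sessions and refresh tokens leaves the attacker signed in, so an incident playbook for this kit should treat "revoke all sessions" as a mandatory step rather than an optional one.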

Tycoon phishing attacks are generally initiated by email, with the client sending a malicious link or QR code to the target. Clients are provided with templates for these as part of their subscription. The campaigns that clients conduct with the MFA bypass service appear to be more “spray and pray” than targeted spearphishing, as they pepper known email addresses at target organizations with large volumes of attempts. At least one of the regular clients appears to have a strong interest in US school systems, and has used spearphishing in an attempt to compromise finance and payroll administrator accounts. However, the attacker will also target teachers and other staff members in an attempt to gain a network foothold and obtain Windows registry keys.

When intercepting a Microsoft login, the MFA bypass tool can compromise Microsoft Authenticator push notifications as well as phone call verification and OTP codes delivered by apps or SMS. The report indicates that Tycoon is also selling Gmail interception pages, but did not go into technical detail on the workings of those particular phishing attacks.

A Bitcoin wallet that has been tied to the Tycoon MFA bypass service has taken in about $394,015 over its lifespan, with hundreds of recent individual transaction amounts fitting the offered prices for various subscription lengths. However, the researchers believe just one person is maintaining the kit given the low sophistication and relatively slow pace of improvements.

The service also has a fairly substantial weakness in that the observed attack domains are easily spotted as fakes, a mix of .com and .ru extensions preceded by long trails of gibberish. A mobile device user may not have the URL visible to them as part of the attack process, however, and phone users are likely the primary target.
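A mail-gateway or SOC triage heuristic built on the weakness just described, as an added example that is not from the article: it scores a URL on whether a long, random-looking host label sits in front of a .com or .ru registrable domain and whether login-page branding appears outside the brand's own domain. Every sample URL below is constructed, the allow-list and brand-word list are assumptions, and the thresholds are illustrative rather than published indicators for this kit.

```python
"""Heuristic triage of URLs for the gibberish-host lookalike pattern.

Added example, not the article's code. Sample URLs are constructed and the
allow-list, brand words and thresholds are assumptions for illustration.
"""
import math
from urllib.parse import urlparse

# Constructed samples. None of these is a real indicator.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://accounts.google.com/signin/v2/identifier",
    "https://x7qkd92mzplq4wvtb8.example-construct.com/microsoft/login",
    "https://zq9wkxv3m7lrtpn4.construct-sample.ru/gmail/auth",
    "https://mail.example.org/owa/",
]

# Registrable domains that legitimately host the login pages being imitated (assumed list).
KNOWN_GOOD = {"microsoftonline.com", "google.com", "live.com", "office.com"}
# Words that, on a host outside KNOWN_GOOD, suggest an imitation login page (assumed list).
BRAND_WORDS = ("microsoft", "office365", "o365", "outlook", "gmail", "google", "login", "auth")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score higher."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(host):
    """Naive 'last two labels' approximation; a real deployment would use the
    public suffix list so that co.uk-style suffixes are handled correctly."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_url(url, min_label_len=12, min_entropy=3.2):
    """Return (score, reasons). 0 means nothing notable; each reason adds one.
    Allow-listed registrable domains short-circuit to 0 so the real identity
    provider never trips the brand-word heuristic. This is a triage score, not
    a verdict: any site with /login in its path will collect one reason."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in KNOWN_GOOD:
        return 0, []
    reasons = []
    labels = host.split(".")[:-2]  # everything left of the registrable domain
    for lab in labels:
        if len(lab) >= min_label_len and shannon_entropy(lab) >= min_entropy:
            reasons.append(f"random-looking host label '{lab}'")
    if host.endswith((".com", ".ru")) and reasons:
        reasons.append(f"gibberish label in front of {reg}")
    haystack = host + p.path.lower()
    hits = [w for w in BRAND_WORDS if w in haystack]
    if hits:
        reasons.append(f"login branding outside the brand's own domain: {hits}")
    return len(reasons), reasons


def triage(urls):
    """Score a batch of URLs; callers sort by score and review the top of the list."""
    return {u: score_url(u) for u in urls}


if __name__ == "__main__":
    for u, (score, reasons) in triage(SAMPLE_URLS).items():
        print(score, u, reasons)
```

The point of the allow-list is the caveat in the article itself: the hostname is the only visible tell, and a mobile user may never see it, so this check belongs at the gateway or in the proxy logs rather than being left to the person clicking the link.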

Max Gannon, Cyber Intelligence Analysis Manager at Cofense, notes that the primary concern with these phishing kits is that they compromise the exact subset of users that MFA was implemented to protect in the first place, greatly reducing its overall utility: “These multi-factor authentication (MFA) bypass kits are undoubtedly effective, which has likely led to some people claiming it is a failure on the part of the MFA. However, MFA prevents someone with stolen credentials from accessing resources without authorization. When victims fall prey to these MFA bypass phishing attacks, they effectively log themselves in and authorize the access that MFA simply can’t protect against. These kits essentially reset the phishing arms race to where we were before the advent of MFA, where the key factor to preventing account compromise is the person being phished.”

Erich Kron, security awareness advocate at KnowBe4, sees this as a reminder to keep up regular anti-phishing training and not assume that MFA and other automated defense measures will pick up the slack: “This attack demonstrates why it is important to educate people on how to spot and report email phishing attacks, even if they have 2FA enabled. Many people mistakenly believe that if they have 2FA enabled on an account, then the account cannot be compromised. Unfortunately, that is far from the truth. Cases such as this that target email accounts can be especially damaging for victims. Email accounts can be used very effectively in other phishing and scam campaigns. When a person receives a message from a known e-mail, especially one that may be in their contact list already, there’s an implied trust. Couple that with continuing a past conversation, and few people would be aware that they are conversing with cyber criminals. To make things worse, a compromised email account can be used to reset passwords on any number of other services, such as shopping or banking websites. Even with modern technical security controls in place, it’s more important than ever to educate people about tactics such as this so they have a much better chance of defending themselves and their organizations.”