A new version of the phishing kit Tycoon 2FA, which uses advanced tactics to bypass multi-factor authentication (MFA) and evade detection, has been analyzed by threat researchers at Barracuda.
Tycoon 2FA, which first emerged in August 2023, has undergone several updates to enhance its capabilities. The latest version, observed in November 2024, targets Microsoft 365 session cookies to bypass 2FA protections. The creators of the phishing kit have since incorporated several measures to prevent detection by automated tools and security analysts.
Key features of the new Tycoon 2FA include using legitimate, often compromised, email accounts to send phishing messages. It employs obstructive source code to prevent web page analysis and includes measures to detect and block automated security scripts such as penetration testing tools.
Additionally, it listens for keystrokes commonly used for web inspection, blocking related actions. The phishing kit disables right-click menus to hinder further examination of phishing pages and uses obfuscation to hide the malicious intent of its web page code.
These tactics make it challenging for security solutions to identify and analyze phishing pages effectively.
For instance, if developer tools are detected, the software redirects users to legitimate sites, such as OneDrive, to mask its true purpose. Additionally, Tycoon 2FA prevents users from copying text from phishing pages by overwriting clipboard content.
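The behaviours listed above (blocked right-click, listeners for inspection keystrokes, clipboard overwriting, checks for automated tools, redirect on developer tools) leave recognisable traces in page script, so a defender can score a fetched page by how many of them appear together. The following is an added example, not Barracuda's detection logic or code from the kit; the rule names, regular expressions, threshold and both sample inputs are assumptions constructed for illustration, and heavily obfuscated pages need deobfuscation before patterns like these will match.

```javascript
// Static heuristic: count anti-analysis behaviours present in a page's script.
// Rule names, patterns and the default threshold are illustrative assumptions.
const RULES = [
  { name: "context-menu-blocked",
    re: /(?:addEventListener\(\s*['"]contextmenu['"]|oncontextmenu\s*=)[\s\S]{0,200}?(?:preventDefault\s*\(|return\s+false)/i },
  { name: "inspection-key-listener",
    re: /(?:addEventListener\(\s*['"]key(?:down|up|press)['"]|onkeydown\s*=)[\s\S]{0,400}?(?:['"]F12['"]|keyCode\s*={2,3}\s*123|ctrlKey[\s\S]{0,80}?shiftKey)/i },
  { name: "clipboard-overwrite",
    re: /addEventListener\(\s*['"]copy['"][\s\S]{0,300}?(?:clipboardData\.setData|clipboard\.writeText)\s*\(/i },
  { name: "automation-check",
    re: /navigator\.webdriver|callPhantom|_phantom|__nightmare/i },
  { name: "devtools-redirect",
    re: /(?:debugger\b|outerWidth\s*-\s*[\w.]*innerWidth)[\s\S]{0,400}?location(?:\.href\s*=|\.replace\s*\()/i },
];

// Returns the matched rule names and whether the count reaches the threshold.
// One behaviour alone is common on legitimate sites; several together is the signal.
function scanPage(source, threshold = 3) {
  const hits = RULES.filter((r) => r.re.test(source)).map((r) => r.name);
  return { hits, suspicious: hits.length >= threshold };
}

// Constructed sample inputs (not taken from a real kit or a real site).
const SAMPLE_SUSPECT = `
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
document.addEventListener('keydown', function (e) {
  if (e.key === 'F12' || (e.ctrlKey && e.shiftKey && e.key === 'I')) e.preventDefault();
});
document.addEventListener('copy', function (e) {
  e.clipboardData.setData('text/plain', ''); e.preventDefault();
});
if (navigator.webdriver) { document.body.innerHTML = ''; }
`;
const SAMPLE_BENIGN = `
document.addEventListener('keydown', function (e) {
  if (e.key === 'Escape') closeDialog();
});
`;

console.log(scanPage(SAMPLE_SUSPECT), scanPage(SAMPLE_BENIGN));
```

A score like this is a triage signal for a sandbox or mail-gateway pipeline, to be combined with sender reputation and URL analysis rather than used as a verdict on its own.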
Impact of Tycoon 2FA on Credential Attacks
Barracuda analysts estimated that 30% of credential attacks in 2024 involved Phishing-as-a-Service (PhaaS), with this figure expected to rise to 50% in 2025.
“In 2025, phishing is no longer a basic threat but a complex and sophisticated attack vector that is increasingly well-resourced. PhaaS groups play a key role in driving this evolution,” the company said.
As phishing attacks grow more sophisticated, companies must prioritize multilayered defense strategies and invest in evolving security tools to stay ahead of these threats. A strong security culture and constant vigilance are vital to mitigating the risks posed by advanced phishing campaigns.
“It is essential to have agile, innovative, multilayered defense strategies and foster a strong security culture to stay ahead of this ever-evolving threat. Look for security tools that continuously evolve in line with emerging threats, improving pattern-matching rules, monitoring IOCs and fine-tuning security solutions,” Barracuda concluded.