New Multi-Stage Tycoon2FA Phishing Attack Outperforms Leading Security Systems

If one believes that phishing is merely about clicking a malicious link and landing on a counterfeit login page, Tycoon2FA will challenge that notion. This innovative form of phishing-as-a-service has evolved beyond traditional tactics, presenting a complex 7-stage obstacle course designed to exhaust both human analysts and automated systems. It has already begun to bypass trusted security measures, posing a significant threat. If Security Operations Centre teams fail to identify it promptly, the repercussions could occur before anyone is aware of its presence. Tycoon2FA specifically targets high-value accounts that can access critical systems and sensitive information, including government and military agencies, as well as financial institutions ranging from global banks to regional insurers. Recent campaigns have impacted the US, UK, Canada, and Europe, with data from ANY.RUN indicating that 26% of Tycoon2FA incidents involved banking-sector analysts, highlighting the potential for severe financial and national security consequences from a single compromised login.

When analysed in a sandbox environment, Tycoon2FA reveals its meticulously crafted 7-step process, with each stage designed to thwart automated detection, wear down analysts, and conceal the final phishing panel until the very end. A recent analysis session in the ANY.RUN sandbox exposed the entire phishing chain within minutes. With Automated Interactivity enabled, the sandbox simulated genuine user behaviour: clicking links, completing CAPTCHAs, pressing buttons, and navigating multi-step redirects. The detonation actions panel proved invaluable, displaying the key steps taken during execution and offering hints that help analysts keep the session moving. This is particularly beneficial for junior analysts, who can navigate tricky stages with ease.

The chain itself begins with a voicemail-themed email prompting the victim to click a “Listen Here” link, which the sandbox clicks automatically, starting the analysis without manual intervention. The link leads to a “Download PDF” prompt disguised as a new voice message, and the sandbox downloads the file while preserving its metadata for further examination. Opening the PDF reveals another embedded hyperlink, which ANY.RUN detects and follows automatically so that no redirection step is overlooked. A CAPTCHA challenge then appears, intended to obstruct automated scanners, but the sandbox completes it without human assistance and the analysis continues seamlessly.
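The stage sequence described above (voicemail lure, PDF prompt, PDF carrying an embedded link, CAPTCHA gate) is something a SOC can match against sandbox output. The following is an added example, not code from the article or from ANY.RUN: it pulls link targets out of PDF link annotations and maps a constructed, hypothetical event log onto that stage pattern.

```python
import re

# Constructed PDF fragment with a link annotation (not a real Tycoon2FA sample).
# The /URI entry is the "embedded hyperlink" the sandbox follows in stage 3.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (hxxps://voice-msg.example/play?id=42) >> >> endobj\n")

# Constructed sandbox event log using a hypothetical schema, modelled on the stages
# the article walks through. Real sandbox exports will differ.
SAMPLE_EVENTS = [
    {"stage": "email", "subject": "New Voice Message", "link_text": "Listen Here"},
    {"stage": "web", "prompt": "Download PDF"},
    {"stage": "download", "filename": "voicemessage.pdf", "content": SAMPLE_PDF},
    {"stage": "web", "prompt": "Verify you are human"},
]

VOICEMAIL_TERMS = re.compile(r"voice\s*(mail|message)|listen here", re.I)
CAPTCHA_TERMS = re.compile(r"captcha|verify you are human|not a robot", re.I)
PDF_URI = re.compile(rb"/URI\s*\((.*?)\)", re.S)

EXPECTED_CHAIN = ["voicemail_lure", "pdf_prompt", "pdf_with_link", "captcha_gate"]


def extract_pdf_uris(pdf_bytes):
    """Return link targets found in PDF link annotations (/URI entries)."""
    return [u.decode("latin-1") for u in PDF_URI.findall(pdf_bytes)]


def classify_chain(events):
    """Map sandbox events onto the lure -> PDF -> embedded link -> CAPTCHA pattern.

    Returns the stages recognised, in order, and whether the first four match
    the multi-stage flow described for Tycoon2FA.
    """
    found = []
    for ev in events:
        text = ev.get("subject", "") + " " + ev.get("link_text", "") + " " + ev.get("prompt", "")
        if ev["stage"] == "email" and VOICEMAIL_TERMS.search(text):
            found.append("voicemail_lure")
        elif ev["stage"] == "web" and "pdf" in text.lower():
            found.append("pdf_prompt")
        elif ev["stage"] == "download" and ev.get("filename", "").lower().endswith(".pdf"):
            if extract_pdf_uris(ev["content"]):  # a PDF whose only job is to carry a link
                found.append("pdf_with_link")
        elif ev["stage"] == "web" and CAPTCHA_TERMS.search(text):
            found.append("captcha_gate")
    return found, found[:4] == EXPECTED_CHAIN
```

A match on all four early stages is a strong signal to escalate the session even before the final phishing panel has been reached.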

Categories: Phishing Techniques, Targeted Sectors, Security Analysis Tools

Tags: Phishing, Tycoon2FA, Obstacle Course, Security Tools, SOC Teams, Sensitive Data, Financial Institutions, Multi-Stage Attack, Automated Interactivity, CAPTCHA
