Anti-analysis capabilities added to its arsenal.
A Phishing-as-a-Service campaign has been bolstered with capabilities to use legitimate email accounts to launch attacks, and use specially crafted source code to obstruct web page analysis.
Initially detected last March by Sekoia, Tycoon 2FA targeted Microsoft 365 and Gmail accounts, and had the ability to bypass two-factor authentication (2FA) protection.
New analysis from Barracuda Networks found a new version has been in use since November 2024 which “features advanced tactics designed to obstruct, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages.”
Stealthier
Deerendra Prasad, associate threat analyst in the Threat Analyst Team at Barracuda Networks, described it as “stealthier than the earlier edition” as it uses legitimate — possibly compromised — email accounts to launch attacks, although it was not clear where the email addresses are sourced from.
Also, a new script function has been added that obstructs attempts to analyse the web page: the typical pattern of calling external JavaScript resources, stylesheets, and meta tags is skipped. The new version also includes functions to prevent analysis of the code, and if any analysis tools are detected, the user is redirected to a blank page, preventing further analysis.
“We observed tools used to prevent users from copying meaningful text from the web page by automatically overwriting clipboard content with a specified string, thereby hindering data extraction,” Prasad said.
“We have observed Tycoon 2FA used in numerous phishing campaigns over the past months. We expect cyber attackers to continue to refine their methods to circumvent traditional security measures and thwart deeper analysis.”
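The page behaviours described above (no external scripts, stylesheets or meta tags; a redirect to a blank page; clipboard overwriting) lend themselves to a first-pass static triage of captured page source. The following is an added example, not code from Barracuda Networks or from this article; the `triagePage` name, the regex patterns, the two-hit threshold and both sample pages are constructed assumptions rather than signatures taken from Tycoon 2FA.

```javascript
// Static heuristics for the anti-analysis behaviours described in the article.
// Patterns are illustrative assumptions, not extracted from a real kit.
const CHECKS = [
  { id: "clipboard-overwrite", // copy/cut handler that replaces the selected text
    test: (h) => /addEventListener\(\s*['"](copy|cut)['"]/.test(h) &&
                 /clipboardData\.setData|clipboard\.writeText/.test(h) },
  { id: "blank-redirect",      // navigation to about:blank from script
    test: (h) => /location(\.href)?\s*=\s*['"]about:blank['"]/.test(h) ||
                 /location\.replace\(\s*['"]about:blank['"]/.test(h) },
  { id: "analysis-probe",      // common checks for automation or open dev tools
    test: (h) => /\bdebugger\b|navigator\.webdriver|outerWidth\s*-\s*(window\.)?innerWidth/.test(h) },
  { id: "no-external-resources", // inline script only: no <script src>, stylesheet or <meta>
    test: (h) => /<script\b(?![^>]*\bsrc=)[^>]*>/i.test(h) &&
                 !/<script\b[^>]*\bsrc=/i.test(h) &&
                 !/<link\b[^>]*rel=["']?stylesheet/i.test(h) &&
                 !/<meta\b/i.test(h) },
];

// Returns the matched indicator ids; two or more marks the page for manual review.
function triagePage(html) {
  const hits = CHECKS.filter((c) => c.test(html)).map((c) => c.id);
  return { hits, suspicious: hits.length >= 2 };
}

// Constructed sample: a page showing all four behaviours.
const SAMPLE_SUSPECT = `<html><body><form></form><script>
document.addEventListener('copy', function (e) {
  e.clipboardData.setData('text/plain', 'placeholder'); e.preventDefault();
});
if (navigator.webdriver) { window.location.href = 'about:blank'; }
</script></body></html>`;

// Constructed sample: an ordinary page with external resources and meta tags.
const SAMPLE_BENIGN = `<html><head><meta charset="utf-8">
<link rel="stylesheet" href="/site.css"><script src="/app.js"></script></head>
<body><p>Sign in</p></body></html>`;

console.log(triagePage(SAMPLE_SUSPECT), triagePage(SAMPLE_BENIGN));
```

A single hit is common on legitimate pages, which is why the verdict requires a combination of indicators; obfuscated source will need deobfuscation or dynamic analysis before these patterns apply.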
Written by
Dan Raywood
Senior Editor
SC Media UK