Tycoon2FA leveraged by Dadsec to pilfer Microsoft 365 credentials

The threat actor tracked as Storm-1575, also known as Dadsec, has been using the infrastructure of the Tycoon2FA phishing-as-a-service platform in a large phishing campaign targeting Microsoft 365 credentials that began in August 2023, illustrating how interdependent the PhaaS landscape has become, GBHackers News reports. Attacks begin with malicious emails carrying QR codes or HTML attachments that redirect victims to fake Microsoft login pages backed by distinctive PHP resources, according to an analysis by Trustwave's Threat Intelligence Team. Trustwave also found that Dadsec and Tycoon2FA domains resolve to the same IP addresses and Autonomous System Numbers, and that both commonly use the ".ru" top-level domain, suggesting Russian origins. The researchers further noted that Tycoon2FA ships with anti-analysis features, including disabling browser inspection tools, runtime AES decryption and Base64 encoding of its payload, and keystroke detection. Such a threat, the researchers added, should prompt organizations to improve their intrusion analysis and detection techniques.
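The infrastructure overlap Trustwave describes (two campaigns whose domains resolve to the same IPs and ASNs, with a shared preference for the ".ru" TLD) is the kind of pivot an analyst can script over passive-DNS data. The following is an added example, not code from the article or from Trustwave; the records, domains, IPs and ASNs are constructed placeholders (RFC 5737 addresses and documentation-range ASNs), not real Tycoon2FA or Dadsec indicators.

```python
"""Infrastructure-overlap pivot across two phishing clusters.

Added example, not from the original article or from Trustwave's report.
Input is a constructed list of passive-DNS-style resolutions
(cluster, domain, IP, ASN); all values are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    cluster: str  # which campaign the domain was attributed to
    domain: str
    ip: str
    asn: str


# Constructed sample data (placeholders, not real indicators).
SAMPLE = [
    Resolution("dadsec", "login-office.example.ru", "203.0.113.10", "AS64500"),
    Resolution("dadsec", "secure-mail.example.ru", "203.0.113.11", "AS64500"),
    Resolution("dadsec", "verify-m365.example.com", "198.51.100.7", "AS64501"),
    Resolution("tycoon2fa", "auth-portal.example.ru", "203.0.113.10", "AS64500"),
    Resolution("tycoon2fa", "sso-check.example.net", "192.0.2.44", "AS64502"),
    Resolution("tycoon2fa", "mfa-step.example.ru", "203.0.113.12", "AS64500"),
]


def pivot(records, key):
    """Map each pivot value (the 'ip' or 'asn' field) to the clusters seen on it."""
    seen = defaultdict(set)
    for r in records:
        seen[getattr(r, key)].add(r.cluster)
    return seen


def shared_infrastructure(records, key):
    """Return pivot values (IPs or ASNs) that more than one cluster resolves to."""
    return sorted(v for v, clusters in pivot(records, key).items() if len(clusters) > 1)


def linked_domains(records, key):
    """Return domains from every cluster that sit on shared infrastructure."""
    shared = set(shared_infrastructure(records, key))
    return sorted(r.domain for r in records if getattr(r, key) in shared)


def tld_share(records, tld=".ru"):
    """Fraction of distinct domains that end in the given TLD."""
    domains = {r.domain for r in records}
    return sum(d.endswith(tld) for d in domains) / len(domains)


if __name__ == "__main__":
    print("shared IPs: ", shared_infrastructure(SAMPLE, "ip"))
    print("shared ASNs:", shared_infrastructure(SAMPLE, "asn"))
    print("linked by ASN:", linked_domains(SAMPLE, "asn"))
    print(".ru share: %.2f" % tld_share(SAMPLE))
```

A shared ASN is a much weaker link than a shared IP (large hosting providers serve many unrelated customers), so in practice an ASN pivot is a lead to be confirmed with other evidence such as the PHP resource fingerprints the report mentions, not an attribution on its own.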