<!DOCTYPE html> <html lang="en-us" dir="ltr" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# schema: http://schema.org/ sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema# " class="page-en"> <head> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-MGR7P8X');</script> <script async src="https://www.googletagmanager.com/gtag/js?id=G-B1V8SZE3GL"></script> <script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-B1V8SZE3GL');</script> <script>(function(){var a=window.mutiny=window.mutiny||{};if(!window.mutiny.client){a.client={_queue:{}};var b=["identify","trackConversion"];var c=[].concat(b,["defaultOptOut","optOut","optIn"]);var d=function factory(c){return function(){for(var d=arguments.length,e=new Array(d),f=0;f<d;f++){e[f]=arguments[f]}a.client._queue[c]=a.client._queue[c]||[];if(b.includes(c)){return new Promise(function(b,d){a.client._queue[c].push({args:e,resolve:b,reject:d})})}else{a.client._queue[c].push({args:e})}}};c.forEach(function(b){a.client[b]=d(b)})}})();</script> <script data-cfasync="false" src="https://client-registry.mutinycdn.com/personalize/client/d454424c4514a20a.js"></script> <meta charset="utf-8" /> <meta name="description" content="Explore Tycoon 2FA, a sophisticated phishing kit used to bypass MFA. Learn how it works, what an attack looks like, detection techniques and more." /> <link rel="shortlink" href="https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass" /> <link rel="canonical" href="https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass" /> <link rel="image_src" href="https://www.proofpoint.com/sites/default/files/styles/metatag/public/blog-banners/pfpt-op-blog-banner-4.jpg.webp?itok=sg5ugY3O" /> <link rel="icon" href="/themes/custom/proofpoint/apps/drupal/favicon.ico" /> <link rel="mask-icon" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon.svg" /> <link rel="icon" sizes="16x16" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-16x16.png" /> <link rel="icon" sizes="32x32" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-32x32.png" /> <link rel="icon" sizes="96x96" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-96x96.png" /> <link rel="icon" sizes="192x192" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-192x192.png" /> <link rel="apple-touch-icon" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-60x60.png" /> <link rel="apple-touch-icon" sizes="72x72" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-72x72.png" /> <link rel="apple-touch-icon" sizes="76x76" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-76x76.png" /> <link rel="apple-touch-icon" sizes="114x114" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-114x114.png" /> <link rel="apple-touch-icon" sizes="120x120" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-120x120.png" /> <link rel="apple-touch-icon" sizes="144x144" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-144x144.png" /> <link rel="apple-touch-icon" sizes="152x152" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-152x152.png" /> <link rel="apple-touch-icon" sizes="180x180" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-180x180.png" /> <link rel="apple-touch-icon-precomposed" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-57x57.png" /> <link rel="apple-touch-icon-precomposed" sizes="72x72" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-72x72.png" /> <link rel="apple-touch-icon-precomposed" sizes="76x76" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-76x76.png" /> <link rel="apple-touch-icon-precomposed" sizes="114x114" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-114x114.png" /> <link rel="apple-touch-icon-precomposed" sizes="120x120" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-120x120.png" /> <link rel="apple-touch-icon-precomposed" sizes="144x144" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-144x144.png" /> <link rel="apple-touch-icon-precomposed" sizes="152x152" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-152x152.png" /> <link rel="apple-touch-icon-precomposed" sizes="180x180" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-180x180.png" /> <meta property="og:site_name" content="Proofpoint" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass" /> <meta property="og:title" content="Tycoon 2FA: Phishing Kit Being Used to Bypass MFA | Proofpoint US" /> <meta property="og:description" content="Explore Tycoon 2FA, a sophisticated phishing kit used to bypass MFA. Learn how it works, what an attack looks like, detection techniques and more." /> <meta property="og:image" content="https://www.proofpoint.com/sites/default/files/styles/metatag/public/blog-banners/pfpt-op-blog-banner-4.jpg.webp?itok=sg5ugY3O" /> <meta property="og:image:url" content="https://www.proofpoint.com/sites/default/files/styles/metatag/public/blog-banners/pfpt-op-blog-banner-4.jpg.webp?itok=sg5ugY3O" /> <meta property="og:image:secure_url" content="https://www.proofpoint.com/sites/default/files/styles/metatag/public/blog-banners/pfpt-op-blog-banner-4.jpg.webp?itok=sg5ugY3O" /> <meta property="article:published_time" content="2024-05-08T14:40:10-07:00" /> <meta property="article:modified_time" content="2024-05-09T09:06:50-07:00" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:description" content="Explore Tycoon 2FA, a sophisticated phishing kit used to bypass MFA. Learn how it works, what an attack looks like, detection techniques and more." /> <meta name="twitter:title" content="Tycoon 2FA: Phishing Kit Being Used to Bypass MFA | Proofpoint US" /> <meta name="twitter:site" content="@proofpoint" /> <meta name="twitter:url" content="https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass" /> <meta name="twitter:image" content="https://www.proofpoint.com/sites/default/files/styles/metatag/public/blog-banners/pfpt-op-blog-banner-4.jpg.webp?itok=sg5ugY3O" /> <script data-cfasync="false" type="text/javascript" id="vwoCode">window._vwo_code=window._vwo_code || (function() { var account_id=767242, version=1.3, settings_tolerance=2000, library_tolerance=2500,z use_existing_jquery=false, is_spa=1, hide_element='body', /* DO NOT EDIT BELOW THIS LINE */ f=false,d=document,code={use_existing_jquery:function(){return use_existing_jquery},library_tolerance:function(){return library_tolerance},finish:function(){if(!f){f=true;var e=d.getElementById('_vis_opt_path_hides');if(e)e.parentNode.removeChild(e)}},finished:function(){return f},load:function(e){var t=d.createElement('script');t.fetchPriority='high';t.src=e;t.type='text/javascript';t.innerText;t.onerror=function(){_vwo_code.finish()};d.getElementsByTagName('head')[0].appendChild(t)},init:function(){window.settings_timer=setTimeout(function(){_vwo_code.finish()},settings_tolerance);var e=d.createElement('style'),t=hide_element?hide_element+'{opacity:0 !important;filter:alpha(opacity=0) !important;background:none !important;}':'',i=d.getElementsByTagName('head')[0];e.setAttribute('id','_vis_opt_path_hides');e.setAttribute('nonce',document.querySelector('#vwoCode').nonce);e.setAttribute('type','text/css');if(e.styleSheet)e.styleSheet.cssText=t;else e.appendChild(d.createTextNode(t));i.appendChild(e);this.load('https://dev.visualwebsiteoptimizer.com/j.php?a='+account_id+'&u='+encodeURIComponent(d.URL)+'&f='+ +is_spa+'&vn='+version);return settings_timer}};window._vwo_settings_timer = code.init();return code;}());</script> <meta name="facebook-domain-verification" content="l349mr2tyecyl7w3a1146378lqxru1" /> <meta name="MobileOptimized" content="width" /> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/proofpoint.woff2" as="font" crossorigin="anonymous" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/RobotoCondensed-Regular-webfont.woff" as="font" crossorigin="anonymous" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/fjalla-one-v7-latin-regular.woff" as="font" crossorigin="anonymous" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/fjalla-one-v7-latin-regular.woff2" as="font" crossorigin="anonymous" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/RobotoCondensed-Bold-webfont.woff" as="font" crossorigin="anonymous" /> <link rel="alternate" hreflang="en-us" href="https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass" /> <link rel="alternate" hreflang="en-gb" href="https://www.proofpoint.com/uk/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass" /> <link rel="alternate" hreflang="en-au" href="https://www.proofpoint.com/au/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass" /> <title>Tycoon 2FA: Phishing Kit Being Used to Bypass MFA | Proofpoint US</title> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_SzsfcKm17EaxTSftk5pG4vhuvmtTMk2JTGHvDvyHSOU.css?delta=0&amp;language=en&amp;theme=particle&amp;include=eJxdkMFuAyEMRH9oEap66d9ENnEALdjImEj9-7K5wPZiycNoxo_WHvnrh30BjgMiuScZBRM9WntU0JNMfB0c0pn50jqBhuSH5dKv3RJV8iZSEPTov92oeoRORwO1HAr5IEqbFZABMXNcjigSC7mXsPWlvkSM1L2_P70JlPxnWsqbC4vEvYuN2FybLHozhdP1gT1oRnI4zITXeyJ43i5CnUrQUfFf1QpZ-pZ79dxjJwHDe2MtglAclfkZE_cP6VGUfg" /> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_8ecnUogkowN7sYBLQ7Tqbcqe0r3rbujwh1eXZu6Z_X8.css?delta=1&amp;language=en&amp;theme=particle&amp;include=eJxdkMFuAyEMRH9oEap66d9ENnEALdjImEj9-7K5wPZiycNoxo_WHvnrh30BjgMiuScZBRM9WntU0JNMfB0c0pn50jqBhuSH5dKv3RJV8iZSEPTov92oeoRORwO1HAr5IEqbFZABMXNcjigSC7mXsPWlvkSM1L2_P70JlPxnWsqbC4vEvYuN2FybLHozhdP1gT1oRnI4zITXeyJ43i5CnUrQUfFf1QpZ-pZ79dxjJwHDe2MtglAclfkZE_cP6VGUfg" /> <script src="/sites/default/files/js/js_Wi8RdyzDF-uwGcwq9eMv1Giiu7RfMo7nYneG5kg6rd4.js?scope=header&amp;delta=0&amp;language=en&amp;theme=particle&amp;include=eJxdkMFuAyEMRH9oEap66d9ENnEALdjImEj9-7K5wPZiycNoxo_WHvnrh30BjgMiuScZBRM9WntU0JNMfB0c0pn50jqBhuSH5dKv3RJV8iZSEPTov92oeoRORwO1HAr5IEqbFZABMXNcjigSC7mXsPWlvkSM1L2_P70JlPxnWsqbC4vEvYuN2FybLHozhdP1gT1oRnI4zITXeyJ43i5CnUrQUfFf1QpZ-pZ79dxjJwHDe2MtglAclfkZE_cP6VGUfg"></script> <script src="https://platform-api.sharethis.com/js/sharethis.js#property=6543fd1a2398960013d900a7&amp;product=inline-share-buttons&amp;source=platform"></script> </head> <body class="path-node"> <a href="#main-content" class="visually-hidden focusable"> Skip to main content </a> <div class="limit-width-wrapper"> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <div class="header-nav__spacer"></div> <div class="header-nav js-is-top"> <div class="header-nav__extra"> <div class="header-nav__extra-wrap"> <div class="header-nav__top-language" data-open="content:x_lng"> <span>English (Americas)</span> </div> <div class="header-nav__actions"> <div class="header-nav__top-search" data-open="content:x_sch"> <span>Search</span> </div> <div class="header-nav__top-login" data-open="content:x_lgn"> <span>Login</span> </div> </div> </div> </div> <div class="header-nav__main"> <div class="header-nav__main-wrap"> <div class="header-nav__expand" data-open="home"></div> <ul class="header-nav__top-links"> <li class="header-nav__top-link"> <div data-open="content:platform_panel" class="header-nav__top-link-text"> Platform </div> </li> <li class="header-nav__top-link"> <div data-open="content:products_panel" class="header-nav__top-link-text"> Products </div> </li> <li class="header-nav__top-link"> <div data-open="content:solutions_panel" class="header-nav__top-link-text"> Solutions </div> </li> </ul> <a href="/us" class="header-nav__logo">Proofpoint</a> <div class="header-nav__buttons"> <a href=/us/contact class="global-elements__cta-button--outline header-nav__button" > <span>Contact</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> </div> <div class="header-nav__mobile-actions"> <div class="header-nav__mobile-search" data-open="content:x_sch">Search</div> <div class="header-nav__mobile-menu" data-open="home"></div> </div> </div> </div> </div> <div class="header-nav__menu"> <div class="header-nav__menu-wrapper"> <div class="header-nav__menu-close"></div> <div class="header-nav__menu-pane" data-home={true}> <ul class="header-nav__home-links"> <li class="header-nav__home-link" data-open="content:platform_panel" ><span>Platform</span></li> <li class="header-nav__home-link" data-open="content:products_panel" ><span>Products</span></li> <li class="header-nav__home-link" data-open="content:solutions_panel" ><span>Solutions</span></li> <li class="header-nav__home-link" data-open="content:partners_panel" ><span>Partners</span></li> <li class="header-nav__home-link" data-open="content:resources_panel" ><span>Resources</span></li> <li class="header-nav__home-link" data-open="content:company_panel" ><span>Company</span></li> </ul> <div class="header-nav__menu-extras"> <div class="header-nav__menu-search" data-open="content:x_sch">Search</div> <div class="header-nav__menu-login" data-open="content:x_lgn">Login</div> <div class="header-nav__menu-language" data-open="content:x_lng">English (Americas)</div> </div> </div> <div class="header-nav__menu-pane" data-sublinks="Platform"> <div class="header-nav__sublinks"> <div class="header-nav__expand-title">Platform</div> <ul class="header-nav__expand-links"> </ul> </div> </div> <div class="header-nav__menu-pane" data-sublinks="Products"> <div class="header-nav__sublinks"> <div class="header-nav__expand-title">Products</div> <ul class="header-nav__expand-links"> </ul> </div> </div> <div class="header-nav__menu-pane" data-sublinks="Solutions"> <div class="header-nav__sublinks"> <div class="header-nav__expand-title">Solutions</div> <ul class="header-nav__expand-links"> </ul> </div> </div> <div class="header-nav__menu-pane" data-sublinks="Partners"> <div class="header-nav__sublinks"> <div class="header-nav__expand-title">Partners</div> <ul class="header-nav__expand-links"> </ul> </div> </div> <div class="header-nav__menu-pane" data-sublinks="Resources"> <div class="header-nav__sublinks"> <div class="header-nav__expand-title">Resources</div> <ul class="header-nav__expand-links"> </ul> </div> </div> <div class="header-nav__menu-pane" data-sublinks="Company"> <div class="header-nav__sublinks"> <div class="header-nav__expand-title">Company</div> <ul class="header-nav__expand-links"> </ul> </div> </div> <div class="header-nav__menu-pane" data-content="products_panel"> <div class="header-nav__content"> <a href="/us/products/protect-people" class="header-nav__content-link-group-anchor"> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Protect People</div> <div class="header-nav__content-group-desc">Multi-layered, adaptive defenses for threat detection, impersonation, and supplier risk.</div> </div> </a> <div class="header-nav__content-link"> <a href="/us/products/threat-defense" class="header-nav__content-link-text">Email Security</a> </div> <div class="header-nav__content-link"> <a href="/us/products/impersonation-protection" class="header-nav__content-link-text">Impersonation Protection</a> </div> <div class="header-nav__content-link"> <a href="#" class="header-nav__content-link-text" data-open="content:products_more_tp_products_panel">More products</a> </div> <a href="/us/products/defend-data" class="header-nav__content-link-group-anchor"> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Defend Data</div> <div class="header-nav__content-group-desc">Transform your information protection with a human-centric, omni-channel approach.</div> </div> </a> <div class="header-nav__content-link"> <a href="/us/products/data-loss-prevention" class="header-nav__content-link-text">Enterprise DLP</a> </div> <div class="header-nav__content-link"> <a href="/us/products/adaptive-email-dlp" class="header-nav__content-link-text">Adaptive Email DLP</a> </div> <div class="header-nav__content-link"> <a href="/us/products/insider-threat-management" class="header-nav__content-link-text">Insider Threat Management</a> </div> <div class="header-nav__content-link"> <a href="/us/products/compliance-and-archiving" class="header-nav__content-link-text">Intelligent Compliance</a> </div> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Mitigate Human Risk</div> <div class="header-nav__content-group-desc">Unlock full user risk visibility and drive behavior change.</div> </div> <div class="header-nav__content-link"> <a href="/us/products/mitigate-human-risk" class="header-nav__content-link-text">Security Awareness</a> </div> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Augment Your Capabilities</div> </div> <div class="header-nav__content-link"> <a href="/us/products/premium-services" class="header-nav__content-link-text">Managed Services</a> </div> <div class="header-nav__content-link"> <a href="/us/products/packages" class="header-nav__content-link-text">Product Packages</a> </div> <div class="header-nav__content-link-spacer"></div> </div> </div> <div class="header-nav__menu-pane" data-content="products_more_tp_products_panel"> <div class="header-nav__content"> <div class="header-nav__content-heading">More Protect People Products</div> <div class="header-nav__content-link"> <a href="/us/products/identity-protection" class="header-nav__content-link-text">Account Take-Over and Identity Protection</a> <div class="header-nav__content-link-desc">Secure vulnerable identities, stop lateral movement and privilege escalation.</div> </div> <div class="header-nav__content-link"> <a href="/us/products/adaptive-email-security" class="header-nav__content-link-text">Adaptive Email Security</a> <div class="header-nav__content-link-desc">Stop more threats with a fully integrated layer of behavioral AI.</div> </div> <div class="header-nav__content-link"> <a href="/us/products/email-security-and-protection/secure-email-relay" class="header-nav__content-link-text">Secure Email Relay</a> <div class="header-nav__content-link-desc">Secure your application email and accelerate DMARC implementation</div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="solutions_panel"> <div class="header-nav__content"> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Solutions by Use Case</div> <div class="header-nav__content-group-desc">How Proofpoint protects your people and data.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/email-authentication-with-dmarc" class="header-nav__content-link-text">Authenticate Your Email</a> <div class="header-nav__content-link-desc">Protect your email deliverability with DMARC.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/combat-email-and-cloud-threats" class="header-nav__content-link-text">Combat Email and Cloud Threats</a> <div class="header-nav__content-link-desc">Protect your people from email and cloud threats with an intelligent and holistic approach.</div> </div> <div class="header-nav__content-link"> <a href="#" class="header-nav__content-link-text" data-open="content:solutions_by_use_case_panel">More use cases</a> </div> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Solutions by Industry</div> <div class="header-nav__content-group-desc">People-centric solutions for your organization.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/federal" class="header-nav__content-link-text">Federal Government</a> <div class="header-nav__content-link-desc">Cybersecurity for federal government agencies.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/state-and-local-government" class="header-nav__content-link-text">State and Local Government</a> <div class="header-nav__content-link-desc">Protecting the public sector, and the public from cyber threats.</div> </div> <div class="header-nav__content-link"> <a href="#" class="header-nav__content-link-text" data-open="content:solutions_by_industry_panel">More industries</a> </div> <a href="/us/compare" class="header-nav__content-link-group-anchor"> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Comparing Proofpoint</div> <div class="header-nav__content-group-desc">Evaluating cybersecurity vendors? Check out our side-by-side comparisons.</div> </div> </a> <div class="header-nav__content-link"> <a href="#" class="header-nav__content-link-text" data-open="content:compare_proofpoint_panel">View comparisons</a> </div> </div> </div> <div class="header-nav__menu-pane" data-content="solutions_by_use_case_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Solutions By Use Case</h3> <div class="header-nav__content-heading">How Proofpoint protects your people and data.</div> <div class="header-nav__content-link"> <a href="/us/solutions/change-user-behavior" class="header-nav__content-link-text">Change User Behavior</a> <div class="header-nav__content-link-desc">Help your employees identify, resist and report attacks before the damage is done.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/combat-data-loss-and-insider-risk" class="header-nav__content-link-text">Combat Data Loss and Insider Risk</a> <div class="header-nav__content-link-desc">Prevent data loss via negligent, compromised and malicious insiders.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/enable-intelligent-compliance" class="header-nav__content-link-text">Modernize Compliance and Archiving</a> <div class="header-nav__content-link-desc">Manage risk and data retention needs with a modern compliance and archiving solution.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/protect-cloud-apps" class="header-nav__content-link-text">Protect Cloud Apps</a> <div class="header-nav__content-link-desc">Keep your people and their cloud apps secure by eliminating threats and data loss.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/prevent-loss-from-ransomware" class="header-nav__content-link-text">Prevent Loss from Ransomware</a> <div class="header-nav__content-link-desc">Learn about this growing threat and stop attacks by securing ransomware&#039;s top vector: email.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/secure-microsoft-365" class="header-nav__content-link-text">Secure Microsoft 365</a> <div class="header-nav__content-link-desc">Implement the best security and compliance solution for Microsoft 365.</div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="solutions_by_industry_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Solutions By Industry</h3> <div class="header-nav__content-heading">People-centric solutions for your organization.</div> <div class="header-nav__content-link"> <a href="/us/solutions/higher-education-security" class="header-nav__content-link-text">Higher Education</a> <div class="header-nav__content-link-desc">A higher level of security for higher education.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/financial-services-and-insurance" class="header-nav__content-link-text">Financial Services</a> <div class="header-nav__content-link-desc">Eliminate threats, build trust and foster growth for your organization.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/healthcare-information-security" class="header-nav__content-link-text">Healthcare</a> <div class="header-nav__content-link-desc">Protect clinicians, patient data, and your intellectual property against advanced threats.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/mobile-message-security-solutions-for-service-providers" class="header-nav__content-link-text">Mobile Operators</a> <div class="header-nav__content-link-desc">Make your messaging environment a secure environment.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/email-security-solutions-for-service-providers" class="header-nav__content-link-text">Internet Service Providers</a> <div class="header-nav__content-link-desc">Cloudmark email protection.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/protection-compliance-small-business" class="header-nav__content-link-text">Small and Medium Businesses</a> <div class="header-nav__content-link-desc">Big-time security for small business.</div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="compare_proofpoint_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Proofpoint vs. the competition</h3> <div class="header-nav__content-heading">Side-by-side comparisons.</div> <div class="header-nav__content-link"> <a href="/us/compare/proofpoint-vs-abnormal-security" class="header-nav__content-link-text">Proofpoint vs. Abnormal Security</a> </div> <div class="header-nav__content-link"> <a href="/us/compare/proofpoint-vs-mimecast" class="header-nav__content-link-text">Proofpoint vs. Mimecast</a> </div> <div class="header-nav__content-link"> <a href="/us/compare/proofpoint-vs-cisco" class="header-nav__content-link-text">Proofpoint vs. Cisco</a> </div> <div class="header-nav__content-link"> <a href="/us/compare/proofpoint-vs-microsoft" class="header-nav__content-link-text">Proofpoint vs Microsoft</a> </div> <div class="header-nav__content-link"> <a href="/us/compare/proofpoint-vs-microsoft-purview" class="header-nav__content-link-text">Proofpoint vs. Microsoft Purview</a> </div> <div class="header-nav__content-link"> <a href="/us/compare/proofpoint-vs-legacy-dlp" class="header-nav__content-link-text">Proofpoint vs. Legacy DLP</a> </div> </div> </div> <div class="header-nav__menu-pane" data-content="partners_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Partners</h3> <div class="header-nav__content-heading">Deliver Proofpoint solutions to your customers.</div> <a href=https://partners.proofpoint.com class="global-elements__cta-button header-nav__content-button" > <span>Channel Partners</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> <div class="header-nav__content-link"> <a href="/us/partners/trusted-data-solutions-partnership" class="header-nav__content-link-text">Archive Extraction Partners</a> <div class="header-nav__content-link-desc">Learn about Extraction Partners.</div> </div> <div class="header-nav__content-link"> <a href="/us/global-system-integrator-gsi-and-global-managed-service-provider-msp-partners" class="header-nav__content-link-text">GSI and MSP Partners</a> <div class="header-nav__content-link-desc">Learn about our global consulting.</div> </div> <div class="header-nav__content-link"> <a href="/us/partners/technology-alliance-partners" class="header-nav__content-link-text">Technology and Alliance Partners</a> <div class="header-nav__content-link-desc">Learn about our relationships.</div> </div> <div class="header-nav__content-link"> <a href="/us/partners/digital-risk-and-compliance-partners" class="header-nav__content-link-text">Social Media Protection Partners</a> <div class="header-nav__content-link-desc">Learn about the technology and....</div> </div> <div class="header-nav__content-link"> <a href="/us/channel-partners-small-and-medium-business" class="header-nav__content-link-text">Proofpoint Essentials Partner Programs</a> <div class="header-nav__content-link-desc">Small Business Solutions .</div> </div> <div class="header-nav__content-link"> <a href="https://partners.proofpoint.com/prm/English/s/applicant" class="header-nav__content-link-text">Become a Channel Partner</a> </div> </div> </div> <div class="header-nav__menu-pane" data-content="resources_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Resources</h3> <div class="header-nav__content-heading">Find reports, webinars, blogs, events, podcasts and more.</div> <a href=/us/resources class="global-elements__cta-button header-nav__content-button" > <span>Resource Library</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> <div class="header-nav__content-link"> <a href="/us/blog" class="header-nav__content-link-text">Blog</a> <div class="header-nav__content-link-desc">Keep up with the latest news and happenings.</div> </div> <div class="header-nav__content-link"> <a href="/us/webinars" class="header-nav__content-link-text">Webinars</a> <div class="header-nav__content-link-desc">Browse our webinar library to learn about the latest threats, trends and issues in cybersecurity.</div> </div> <div class="header-nav__content-link"> <a href="/us/cybersecurity-academy" class="header-nav__content-link-text">Cybersecurity Academy</a> <div class="header-nav__content-link-desc">Earn your certification to become a Proofpoint Certified Guardian.</div> </div> <div class="header-nav__content-link"> <a href="/us/podcasts" class="header-nav__content-link-text">Podcasts</a> <div class="header-nav__content-link-desc">Learn about the human side of cybersecurity.</div> </div> <div class="header-nav__content-link"> <a href="/us/new-perimeters" class="header-nav__content-link-text">New Perimeters Magazine</a> <div class="header-nav__content-link-desc">Get the latest cybersecurity insights in your hands.</div> </div> <div class="header-nav__content-link"> <a href="/us/threat-reference" class="header-nav__content-link-text">Threat Glossary</a> <div class="header-nav__content-link-desc">Learn about the latest security threats.</div> </div> <div class="header-nav__content-link"> <a href="/us/events" class="header-nav__content-link-text">Events</a> <div class="header-nav__content-link-desc">Connect with us at events to learn how to protect your people and data from ever-evolving threats.</div> </div> <div class="header-nav__content-link"> <a href="/us/customer-stories" class="header-nav__content-link-text">Customer Stories</a> <div class="header-nav__content-link-desc">Read how our customers solve their most pressing cybersecurity challenges.</div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="company_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Company</h3> <div class="header-nav__content-heading">Proofpoint protects organizations' greatest assets and biggest risks: their people.</div> <a href=/us/company/about class="global-elements__cta-button header-nav__content-button" > <span>About Proofpoint</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> <div class="header-nav__content-link"> <a href="/us/why-proofpoint" class="header-nav__content-link-text">Why Proofpoint</a> <div class="header-nav__content-link-desc">Learn about our unique people-centric approach to protection.</div> </div> <div class="header-nav__content-link"> <a href="/us/company/careers" class="header-nav__content-link-text">Careers</a> <div class="header-nav__content-link-desc">Stand out and make a difference at one of the world&#039;s leading cybersecurity companies.</div> </div> <div class="header-nav__content-link"> <a href="/us/newsroom" class="header-nav__content-link-text">News Center</a> <div class="header-nav__content-link-desc">Read the latest press releases, news stories and media highlights about Proofpoint.</div> </div> <div class="header-nav__content-link"> <a href="/us/legal/trust" class="header-nav__content-link-text">Privacy and Trust</a> <div class="header-nav__content-link-desc">Learn about how we handle data and make commitments to privacy and other regulations.</div> </div> <div class="header-nav__content-link"> <a href="/us/legal/esg" class="header-nav__content-link-text">Environmental, Social, and Governance</a> <div class="header-nav__content-link-desc">Learn how we apply our principles to positively impact our community.</div> </div> <div class="header-nav__content-link"> <a href="/us/support-services" class="header-nav__content-link-text">Support</a> <div class="header-nav__content-link-desc">Access the full range of Proofpoint support services.</div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="platform_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Platform</h3> <div class="header-nav__content-heading">Discover the Proofpoint human-centric platform.</div> <a href=/us/platform class="global-elements__cta-button header-nav__content-button" > <span>Learn More</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> <div class="header-nav__content-link"> <a href="/us/platform/nexus" class="header-nav__content-link-text">Proofpoint Nexus</a> <div class="header-nav__content-link-desc">Detection technologies to protect people and defend data.</div> </div> <div class="header-nav__content-link"> <a href="/us/platform/zen" class="header-nav__content-link-text">Proofpoint Zen</a> <div class="header-nav__content-link-desc">Protect and engage users wherever they work.</div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="x_sch"> <div class="header-nav__content"> <div class="header-nav__content-title--search"> Search Proofpoint </div> <div class="header-nav__search"> <form class="header-nav__search-form"> <input type="text" class="header-nav__search-input" placeholder=""> <input type="submit" class="header-nav__search-button" val="Search"> </form> <div class="header-nav__search-sugg-title">Try searching for</div> <div class="header-nav__search-suggestions"> <a href="/us/search?content%5Bquery%5D=Email%20Security" class="header-nav__search-suggestion">Email Security</a> <a href="/us/search?content%5Bquery%5D=Phishing" class="header-nav__search-suggestion">Phishing</a> <a href="/us/search?content%5Bquery%5D=DLP" class="header-nav__search-suggestion">DLP</a> <a href="/us/search?content%5Bquery%5D=Email%20Fraud" class="header-nav__search-suggestion">Email Fraud</a> </div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="x_lgn"> <div class="header-nav__content"> <div class="header-nav__content-title"> Select Product Login </div> <ul class="header-nav__logins"> <li class="header-nav__content-login"> <a href="https://proofpoint.my.site.com/community/s/" target="_blank">Support Log-in</a> </li> <li class="header-nav__content-login"> <a href="https://proofpointcybersecurityacademy.adobelearningmanager.com" target="_blank">Proofpoint Cybersecurity Academy</a> </li> <li class="header-nav__content-login"> <a href="https://digitalrisk.proofpoint.com/" target="_blank">Digital Risk Portal</a> </li> <li class="header-nav__content-login"> <a href="https://emaildefense.proofpoint.com/login.php" target="_blank">Email Fraud Defense</a> </li> <li class="header-nav__content-login"> <a href="https://threatintel.proofpoint.com/" target="_blank">ET Intelligence</a> </li> <li class="header-nav__content-login"> <a href="https://us1.proofpointessentials.com/app/login.php" target="_blank">Proofpoint Essentials</a> </li> <li class="header-nav__content-login"> <a href="https://proofpointcommunities.force.com/community" target="_blank">Sendmail Support Log-in</a> </li> </ul> </div> </div> <div class="header-nav__menu-pane" data-content="x_lng"> <div class="header-nav__content"> <div class="header-nav__content-title"> Select Language </div> <ul class="header-nav__language-links"> <li class="header-nav__language-link"> <a href="/us">English (Americas)</a> </li> <li class="header-nav__language-link"> <a href="/uk">English (Europe, Middle East, Africa)</a> </li> <li class="header-nav__language-link"> <a href="/au">English (Asia-Pacific)</a> </li> <li class="header-nav__language-link"> <a href="/es">Español</a> </li> <li class="header-nav__language-link"> <a href="/de">Deutsch</a> </li> <li class="header-nav__language-link"> <a href="/fr">Français</a> </li> <li class="header-nav__language-link"> <a href="/it">Italiano</a> </li> <li class="header-nav__language-link"> <a href="/br">Português</a> </li> <li class="header-nav__language-link"> <a href="/jp">日本語</a> </li> <li class="header-nav__language-link"> <a href="/kr">한국어</a> </li> </ul> </div> </div> </div> </div> <div class="layout-container"> <div> <div data-drupal-messages-fallback class="hidden"></div> </div> <main class="container" role="main"> <a id="main-content" tabindex="-1"></a> <section class="row"> <div class="layout-content"> <div> <div id="block-particle-content"> <article about="/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass" class="node--type--blog-post node--view-mode--full node node-blog-full"> <div class="breadcrumbs"><div class="nav-crumbs"><div class="breadcrumb__item"><a href="/us/blog" class="breadcrum__item-link">Blog</a></div><div class="breadcrumb__item"><a href="/us/blog/email-and-cloud-threats" class="breadcrum__item-link">Email and Cloud Threats</a></div><div class="breadcrumb__item"> Unmasking Tycoon 2FA: A Stealthy Phishing Kit Used to Bypass Microsoft 365 and Google MFA  </div></div></div> <div class="blog-banner"> <div class="blog-banner__image"> <picture> <source srcset="/sites/default/files/styles/image_1920_750/public/blog-banners/pfpt-op-blog-banner-4.jpg.webp?itok=bkQ4OI-c 1x" media="screen and (min-width: 1440px)" type="image/webp" width="1920" height="750"/> <source srcset="/sites/default/files/styles/image_1024_400/public/blog-banners/pfpt-op-blog-banner-4.jpg.webp?itok=DedjuDYY 1x" media="screen and (min-width: 1024px)" type="image/webp" width="1024" height="400"/> <source srcset="/sites/default/files/styles/image_768_375/public/blog-banners/pfpt-op-blog-banner-4.jpg.webp?itok=R-uRSa8J 1x" media="screen and (min-width: 768px)" type="image/webp" width="768" height="375"/> <source srcset="/sites/default/files/styles/image_1920_750/public/blog-banners/pfpt-op-blog-banner-4.jpg.webp?itok=bkQ4OI-c 1x" media="screen and (min-width: 1440px)" type="image/webp" width="1920" height="750"/> <source srcset="/sites/default/files/styles/image_1024_400/public/blog-banners/pfpt-op-blog-banner-4.jpg.webp?itok=DedjuDYY 1x" media="screen and (min-width: 1024px)" type="image/webp" width="1024" height="400"/> <source srcset="/sites/default/files/styles/image_768_375/public/blog-banners/pfpt-op-blog-banner-4.jpg.webp?itok=R-uRSa8J 1x" media="screen and (min-width: 768px)" type="image/webp" width="768" height="375"/> <img loading="lazy" src="/sites/default/files/styles/image_768_300/public/blog-banners/pfpt-op-blog-banner-4.jpg.webp?itok=sGS1T_-A" width="768" height="300" alt="On Premises Security" typeof="foaf:Image" /> </picture> </div> <div class="blog-banner__gradient-overlay"></div> <div class="blog-banner__heading-wrap"> <h1 class="blog-banner__heading"> <span>Unmasking Tycoon 2FA: A Stealthy Phishing Kit Used to Bypass Microsoft 365 and Google MFA </span> </h1> </div> </div> <div class="blog-content"> <div class="blog-content__sharethis sharethis_toolbox sharethis_32x32_style"> <div class="blog-content__sharethis_label sharethis__label">Share with your network!</div> <div class="blog-content__sharethis_buttons sharethis_buttons"> <div class="sharethis-inline-share-buttons"></div> <span class="addthis_button_subscribe at300b UNCONVERTED" title=Subscribe> <span class="at-icon-wrapper block-subscribe-button__trigger block-subscribe-button__addthis"></span> </span> </div> </div> <div class="blog-content__metadata blog-content__metadata-author"> <span class="blog-content__date"> <time datetime="2024-05-09T13:00:11Z">May 09, 2024</time> </span> <span class="blog-content__author"> Laura Hamel , Garrett Guinivan, and Chris Dawson </span> </div> <div class="node-full__body blog-content__body"> <p paraeid="{2746f4e9-a0bb-4685-af22-69ba167f4c13}{154}" paraid="1212855573">Tycoon 2FA is a phishing-as-a-service (PhaaS) platform that was first seen in August 2023. Like many phish kits, it bypasses multifactor authentication (MFA) protections and poses a significant threat to users. Lately, Tycoon 2FA has been grabbing headlines because of its role in ongoing campaigns designed to target Microsoft 365 and Gmail accounts.&nbsp;&nbsp;</p> <p paraeid="{2746f4e9-a0bb-4685-af22-69ba167f4c13}{221}" paraid="1162135699">This blog post is a rundown of how these attacks work, how they’re evolving, what they look like in the real world—and how Proofpoint can help.&nbsp;</p> <h3 aria-level="3" paraeid="{2746f4e9-a0bb-4685-af22-69ba167f4c13}{227}" paraid="1699895305" role="heading">How it works&nbsp;</h3> <p aria-level="3" paraeid="{2746f4e9-a0bb-4685-af22-69ba167f4c13}{235}" paraid="567478444" role="heading">Tycoon 2FA operates as an <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="5a387409-64a9-407a-acab-eac0ffcada9b" href="/us/threat-reference/man-in-the-middle-attack-mitm" rel="noreferrer noopener" target="_blank" title="Adversary-in-the-Middle Attack">adversary-in-the-middle (AitM)</a> phishing kit. Its primary function is to harvest Microsoft 365 and Gmail session cookies. Attackers use these cookies to circumvent MFA access controls during subsequent authentication. That allows them to gain unauthorized access to a user’s accounts, systems and cloud services—even those that have additional security measures in place.&nbsp;</p> <h3 aria-level="3" paraeid="{d5518179-ef55-4ac0-b714-c06d2f267121}{35}" paraid="455187674" role="heading">What’s new&nbsp;</h3> <p paraeid="{d5518179-ef55-4ac0-b714-c06d2f267121}{43}" paraid="1018680372">In March 2024, the group behind Tycoon 2FA released an updated version of the kit. This new version boasts enhanced detection evasion capabilities that make it even harder for security systems to identify and block the kit.&nbsp;&nbsp;</p> <p paraeid="{d5518179-ef55-4ac0-b714-c06d2f267121}{57}" paraid="1551188513">Significant alterations to the kit’s JavaScript and HTML code have been implemented to increase its stealthiness and effectiveness. These changes include:&nbsp;</p> <ul> <li paraeid="{d5518179-ef55-4ac0-b714-c06d2f267121}{85}" paraid="649325203">Obfuscation techniques that scramble the code, making it difficult to understand&nbsp;</li> <li paraeid="{d5518179-ef55-4ac0-b714-c06d2f267121}{94}" paraid="2017504020">Dynamic code generation that alters the code each time it runs, thereby enabling it to evade signature-based detection systems&nbsp;</li> </ul> <h3 aria-level="3" paraeid="{d5518179-ef55-4ac0-b714-c06d2f267121}{117}" paraid="785849997" role="heading">Where to find it&nbsp;</h3> <p aria-level="3" paraeid="{d5518179-ef55-4ac0-b714-c06d2f267121}{125}" paraid="90513233" role="heading">The group behind Tycoon 2FA sells ready-to-use phishing pages for Microsoft 365 and Gmail via Telegram, a malicious cloud-based encrypted messaging service. Prices start at $120 for 10 days of access to the service, with variations based on top-level domains (TLDs). This business model broadens the potential pool of attackers because it allows less technically skilled bad actors to launch sophisticated <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="3d41a44d-bc21-401b-8912-4f84e4e683ce" href="/us/threat-reference/phishing" rel="noreferrer noopener" target="_blank" title="Phishing">phishing attacks</a>.&nbsp;</p> <h3 aria-level="3" paraeid="{d5518179-ef55-4ac0-b714-c06d2f267121}{167}" paraid="1489731050" role="heading">What an attack looks like&nbsp;</h3> <p paraeid="{d5518179-ef55-4ac0-b714-c06d2f267121}{175}" paraid="2049645824">Tycoon 2FA relies on attacker-controlled infrastructure to host the phishing webpage. Through the use of a “reverse proxy,” the platform allows the interception of victims’ entered credentials. The credentials are then relayed to the legitimate service for a transparent, successful login, prompting MFA requests. The resulting session cookies are relayed back to the <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="bbc64481-40a5-4e6d-8db9-f727f356b3a4" href="/us/threat-reference/threat-actor" rel="noreferrer noopener" target="_blank" title="Threat Actor">threat actors</a>.&nbsp;&nbsp;</p> <p paraeid="{3ef51854-9e30-44f5-bf58-a8aac9f72b31}{6}" paraid="1345234117">The stolen session credentials allow the attackers to bypass a company’s MFA protection if they remain active. This gives them unauthorized access to the user’s account.&nbsp;</p> <h3 aria-level="3" paraeid="{3ef51854-9e30-44f5-bf58-a8aac9f72b31}{16}" paraid="1723793800" role="heading">Real-world examples&nbsp;</h3> <p paraeid="{3ef51854-9e30-44f5-bf58-a8aac9f72b31}{24}" paraid="229968089">Since December 2023, Proofpoint has observed phishing landing pages that use Tycoon 2FA to facilitate <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="b8d75393-714c-4d80-9662-80f4c02efedc" href="/us/threat-reference/multifactor-authentication" rel="noreferrer noopener" target="_blank" title="Multifactor Authentication">MFA</a> token theft and bypass.&nbsp;</p> <p paraeid="{3ef51854-9e30-44f5-bf58-a8aac9f72b31}{55}" paraid="988714990"><img alt="TAP Dashboard Campaign Snapshot from December campaigns" data-entity-type="file" data-entity-uuid="990fce04-3ce6-4e27-8108-02cda69a70b1" height="471" src="/sites/default/files/inline-images/Screenshot%202024-05-08%20at%202.48.54%20PM.png" width="1291" loading="lazy"></p> <p paraeid="{3ef51854-9e30-44f5-bf58-a8aac9f72b31}{62}" paraid="541729546"><em>Proofpoint TAP Dashboard campaign snapshot from December campaigns.&nbsp;</em></p> <p paraeid="{3ef51854-9e30-44f5-bf58-a8aac9f72b31}{80}" paraid="1473699676"><img alt="Forensics Snapshot showcasing our ET Rules which detect the Tycoon Landing Pages " data-entity-type="file" data-entity-uuid="a309cb64-67c9-4bad-8a79-a2d24e5e1584" height="751" src="/sites/default/files/inline-images/Screenshot%202024-05-08%20at%202.50.01%20PM.png" width="1221" loading="lazy"></p> <p paraeid="{3ef51854-9e30-44f5-bf58-a8aac9f72b31}{91}" paraid="642896548"><em>A forensics snapshot that showcases our Emerging Threats rules, which detect the Tycoon 2FA landing pages.&nbsp;&nbsp;</em></p> <p><img alt="QR code lure tycoon threat" data-entity-type="file" data-entity-uuid="01dccda0-53ae-423c-b790-57c05bb95b4b" height="387" src="/sites/default/files/inline-images/Screenshot%202024-05-08%20at%202.50.58%20PM.png" width="914" loading="lazy"></p> <p><img alt="Voicemail lure tycoon threat" data-entity-type="file" data-entity-uuid="9e89633e-0179-45fc-adf4-0d04ef7f9909" height="259" src="/sites/default/files/inline-images/Screenshot%202024-05-08%20at%202.51.15%20PM.png" width="1162" loading="lazy"></p> <p paraeid="{3ef51854-9e30-44f5-bf58-a8aac9f72b31}{153}" paraid="1605195037"><em>QR code and voicemail lure examples for the Tycoon 2FA threats that were seen in late 2023.&nbsp;</em></p> <p paraeid="{3ef51854-9e30-44f5-bf58-a8aac9f72b31}{185}" paraid="914505067"><img alt="Figure 5" data-entity-type="file" data-entity-uuid="46e98df3-9a33-4c79-a2d0-a89baefe75ef" height="423" src="/sites/default/files/inline-images/Screenshot%202024-05-08%20at%202.52.39%20PM.png" width="924" loading="lazy"></p> <p paraeid="{3ef51854-9e30-44f5-bf58-a8aac9f72b31}{199}" paraid="1410989284"><em>In the next steps of the attack chain, the user is directed to a CAPTCHA landing page and then to a final landing page that the attackers use to harvest credentials.&nbsp;</em></p> <p paraeid="{3ef51854-9e30-44f5-bf58-a8aac9f72b31}{233}" paraid="946076269"><img alt="Figure 6" data-entity-type="file" data-entity-uuid="515c64d5-bb4a-4e9a-8da4-8225803924e7" height="636" src="/sites/default/files/inline-images/Screenshot%202024-05-08%20at%202.53.47%20PM.png" width="1061" loading="lazy"></p> <p paraeid="{3ef51854-9e30-44f5-bf58-a8aac9f72b31}{243}" paraid="102487241"><em>Proofpoint PTIS portal Threat Tippers around Tycoon 2FA phish threats that were curated for security awareness and training teams and end users.&nbsp;</em></p> <p paraeid="{044e415c-4d4f-4c5e-904b-b84bfe158ffe}{16}" paraid="2056541320"><img alt="PSAT Portal Snapshot showcasing Threat Alerts around Tycoon Phish Threats (Bonus-Themed and Wordpress Lures)" data-entity-type="file" data-entity-uuid="3437ea68-a177-4a60-8160-22b8ec8767a7" height="508" src="/sites/default/files/inline-images/Screenshot%202024-05-08%20at%202.54.44%20PM.png" width="1141" loading="lazy"></p> <p paraeid="{044e415c-4d4f-4c5e-904b-b84bfe158ffe}{23}" paraid="1646188548"><em>A PSAT portal snapshot that showcases Threat Alerts around Tycoon 2FA phish threats (bonus-themed and WordPress lures).&nbsp;</em></p> <p paraeid="{044e415c-4d4f-4c5e-904b-b84bfe158ffe}{77}" paraid="309830878">The lures the attackers use include the following.&nbsp;</p> <ul> <li paraeid="{044e415c-4d4f-4c5e-904b-b84bfe158ffe}{91}" paraid="1877911928">Malicious links in emails to fake authentication landing pages&nbsp;</li> <li paraeid="{044e415c-4d4f-4c5e-904b-b84bfe158ffe}{102}" paraid="986553453">Voicemail-themed threats&nbsp;</li> <li paraeid="{044e415c-4d4f-4c5e-904b-b84bfe158ffe}{111}" paraid="642531131">Attached PDFs with QR codes that lead to phishing landing pages&nbsp;</li> </ul> <p paraeid="{044e415c-4d4f-4c5e-904b-b84bfe158ffe}{124}" paraid="2050082875">These lures are designed to trick users into providing their login credentials and sensitive information.&nbsp;</p> <p paraeid="{044e415c-4d4f-4c5e-904b-b84bfe158ffe}{140}" paraid="1243407766">In the threats Proofpoint has seen, lure themes have frequently been related to company bonuses, payroll increases and bogus WordPress updates. However, it is important to note that since this is PhaaS, multiple actors likely use the platform. And that means the lures and landing pages likely extend far beyond what we have observed so far.&nbsp;</p> <h3 aria-level="3" paraeid="{044e415c-4d4f-4c5e-904b-b84bfe158ffe}{188}" paraid="246289517" role="heading">How Proofpoint detects threats like Tycoon 2FA&nbsp;</h3> <p paraeid="{044e415c-4d4f-4c5e-904b-b84bfe158ffe}{202}" paraid="676246054">Tycoon 2FA has received considerable attention recently. But Proofpoint has been detecting and blocking activity associated with a range of reverse proxy services for some time. That includes Evilginx and <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="200e7331-d5f2-4337-9972-8354ca5bf5b5" href="/us/blog/email-and-cloud-threats/defending-against-evilproxy-phishing-toolkit" rel="noreferrer noopener" target="_blank" title="Cybersecurity Stop of the Month: Defending Against the EvilProxy Phishing Toolkit and Cloud Account Takeover">EvilProxy</a>.&nbsp;&nbsp;</p> <p paraeid="{044e415c-4d4f-4c5e-904b-b84bfe158ffe}{235}" paraid="1547749303">Many bad actors continue to use simpler phish kits that are not designed to <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="b53e4e73-b8ab-4c50-8cd1-d9fe08b728ad" href="/us/blog/cloud-security/technical-deep-dive-vulnerabilities-bypass-multi-factor-authentication-microsoft" rel="noreferrer noopener" target="_blank" title="Technical Deep Dive: MFA Bypass Attacks &amp; How to Protect Yourself">bypass MFA</a>. But the use of kits that can steal session tokens is on the rise among phishing actors and initial access brokers (IAB). That trend is creating an urgent need for defenders to amplify detection, remediation and human risk management in this space.&nbsp;</p> <p paraeid="{e796df35-bbcd-4d82-a731-08e649c2a1ac}{27}" paraid="1682572787">Proofpoint has a unique combination of behavioral artificial intelligence (AI), analytics and deep threat intelligence, and a security awareness solution that enables a defense-in-depth approach against malicious tools like Tycoon 2FA.&nbsp;</p> <ul> <li paraeid="{e796df35-bbcd-4d82-a731-08e649c2a1ac}{65}" paraid="15018990"><strong>Pre-delivery AI-powered detection.</strong> <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="d21b6ec1-2dc1-434a-a499-0bb8723d1261" href="/us/threat-reference/artificial-intelligence" rel="noreferrer noopener" target="_blank" title="Artificial Intelligence">AI</a>- and <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="96a94b2f-37ac-4d10-8a21-1213df6c8138" href="/us/threat-reference/machine-learning" rel="noreferrer noopener" target="_blank" title="Machine Learning">machine learning</a>-driven behavioral analytics and URL sandbox identify and block Tycoon 2FA landing pages and phishing activity.&nbsp;</li> <li paraeid="{e796df35-bbcd-4d82-a731-08e649c2a1ac}{100}" paraid="1241560056"><strong>Global threat intelligence visibility.</strong> Proofpoint Threat Intelligence provides businesses with insights into threat intelligence infrastructure to identify known and emerging threats that are blocked at the edge.&nbsp;</li> </ul> <h3 paraeid="{e796df35-bbcd-4d82-a731-08e649c2a1ac}{153}" paraid="1520414708">Empower user behavior change&nbsp;</h3> <p paraeid="{e796df35-bbcd-4d82-a731-08e649c2a1ac}{171}" paraid="504024282">Our security awareness uses real-world examples, like MFA bypass technologies, drawn from Proofpoint Threat Intelligence. This approach equips end users with the knowledge they need to recognize and respond appropriately to potential threats.&nbsp;&nbsp;</p> <p paraeid="{e796df35-bbcd-4d82-a731-08e649c2a1ac}{213}" paraid="1290506802">If you are concerned about the threat Tycoon 2FA and similar phishing kits pose to your business and users, you can reach out to Proofpoint to get further details and threat-hunting tips from our threat researchers. To learn more about how we can help you defend against these and other phishing threats, check out our <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="abc81c1f-1a1f-447e-87b7-43bf6a8e0b1b" href="/us/products/mitigate-human-risk" rel="noreferrer noopener" target="_blank" title="Mitigate Human Risk">security awareness training solutions</a> or <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="6bc75608-952f-4867-8cc7-9d004280fdee" href="/us/contact" rel="noreferrer noopener" target="_blank" title="Contact Us">contact us</a>.&nbsp;</p> </div> </div> <div class="blog__content-pager"> <div class="content-pager"> <div class="content-pager__items-wrapper"> <div class="content-pager__items"> <div class="content-pager__item content-pager__item--prev"> <a href="/us/blog/email-and-cloud-threats/spoofed-email-greater-impersonation-risk" hreflang="en">Previous Blog Post</a> </div> <div class="content-pager__item content-pager__item--next"> <a href="/us/blog/email-and-cloud-threats/impersonation-attacks-target-supply-chain" hreflang="en">Next Blog Post</a> </div> </div> </div> </div> </div> <div class="subscribe-block blog-subscribe" data-animate="true"> <div class="subscribe-block__inner blog-subscribe__inner"> <div class="subscribe-block__copy"> <h3 class="subscribe-block__heading"> Subscribe to the Proofpoint Blog </h3> </div> <div class="subscribe-block__form"> <div class="mk-form"> <div class="mk-form__form-container"> <script type="IN/Form2" data-data-form="mktoForm_19277" data-field-firstname="FirstName" data-field-lastname="LastName" data-field-email="Email" data-field-company="Company" data-field-title="Title" data-field-state="State" data-field-country="Country" ></script> <form id="mktoForm_19277" data-mkto-id="19277" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label="" data-lang-code="us" data-validate-email="1" class="mk-form__form marketo-form-block__form" ></form> </div> </div> </div> </div> </div> </article> </div> </div> </div> </section> </main> </div> <div class="footer-v3" data-animate="true"> <div class="footer-v3__inner"> <nav class="footer-v3__nav"> <div class="footer-v3__nav-wrapper"> <div class="footer-v3__nav-heading">Products</div> <ul class="footer-v3__nav-collapsible"> <li><a href="/us/products/protect-people">Protect People</a></li> <li><a href="/us/products/defend-data">Defend Data</a></li> <li><a href="/us/products/mitigate-human-risk">Mitigate Human Risk</a></li> <li><a href="/us/products/premium-services">Premium Services</a></li> </ul> </div> <div class="footer-v3__nav-wrapper"> <div class="footer-v3__nav-heading">Get Support</div> <ul class="footer-v3__nav-collapsible"> <li><a href="https://proofpoint.my.site.com/community/s/" target="_blank">Product Support Login</a></li> <li><a href="/us/support-services">Support Services</a></li> <li><a href="https://ipcheck.proofpoint.com" target="_blank">IP Address Blocked?</a></li> </ul> </div> <div class="footer-v3__nav-wrapper"> <div class="footer-v3__nav-heading">Connect with Us</div> <ul class="footer-v3__nav-collapsible"> <li><a href="tel:+1-408-517-4710" class="icon-phone-ppoint">+1-408-517-4710</a></li> <li><a href="/us/events">Attend an Event</a></li> <li><a href="/us/contact">Contact Us</a></li> <li><a href="/us/free-demo-request">Free Demo Request</a></li> </ul> </div> <div class="footer-v3__nav-wrapper"> <div class="footer-v3__nav-heading">More</div> <ul class="footer-v3__nav-collapsible"> <li><a href="/us/company/about">About Proofpoint</a></li> <li><a href="/us/why-proofpoint">Why Proofpoint</a></li> <li><a href="/us/company/careers">Careers</a></li> <li><a href="/us/leadership-team">Leadership Team</a></li> <li><a href="/us/newsroom">News Center</a></li> <li><a href="/us/legal/trust">Privacy and Trust</a></li> </ul> </div> </nav> <div class="footer-v3__bottom-wrap"> <section class="footer-v3__bottom"> <div class="footer-v3__logo"> <a href="/us" class="footer-v3__logo-link"> <div class="footer-v3__logo-image"></div> </a> <div class="footer-v3__bottom-copyright-info">&copy; 2024. All rights reserved. </div> </div> <div class="footer-v3__bottom-copyright"> <a class="footer-v3__bottom-copyright-info" href="/us/legal/license">Terms and conditions</a> <a class="footer-v3__bottom-copyright-info" href="/us/legal/privacy-policy">Privacy Policy</a> <a class="footer-v3__bottom-copyright-info" href="/us/sitemap">Sitemap</a> </div> <ul class="footer-v3__bottom-social-menu"> <li> <a href="http://www.facebook.com/proofpoint" class="icon-facebook" target="_blank"></a> </li> <li> <a href="http://www.twitter.com/proofpoint" class="icon-twitter" target="_blank"></a> </li> <li> <a href="https://www.linkedin.com/company/proofpoint" class="icon-linkedin" target="_blank"></a> </li> <li> <a href="https://www.youtube.com/channel/UCIvtJgsrUzFo90NKeiVozhQ" class="icon-youtube-play" target="_blank"></a> </li> <li> <a href="https://www.instagram.com/proofpoint" class="icon-instagram" target="_blank"></a> </li> </ul> </section> </div> </div> </div> </div> <script type="text/javascript">document.write(unescape("%3Cscript src='//munchkin.marketo.net/munchkin.js' type='text/javascript'%3E%3C/script%3E")); </script> <script>Munchkin.init('309-RHV-619');</script><div class="element-invisible" style="clear:both;"><!-- Google Code for Remarketing Tag --> <!-------------------------------------------------- Remarketing tags may not be associated with personally identifiable information or placed on pages related to sensitive categories. See more information and instructions on how to setup the tag on: http://google.com/ads/remarketingsetup ---------------------------------------------------> <script type="text/javascript"> /* <![CDATA[ */ var google_conversion_id = 950296937; var google_custom_params = window.google_tag_params; var google_remarketing_only = true; /* ]]> */ </script> <script type="text/javascript" src="//www.googleadservices.com/pagead/conversion.js"> </script> <noscript> <div style="display:inline;"> <img height="1" width="1" style="border-style:none;" alt="" src="//googleads.g.doubleclick.net/pagead/viewthroughconversion/950296937/?value=0&amp;guid=ON&amp;script=0"/> </div> </noscript></div> </div> <div id="flyout-container"></div> <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","pathPrefix":"us\/","currentPath":"node\/135546","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"en"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"ajaxPageState":{"libraries":"eJxVj0GOBCEIRS9Uxkxm07eZgE2rKQWD2EnffqxadFkbEh7w_6eBWg6FPBYJu-sDe9CM5HCYCW9tmcd7dy0vXAmeQUfFfsEgbMTmGkTSFety-RIxUvf-vVAsglAcFarzfBGMIrGQe8mNpmk9FRjed5Z5Cb48eDy8tfaXfx7sC3AcM597klEw0WNSQXcy8XVwSHvmg3UCDckPy6WffQKdske1lE9kaQb2BsiAeLp_mUhB0K1_ulH1CJ3-Ae6OlH4","theme":"particle","theme_token":null},"ajaxTrustedUrl":[],"vwo":{"id":767242,"timeout_library":2500,"timeout_setting":2000,"usejquery":"false","testnull":null},"pp_i18n":{"language":"us"},"instantsearch":{"indexName":"content","path":"us\/search"},"user":{"uid":0,"permissionsHash":"26dd96d39e445e838e5f0382a0a4240ea0629de7ad59c3778594246405e2ccf5"}}</script> <script src="/sites/default/files/js/js_bCeVjCOT9dqrw3uyA4tEcspKLMqc2aT3b8QrYsXP3eI.js?scope=footer&amp;delta=0&amp;language=en&amp;theme=particle&amp;include=eJxdkMFuAyEMRH9oEap66d9ENnEALdjImEj9-7K5wPZiycNoxo_WHvnrh30BjgMiuScZBRM9WntU0JNMfB0c0pn50jqBhuSH5dKv3RJV8iZSEPTov92oeoRORwO1HAr5IEqbFZABMXNcjigSC7mXsPWlvkSM1L2_P70JlPxnWsqbC4vEvYuN2FybLHozhdP1gT1oRnI4zITXeyJ43i5CnUrQUfFf1QpZ-pZ79dxjJwHDe2MtglAclfkZE_cP6VGUfg"></script> <script src="https://geoip-js.com/js/apis/geoip2/v2.1/geoip2.js"></script> <script src="/sites/default/files/js/js_DA7GHFg6Iz1O22c58zPl-nNTEwx5y7RuyKjesK1mXJI.js?scope=footer&amp;delta=2&amp;language=en&amp;theme=particle&amp;include=eJxdkMFuAyEMRH9oEap66d9ENnEALdjImEj9-7K5wPZiycNoxo_WHvnrh30BjgMiuScZBRM9WntU0JNMfB0c0pn50jqBhuSH5dKv3RJV8iZSEPTov92oeoRORwO1HAr5IEqbFZABMXNcjigSC7mXsPWlvkSM1L2_P70JlPxnWsqbC4vEvYuN2FybLHozhdP1gT1oRnI4zITXeyJ43i5CnUrQUfFf1QpZ-pZ79dxjJwHDe2MtglAclfkZE_cP6VGUfg"></script> <script src="//munchkin.marketo.net/munchkin.js"></script> <script src="/sites/default/files/js/js_Q_hAq3KoriT4uxdUnA3XDouviRgbwswFyj5MCBnzVHU.js?scope=footer&amp;delta=4&amp;language=en&amp;theme=particle&amp;include=eJxdkMFuAyEMRH9oEap66d9ENnEALdjImEj9-7K5wPZiycNoxo_WHvnrh30BjgMiuScZBRM9WntU0JNMfB0c0pn50jqBhuSH5dKv3RJV8iZSEPTov92oeoRORwO1HAr5IEqbFZABMXNcjigSC7mXsPWlvkSM1L2_P70JlPxnWsqbC4vEvYuN2FybLHozhdP1gT1oRnI4zITXeyJ43i5CnUrQUfFf1QpZ-pZ79dxjJwHDe2MtglAclfkZE_cP6VGUfg"></script> <script src="/themes/custom/proofpoint/apps/drupal/../../dist/app-drupal/assets/js/app.js?q=-iReOHcPPvM&amp;v=1"></script> <script src="/sites/default/files/js/js_2LYNA9Zu5KE51oXU7U2qX9zbS5cCqO7wzxelxAEWhjk.js?scope=footer&amp;delta=6&amp;language=en&amp;theme=particle&amp;include=eJxdkMFuAyEMRH9oEap66d9ENnEALdjImEj9-7K5wPZiycNoxo_WHvnrh30BjgMiuScZBRM9WntU0JNMfB0c0pn50jqBhuSH5dKv3RJV8iZSEPTov92oeoRORwO1HAr5IEqbFZABMXNcjigSC7mXsPWlvkSM1L2_P70JlPxnWsqbC4vEvYuN2FybLHozhdP1gT1oRnI4zITXeyJ43i5CnUrQUfFf1QpZ-pZ79dxjJwHDe2MtglAclfkZE_cP6VGUfg"></script> <script src="//app-abj.marketo.com/js/forms2/js/forms2.min.js"></script> </body> </html>