Christmas Tycoon
ID: 1f3fd44d-484c-5c7c-a3bf-05dd3ff9e417
STIX ID: report--1f3fd44d-484c-5c7c-a3bf-05dd3ff9e417
Feed Name: IntelInsights (Substack)
Starting from a Cisco Secure Email–wrapped phishing URL that redirected to a Tycoon phishing kit credential-harvesting site, the report fingerprints the kit’s infrastructure (AI chatbot fallback, banner hashes, recurring HTML titles) to pivot across providers and TLDs, clustering campaigns and uncovering ~1,900 unique, recently active domains. It highlights automated, template-based landing pages (e.g., “Finquick,” “Desio Copilot,” “VoltGrid,” “Flowguide,” “TimberCraft”), redirection overlap, possible DGA usage, and open directories—indicating a high-volume, scalable phishing operation relying on cloud/CDN hosting and infrastructure reuse.
