Tycoon 2FA Phishing Kit Analysis
ID: da229847-3e7e-5f11-9656-c864ece3c657
STIX ID: report--da229847-3e7e-5f11-9656-c864ece3c657
Feed Name: Cybereason Blog
This report analyzes the Tycoon 2FA phishing kit, a sophisticated adversary-in-the-middle (AiTM) Phishing-as-a-Service offering active since August 2023 that bypasses MFA to steal Microsoft 365 and Gmail credentials and session tokens via reverse-proxied fake login pages. It details the kit's wide range of distribution channels (PDFs, SVGs, PPTs, emails, cloud hosting), its multi-stage obfuscated JavaScript (base64, LZ-string, CryptoJS/AES, XOR), its debugger and bot checks, and its C2 endpoints, and it lists recommended mitigations such as user training, stronger MFA, and anti-phishing solutions.
