ANY.RUN Exposes Tycoon 2FA’s Evolving Evasion Tactics to Beat Defenses in Corporate Phishing Attacks

DUBAI, DUBAI, UNITED ARAB EMIRATES, May 14, 2025 /EINPresswire.com/ -- ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, has released a detailed report on the evolution of Tycoon2FA, a phishing-as-a-service (PhaaS) kit targeting credentials of corporate clients of Microsoft 365.

𝐓𝐲𝐜𝐨𝐨𝐧𝟐𝐅𝐀: 𝐀𝐝𝐯𝐚𝐧𝐜𝐞𝐝 𝐚𝐧𝐝 𝐄𝐯𝐨𝐥𝐯𝐢𝐧𝐠 𝐄𝐯𝐚𝐬𝐢𝐨𝐧 𝐓𝐚𝐜𝐭𝐢𝐜𝐬

ANY.RUN’s research shows that Tycoon2FA has undergone significant updates over the past 6 months, incorporating a growing arsenal of evasion mechanisms. The newly introduced tactics help the threat evade endpoint protection, automated analysis, and corporate defenses. Key techniques include:

· 𝗖𝘂𝘀𝘁𝗼𝗺 𝗖𝗔𝗣𝗧𝗖𝗛𝗔 𝗜𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻: Transitioning from Cloudflare Turnstile to custom HTML5 canvas-based CAPTCHAs with randomized elements, enhancing stealth and blocking automated detection.

· 𝗖𝗼𝗺𝗽𝗹𝗲𝘅 𝗝𝗮𝘃𝗮𝗦𝗰𝗿𝗶𝗽𝘁 𝗢𝗯𝗳𝘂𝘀𝗰𝗮𝘁𝗶𝗼𝗻: Employs invisible Unicode characters (e.g., Hangul Filler) and encryption-based obfuscation, leveraging JavaScript Proxy objects to delay execution and evade static analysis.

· 𝗔𝗱𝘃𝗮𝗻𝗰𝗲𝗱 𝗔𝗻𝘁𝗶-𝗗𝗲𝗯𝘂𝗴𝗴𝗶𝗻𝗴 𝗮𝗻𝗱 𝗕𝗿𝗼𝘄𝘀𝗲𝗿 𝗙𝗶𝗻𝗴𝗲𝗿𝗽𝗿𝗶𝗻𝘁𝗶𝗻𝗴: Detects debugging environments (e.g., Selenium), manipulates clipboard content, and uses browser fingerprinting to tailor attacks.

· 𝗟𝗲𝗴𝗶𝘁𝗶𝗺𝗮𝘁𝗲 𝗥𝗲𝘀𝗼𝘂𝗿𝗰𝗲 𝗔𝗯𝘂𝘀𝗲 𝗮𝗻𝗱 𝗥𝗲𝗱𝗶𝗿𝗲𝗰𝘁𝗶𝗼𝗻 𝗖𝗵𝗮𝗶𝗻𝘀: Utilizes legitimate CDNs for corporate logos and extended redirect chains to mask malicious infrastructure.

From basic obfuscation observed in October 2024 to recent additions like encryption-based obfuscation and custom fake page redirects noted in April and May 2025, Tycoon2FA’s continuous evolution underscores its ability to adapt and challenge even the most robust corporate defenses.

Read the full analysis on ANY.RUN’s Cybersecurity Blog.

𝐇𝐨𝐰 𝐀𝐍𝐘.𝐑𝐔𝐍 𝐇𝐞𝐥𝐩𝐬 𝐁𝐮𝐬𝐢𝐧𝐞𝐬𝐬𝐞𝐬 𝐂𝐨𝐮𝐧𝐭𝐞𝐫 𝐓𝐲𝐜𝐨𝐨𝐧𝟐𝐅𝐀 𝐀𝐭𝐭𝐚𝐜𝐤𝐬

ANY.RUN’s Interactive Sandbox equips SOC and DFIR teams with real-time analysis to detect and analyze Tycoon2FA campaigns. Businesses can extract Indicators of Compromise (IOCs), monitor phishing behaviors, and map attack tactics using the MITRE ATT&CK framework.

𝐀𝐛𝐨𝐮𝐭 𝐀𝐍𝐘.𝐑𝐔𝐍

ANY.RUN is a trusted partner for over 15,000 organizations in finance, healthcare, retail, technology, and beyond, delivering advanced malware analysis and threat intelligence products. Its cloud-based Interactive Sandbox, Threat Intelligence Lookup, and TI Feeds enable businesses to analyze, investigate, and detect the latest malware and phishing campaigns to streamline triage, response, and proactive security.

The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050
email us here
Visit us on social media:
LinkedIn

Twitter