AiTM Phishing Kits Defeat MFA by Stealing Credentials and Authentication Tokens

Security analysts at Darktrace’s Security Operations Center (SOC) have identified a sophisticated phishing campaign utilizing Adversary-in-the-Middle (AiTM) tactics to compromise Software-as-a-Service (SaaS) accounts, bypassing even multi-factor authentication (MFA) defenses.

By exploiting legitimate collaboration platforms and advanced phishing kits such as Tycoon 2FA, attackers have demonstrated their ability to circumvent commonly accepted security controls and gain unauthorized access to sensitive enterprise environments.

Abuse of Trusted Services for Stealth Phishing

The campaign, initially flagged through anomalous activity on customer environments, leverages the project management tool Milanote as an initial attack vector.

Threat actors have weaponized Milanote’s legitimate email infrastructure to distribute phishing emails that closely mimic genuine business communications.

These emails, crafted with references to internal users and containing benign links alongside malicious payloads, are able to bypass traditional email security filters and lure recipients into credential harvesting traps.

The emails are sent from addresses like support@milanote.com but ultimately originate from attacker-controlled freemail accounts, further blurring the lines between legitimate and malicious correspondence.

Once a target interacts with the phishing link, they are redirected through layers of evasion, including Cloudflare Turnstile challenges designed to thwart automated scanning, ultimately landing on a convincingly crafted fake login page.

Here, user credentials and, crucially, session cookies and MFA tokens are intercepted in real time by AiTM kits like Tycoon 2FA or Mamba 2FA.

This method allows attackers to replay sessions on their own systems, fully bypassing the protection offered by MFA and enabling seamless account takeover regardless of password resets.

Real-World Impact: SaaS Account Compromise

Darktrace documented an incident in which nineteen internal users at a target organization received Milanote-themed phishing emails referencing a supposed “new agreement.”

Despite advanced user awareness training and security controls, one recipient engaged with the payload, resulting in their SaaS account being compromised within minutes.

Security systems recorded a rare, simultaneous login from the United States while the legitimate user operated from Germany, triggering both Darktrace and Microsoft 365’s conditional access policies.

Nonetheless, attackers, having captured valid authentication tokens, succeeded in passing MFA challenges and established persistent inbox control by creating email rules to delete correspondence related to Milanote, effectively hiding their tracks and preparing for further phishing activity.
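The two signals described in this incident, a near-simultaneous sign-in for one user from two different countries, followed by a new inbox rule that deletes mail mentioning the lure, can both be expressed as simple detection logic. The following Python is an added example written for this article, not Darktrace's or Microsoft's code; the event lines, field names (`type`, `country`, `conditions`, `actions`) and keyword list are constructed assumptions rather than any real product's schema.

```python
"""Detection logic for two signals from an AiTM account-takeover:
1. the same user signing in from two countries within a short window
   (both sign-ins pass MFA, which is exactly what token replay looks like);
2. a newly created inbox rule that deletes mail matching a lure keyword.
All events below are constructed samples with a hypothetical schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); timestamps are UTC ISO 8601.
SAMPLE_EVENTS = [
    '{"type": "signin", "user": "alice@example.test", "ts": "2025-05-01T09:00:12Z", '
    '"country": "DE", "ip": "203.0.113.10", "mfa": "satisfied"}',
    '{"type": "signin", "user": "alice@example.test", "ts": "2025-05-01T09:03:40Z", '
    '"country": "US", "ip": "198.51.100.7", "mfa": "satisfied"}',
    '{"type": "signin", "user": "bob@example.test", "ts": "2025-05-01T09:05:00Z", '
    '"country": "DE", "ip": "203.0.113.11", "mfa": "satisfied"}',
    '{"type": "inbox_rule", "user": "alice@example.test", "ts": "2025-05-01T09:06:10Z", '
    '"rule_name": "x", "conditions": {"subject_contains": ["Milanote"]}, "actions": ["delete"]}',
    '{"type": "inbox_rule", "user": "bob@example.test", "ts": "2025-05-01T09:07:00Z", '
    '"rule_name": "Newsletters", "conditions": {"from_contains": ["news"]}, '
    '"actions": ["move_to_folder"]}',
]

WINDOW = timedelta(minutes=15)                       # hypothetical tuning value
SUSPICIOUS_KEYWORDS = ("milanote", "invoice", "agreement")  # lure themes from the article
HIDING_ACTIONS = {"delete", "move_to_deleted_items"}  # actions that hide mail from the user


def parse_events(lines):
    """Parse one JSON event per line and convert the timestamp to datetime."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_concurrent_country_logins(events, window=WINDOW):
    """Return (user, country_a, country_b, seconds_apart) for every pair of
    sign-ins by the same user from different countries within `window`.
    MFA status is deliberately not used to suppress the alert."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["type"] == "signin":
            by_user[ev["user"]].append(ev)
    hits = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logins):
            for later in logins[i + 1:]:
                gap = later["ts"] - first["ts"]
                if gap > window:
                    break                      # sorted, so no later match is possible
                if first["country"] != later["country"]:
                    hits.append((user, first["country"], later["country"],
                                 int(gap.total_seconds())))
    return hits


def find_suspicious_inbox_rules(events, keywords=SUSPICIOUS_KEYWORDS):
    """Return (user, rule_name, keyword) for new inbox rules whose action hides
    mail and whose conditions mention a lure keyword."""
    hits = []
    for ev in events:
        if ev["type"] != "inbox_rule" or not HIDING_ACTIONS.intersection(ev["actions"]):
            continue
        terms = [t.lower() for values in ev["conditions"].values() for t in values]
        for kw in keywords:
            if any(kw in term for term in terms):
                hits.append((ev["user"], ev["rule_name"], kw))
                break
    return hits


def run_detections(lines=SAMPLE_EVENTS):
    """Run both detections and list users that trip both, the strongest signal
    of a completed takeover rather than a lone travelling employee."""
    events = parse_events(lines)
    logins = find_concurrent_country_logins(events)
    rules = find_suspicious_inbox_rules(events)
    both = sorted({h[0] for h in logins} & {h[0] for h in rules})
    return {"concurrent_logins": logins, "suspicious_rules": rules, "users_with_both": both}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

The correlation in `run_detections` is the part worth keeping in a real pipeline: either signal on its own produces noise (travel, cleanup rules), but a country change followed within minutes by a rule that deletes mail about the lure is the sequence the article describes, and it is the trigger on which to revoke the user's sessions rather than only reset the password.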

Subsequent malicious activity included the unauthorized access and modification of email threads related to invoicing, a typical precursor to financial fraud or business email compromise (BEC) schemes.

These actions were performed from IP addresses associated with proxy and VPN services, further obfuscating the attackers’ identities.

The investigation revealed that this campaign was part of a broader, ongoing operation exploiting Milanote and AiTM phishing kits globally, with variants in multiple languages and increasingly sophisticated obfuscation techniques, such as disabling right-click functionality and preventing content copying on phishing sites.

The Tycoon 2FA phishing kit, distributed widely via Phishing-as-a-Service (PhaaS) models since mid-2023, exemplifies the rapidly advancing capabilities of today’s adversaries.

Despite successfully containing this particular incident, Darktrace emphasized the critical need for integrated, anomaly-based threat detection and automated response to contain such attacks within seconds.

The swift disabling of compromised accounts and the thorough investigation by SOC teams enabled the affected organizations to reset credentials, terminate malicious sessions, and recover from the breach.

The Darktrace findings underscore the reality that robust security technologies, including MFA, are no longer foolproof against determined attackers wielding AiTM phishing kits.

The abuse of reputable SaaS platforms as delivery mechanisms for such attacks makes the challenge even more acute.

A combination of advanced behavioral analytics and continuous user education is vital to staying ahead of adversaries who are rapidly evolving their tactics to defeat established security controls.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.