A new wave of phishing campaigns linked to the Tycoon2FA group is actively targeting Microsoft 365 users, as uncovered by security researchers from SpiderLabs and Trustwave.
The sophisticated operation capitalizes on a peculiar misuse of malformed URLs containing a backslash character (e.g., https:\\) a subtlety that enables the threat actors to evade traditional email security filters and URL-based detection mechanisms.
Despite the non-standard format, most modern web browsers are still able to resolve and redirect users to the intended malicious pages, thus increasing the likelihood of successful credential harvesting attacks.
Sophisticated Tactics to Circumvent Detection
The Tycoon2FA operation, associated with the phishing-as-a-service (PhaaS) kit known as “Tycoon,” exploits the way browsers interpret malformed URLs, specifically those using a backslash instead of a forward slash after the protocol identifier.
This technique is particularly dangerous since many security layers either fail to parse or outright ignore URLs that deviate from standard RFC specifications.
Email gateways and filters may subsequently allow phishing messages carrying these URLs to pass through, increasing their reach and potential impact.
The campaigns utilize a variety of compromised and abused infrastructure, including Azure Front Door, Cloudflare Workers, and alternative domains crafted to impersonate legitimate Microsoft or Google services.
Victims who click on these links are redirected to highly convincing phishing sites designed to mimic Microsoft 365 login portals.
Once users input their credentials, attackers harvest this sensitive information, which can be used for further corporate espionage, lateral movement, or secondary ransomware attacks.
The Rising Threat of PhaaS and 2FA Phishing Kits
This campaign highlights the evolving sophistication of PhaaS operators such as Tycoon2FA, which not only provide ready-to-use phishing kits but also regularly update their capabilities to include anti-detection mechanisms and two-factor authentication (2FA) bypass modules.
These kits are often licensed or sold to other cybercriminal groups, amplifying their reach and impact.
The involvement of infrastructure like Azure and Cloudflare indicates that attackers are also leveraging reputable cloud-based services to mask their activities and avoid blacklisting.
According to the Report, Organizations are strongly urged to enhance their monitoring capabilities for unusual URL patterns in inbound emails and to educate end-users about the dangers of clicking suspicious or malformed links, even if they appear to come from trusted sources.
Given that browsers can “fix” malformed links automatically, traditional user training about verifying URLs in the address bar may not be sufficient to prevent compromise.
Security professionals should continuously update indicators of compromise (IOCs) and implement advanced detection capabilities that can recognize and quarantine messages containing these obscure URL formats.
As PhaaS platforms and their affiliates continue to innovate, staying ahead of new techniques remains a critical priority for defending enterprise environments.
Indicators of Compromise (IOCs)
| IOC URL | Description |
|---|---|
| hxxps[://]microsftmailonlinenyukmvdx2t[.]lgotsna[.]es/ | Typo-squatted domain targeting M365 users |
| hxxps[://]googleads[.]g[.]doubleclick[.]net/pcs/click?adurl=%68%74%74%70%73%3A%2F%2F%34[…]%6E%65%74# | Redirect via encoded ad link |
| hxxps[://]783784387348438743-fkhghccdfzc8e8cd[.]z02[.]azurefd[.]net/ | Azure-hosted phishing page |
| hxxps[://]4839794398349343-g4eydqdkguhcdvgs[.]z02[.]azurefd[.]net | Azure-hosted credential harvesting site |
| hxxps[://]sdnxk0t5-q[.]alt-bq-4o27qr9a[.]workers[.]dev | Cloudflare Workers disposable phishing |
| hxxps[://]9kp6wgtaqr[.]cloudflareemail2109399[.]workers[.]dev | Cloudflare Workers disposable phishing |
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
