Spoofing a corporate login for credential phishing with Tycoon 2FA

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Microsoft 365

ATTACK TYPE: Credential Phishing

Tycoon 2FA phishing-as-a-service (PhaaS) attacks are a constant. PhaaS providers sell attackers the tools and templates they need to quickly spin up and modify large-scale phishing campaigns. In the case of Tycoon 2FA, the campaigns are adversary-in-the-middle (AITM) phishing attacks that typically spoof generic login pages. But we’ve also been seeing Tycoon 2FA used to clone company-specific logins.

A recent tailored phishing attack detected by Sublime started with an email message with the subject “IMPORTANT : [Company] Amended Employee Policies for 2025” and an attachment named “Revised_Employee_Digital_HB2725.pdf”.

If the target opened the PDF, they saw an abbreviated employee handbook that featured “updates” in red and then provided a QR code in order to review the entire handbook within SharePoint.

Table of contents with “updates” in red.
QR code to access the “employee handbook”

If the target scanned the QR code, they were taken to a Cloudflare Turnstile page that asks the visitor to verify they are human.

Cloudflare Turnstile, a hallmark of Tycoon 2FA

Next, the user is taken to a “play voicemail” page styled as SharePoint. This page seems out of place because it is. Tycoon 2FA lets its customers (bad actors) spin up and launch new attacks quickly. In this attack, the actor appears to have recycled a template from a different campaign built around a fake voicemail notification, or the template was originally designed for a fake voicemail notification scam and was repurposed for this lure.

Fake voicemail accidentally recycled from a different attack or attack template

If the target clicks the play button, they are then redirected to an AITM login page that is a clone of their expected login page, featuring the company’s logo and their custom background. Note that the page title is “Voice Mail” as the page code was recycled from another attack.

AITM imitation login page. We have redacted the company’s logo and blurred their custom background.

As this is an AITM attack, the spoofed page accepts the target’s credentials and relays them to the real login page. The AITM login then mirrors the response it receives from the real login, either letting the target into the portal or returning an “incorrect password” message.

While this attack is fairly standard for Tycoon 2FA, it shows just how easily an attacker can spoof a company’s internal login by utilizing the correct branding.

Detection signals

Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this attack were:

  • QR code with phishing disposition: The QR code does not link to any organizational domains.
  • Empty message body: The message was blank while the subject and attachment contained HR indicators.
  • Newly registered sender domain: The sender's domain is suspicious because it was registered in the past 14 days. Registering new domains is a common tactic used to conduct attacks.

See the full Message Query Language (MQL) that detected this attack in these publicly available Detection Rules in our Core Feed: “QR code with phishing disposition in img or pdf” and “QR code with suspicious indicators”.
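To show how the three signals above combine into a verdict, here is an added illustration in Python. It is not Sublime’s MQL or detection engine, and the organizational domains, the sender domain’s registration date, and the QR-decoded URL are assumed, constructed values rather than indicators from the campaign.

```python
# Added illustration, not Sublime's MQL or engine: the three signals from this spotlight,
# scored over a constructed message. Org domains, dates and URLs are assumed values.
from datetime import date
from urllib.parse import urlparse

HR_TERMS = ("employee", "policy", "policies", "handbook")
ORG_DOMAINS = ["example.test"]                                  # assumed org domains
REGISTERED_ON = {"hr-notices-example.test": date(2025, 3, 1)}  # assumed WHOIS data
TODAY = date(2025, 3, 10)

# Constructed message modelled on the campaign; the sender and QR URL are not real IoCs.
SAMPLE = {
    "sender_domain": "hr-notices-example.test",
    "subject": "IMPORTANT : Example Corp Amended Employee Policies for 2025",
    "body_text": "   \n",
    "attachment_names": ["Revised_Employee_Digital_HB2725.pdf"],
    "qr_urls": ["https://sharepoint-verify-login.test/turnstile"],  # decoded from the PDF
}

def qr_points_off_org(msg, org_domains=ORG_DOMAINS):
    """Signal 1: a QR code in an image or PDF resolves outside every organizational domain."""
    for url in msg["qr_urls"]:
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in org_domains):
            return True
    return False

def empty_body_with_hr_lure(msg):
    """Signal 2: the body is blank while the subject or attachment names carry HR wording."""
    if msg["body_text"].strip():
        return False
    haystack = " ".join([msg["subject"], *msg["attachment_names"]]).lower()
    return any(term in haystack for term in HR_TERMS)

def newly_registered_sender(msg, today=TODAY, max_age_days=14):
    """Signal 3: the sender domain was registered within the last max_age_days."""
    created = REGISTERED_ON.get(msg["sender_domain"])
    return created is not None and 0 <= (today - created).days <= max_age_days

def fired_signals(msg, today=TODAY):
    """Names of the signals that fire, in the order the post lists them."""
    checks = (("qr_code_phishing_disposition", qr_points_off_org(msg)),
              ("empty_body_hr_indicators", empty_body_with_hr_lure(msg)),
              ("newly_registered_sender_domain", newly_registered_sender(msg, today)))
    return [name for name, hit in checks if hit]

if __name__ == "__main__":
    print(fired_signals(SAMPLE))  # -> all three signals fire for the constructed sample
```

A real pipeline would source the QR URLs from an image or PDF decoder and the registration date from WHOIS or RDAP; here both are embedded so the logic runs offline.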

Keep an eye out for credential phishing

PhaaS providers like Tycoon 2FA make it easy for attackers to develop and iterate on novel attacks. That’s why the most effective email security platforms are adaptive, using AI and machine learning to stay ahead of the latest tactics and techniques.

If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.

About the Author

Peter Djordjevic (Detection)

Peter is an Email Security Analyst at Sublime. Having witnessed the devastating impact of phishing attacks firsthand in previous IT roles, he is passionate about empowering both organizations and individuals to strengthen their email security posture.
