Attack Spotlight
March 27, 2025
Spoofing a corporate login for credential phishing with Tycoon 2FA
Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.
EMAIL PROVIDER: Microsoft 365
ATTACK TYPE: Credential Phishing
Tycoon 2FA phishing-as-a-service (PhaaS) attacks are a constant. PhaaS providers sell attackers the tools and templates they need to quickly spin up and modify large-scale phishing campaigns. In the case of Tycoon 2FA, the campaigns are adversary-in-the-middle (AiTM) phishing attacks that typically spoof generic authorization pages. But we’ve also been seeing Tycoon 2FA used to clone company-specific logins.
A recent tailored phishing attack detected by Sublime started with an email message with the subject “IMPORTANT : [Company] Amended Employee Policies for 2025” and an attachment named “Revised_Employee_Digital_HB2725.pdf”.
If the target opened the PDF, they saw an abbreviated employee handbook with its “updates” highlighted in red, followed by a QR code to scan in order to review the full handbook in SharePoint.
If the target scanned the QR code, they were taken to a Cloudflare Turnstile page to verify that the user is human.
Next, the user is taken to a “play voicemail” page styled as SharePoint. This page seems out of place because it is. Tycoon 2FA lets its customers (bad actors) spin up and launch new attacks quickly. In the case of this attack, it appears that the actor recycled a template from a different attack involving a fake voicemail notification in order to launch this new one. Alternatively, the template they’re using was originally built for a fake voicemail notification scam.
If the target clicks the play button, they are then redirected to an AiTM login page that is a clone of their expected login page, featuring the company’s logo and its custom background. Note that the page title is “Voice Mail”, because the page code was recycled from another attack.
As this is an AiTM attack, the spoofed page accepts credentials and passes them to the real login page. The AiTM login then imitates the response it receives from the real login, either letting the target into the portal or returning an “incorrect password” message.
While this attack is fairly standard for Tycoon 2FA, it shows just how easily an attacker can spoof a company’s internal login by utilizing the correct branding.
Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this attack were:
See the full Message Query Language (MQL) that detected this attack in these publicly available Detection Rules in our Core Feed: QR code with phishing disposition in img or pdf and QR code with suspicious indicators.
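As an added illustration (this is not Sublime's code or MQL), the Python below sketches message-level heuristics that capture the lure described above: a PDF attachment carrying a QR code, an urgent HR-policy theme in the subject and filename, and a QR destination that is neither SharePoint nor the sender's own domain. It assumes QR payloads have already been decoded upstream, and every domain it is exercised with is a constructed placeholder.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: a genuine "review in SharePoint" link lands under these suffixes.
SHAREPOINT_SUFFIXES = ("sharepoint.com", "sharepointonline.com")
URGENCY = re.compile(r"\b(important|urgent|action required|amended|revised)\b", re.I)
HR_THEME = re.compile(r"\b(policy|policies|handbook)\b", re.I)

@dataclass
class Attachment:
    name: str
    content_type: str
    # URLs already decoded from QR codes in the file (a QR decoder fills this
    # in upstream; the values used with this example are constructed).
    qr_urls: list = field(default_factory=list)

@dataclass
class Message:
    subject: str
    sender_domain: str
    attachments: list

def under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def qr_phishing_signals(msg: Message) -> list[str]:
    """Names of the heuristics that fire; empty if no PDF carries a QR code."""
    qr_pdfs = [a for a in msg.attachments
               if a.content_type == "application/pdf" and a.qr_urls]
    if not qr_pdfs:
        return []
    signals = ["qr_code_in_pdf_attachment"]
    names = " ".join(a.name for a in qr_pdfs)
    if URGENCY.search(msg.subject) and HR_THEME.search(msg.subject + " " + names):
        signals.append("urgent_hr_policy_lure")
    for url in (u for a in qr_pdfs for u in a.qr_urls):
        host = (urlparse(url).hostname or "").lower()
        # The PDF promises SharePoint; a QR link landing anywhere else, and not
        # even on the sender's own domain, is the strongest single indicator.
        if (not any(under(host, s) for s in SHAREPOINT_SUFFIXES)
                and not under(host, msg.sender_domain.lower())):
            signals.append("qr_link_offsite:" + host)
    return signals

def is_suspicious(msg: Message) -> bool:
    # A QR code in a PDF alone is weak; require a second corroborating signal.
    return len(qr_phishing_signals(msg)) >= 2
```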
PhaaS providers like Tycoon 2FA make it easy for attackers to develop and iterate on novel attacks. That’s why the most effective email security platforms are adaptive, using AI and machine learning to stay ahead of the latest tactics and techniques.
If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.