Tycoon 2FA credential phishing with cloned internal employee login

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Microsoft 365

ATTACK TYPE: Credential Phishing

Tycoon 2FA phishing as a service (PhaaS) attacks are a constant. PhaaS providers sell attackers the tools and templates they need to quickly spin up and modify large scale phishing campaigns. In the case of Tycoon 2FA, the campaigns are adversary in the middle (AITM) phishing attacks that typically spoof generic authorization pages. But we’ve also been seeing Tycoon 2FA used to clone company-specific logins.

A recent tailored phishing attack detected by Sublime started with an email message with the subject “IMPORTANT : [Company] Amended Employee Policies for 2025” and an attachment named “Revised_Employee_Digital_HB2725.pdf”.

If the target opened the PDF, they saw an abbreviated employee handbook that featured “updates” in red and then provided a QR code in order to review the entire handbook within SharePoint.

If the target scanned the QR code, they were taken to a Cloudflare Turnstile page to verify the user is human.

Next, the user is taken to a “play voicemail” page in Sharepoint. This page seems out of place because it is. Tycoon 2FA lets their customers (bad actors) spin up and launch new attacks quickly. In the case of this attack, it appears that the actor has recycled a template from a different attack involving a fake voicemail notification in order to launch this new one. Alternatively, the template they’re using was originally built for a fake voicemail notification scam.

If the target clicks the play button, they are then redirected to an AITM login page that is a clone of their expected login page, featuring the company’s logo and their custom background. Note that the page title is “Voice Mail” as the page code was recycled from another attack.

As this is an AITM attack, this spoof page will accept credentials and then pass them to the real login page. The AITM login will then imitate the response that it receives from the real login, either letting the target into the portal or returning an “incorrect password” message.

While this attack is fairly standard for Tycoon 2FA, it shows just how easily an attacker can spoof a company’s internal login by utilizing the correct branding.

Detection signals

Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this attack were:

• QR code with phishing disposition: The QR code does not link to any organizational domains.
• Empty message body: The message was blank while the subject and attachment contained HR indicators.
• Newly registered sender domain: The sender's domain is suspicious because it was registered in the past 14 days. Registering new domains is a common tactic used to conduct attacks.

See the full Message Query Language (MQL) that detected this attack in these publicly available Detection Rules in our Core Feed: QR code with phishing disposition in img or pdf and QR code with suspicious indicators.

Keep an eye out for credential phishing

PhaaS providers like Tycoon 2FA make it easy for attackers to develop and iterate on novel attacks. That’s why the most effective email security platforms are adaptive, using AI and machine learning to stay ahead of the latest tactics and techniques.

If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.

Read more Attack Spotlights:

• Microsoft OAuth URL used as redirect to AITM credential phishing site
• Seeing both sides of a service abuse financial fraud using YOPmail disposable messages
• Base64-encoding an SVG attack within an iframe and hiding it all in an EML attachment