Latest additions to Tycoon 2FA toolbox
The Tycoon 2FA phishing kit mainly targets Microsoft 365 accounts, although some versions also target Gmail accounts. The malicious tool enables attackers to access victims’ accounts and bypass two-factor authentication (2FA) via fake login pages and an adversary-in-the-middle (AiTM) technique, in which a reverse proxy captures and reuses session cookies as the user submits their credentials and 2FA details.
A Tycoon 2FA sample from April 23, 2025, revealed a new feature of the phishing kit: browser fingerprinting. Unlike previous versions, which used more basic techniques to detect sandbox environments, this version of the kit collected extensive information, including screen parameters, browser name, console properties, time zone, graphical interface properties and more, and exfiltrated these details to an attacker command-and-control (C2) server for analysis. The C2 server analyzes these details to check for a potential sandbox environment; if the check fails, the user is redirected to an unrelated legitimate website (such as the official Tesla website). If the check passes and no sandbox is detected, the phishing attack proceeds.
The most recent sample in ANY.RUN’s timeline, from May 6, 2025, also revealed additional AES encryption of the final-stage Tycoon 2FA payload, whereas previous versions encrypted only exfiltrated data and the URL used to retrieve the phishing page payload.
Past improvements include rotating CAPTCHAs, invisible obfuscation
ANY.RUN’s Tycoon 2FA update timeline also notes previous additions from December 2024 and early April 2025 that improve obfuscation, social engineering and evasion of detection tools.
In December, the kit added a check for specific debugging environments, including Selenium, WebDriver and Burp Suite, redirecting the user to about:blank if this check failed. Mechanisms were also added to prevent the user from taking actions to analyze the page. Keyboard shortcuts commonly used to open developer tools were blocked on the phishing page, including F12 (which opens DevTools in Firefox), Ctrl + Shift + C (which opens DevTools in Chrome) and Ctrl + U (which displays the page’s source code). Users were also unable to open the context menu by right-clicking on the page, preventing them from using this menu to view the page’s source code or inspect an element.
A Dec. 17, 2024, sample of Tycoon 2FA also added dynamic multimedia loading that retrieves logos and custom backgrounds for the fake login page based on the victim’s email domain. This enhances the social-engineering aspect of the attack, making it more likely that the victim believes they are on a legitimate login page. These assets were loaded from the legitimate Microsoft Azure Active Directory Content Delivery Network (AADCDN).
In early April 2025, additional obfuscation and anti-bot measures were observed. In the second stage of the attack, when several checks are performed prior to unpacking and retrieval of the phishing page payload, invisible obfuscation was used to better hide the nature of the code and complicate analysis. Invisible obfuscation uses different whitespace characters to encode parts of the code; these characters appear invisible and harmless but are ultimately decoded into bytes and executed by the malware.
The phishing kit also began rotating the CAPTCHAs it used to prevent bots from accessing the phishing pages, abandoning the use of Cloudflare CAPTCHAs and switching between custom CAPTCHAs, Google reCAPTCHA and IconCaptcha. The use of a custom CAPTCHA eliminates possible disruption by Cloudflare, while rotation between different CAPTCHA methods complicates signature-based detection methods, according to ANY.RUN.
Several weak evasion methods still in use
ANY.RUN noted that many of the evasion tactics Tycoon 2FA has used since October 2024 remain in use, and several of these methods are still relatively weak, allowing for deobfuscation and decryption. For example, several parts of the Tycoon 2FA code are obfuscated using obfuscate.io, a method that can be easily reversed using deobfuscate.io. Additionally, the kit used the same hardcoded keys and initialization vectors for encryption of C2 payloads and exfiltrated data across all observed samples, simplifying decryption and analysis, ANY.RUN wrote.
Despite these weaknesses, Tycoon 2FA’s evasion methods make it difficult to detect solely using signature-based methods, and ANY.RUN recommends behavioral analysis methods to reliably detect this PhaaS activity. Specifically, communication with domains using a specific group of top-level domains (TLDs) known to be used by Tycoon 2FA, resource loading from specific JavaScript libraries, CSS stylesheets and web content, and redirection to the official Microsoft login page at the end of a session are behavioral signs that can indicate Tycoon 2FA activity when they occur together in a single session.
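As an added illustration (not code from the article or from ANY.RUN), the following Python correlator applies the three session-level indicators described above to a few constructed web-proxy log lines and flags only sessions where all three co-occur. The TLD list and the JS/CSS resource paths are placeholders, since the article does not name the real ones; the log format is also constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Placeholders: the article says Tycoon 2FA uses a specific group of TLDs and
# specific JS/CSS resources but does not list them, so these are stand-in values.
SUSPECT_TLDS = {"tldplaceholder"}
SUSPECT_RESOURCES = {"/js/placeholder-kit.js", "/css/placeholder-kit.css"}
MICROSOFT_LOGIN_HOST = "login.microsoftonline.com"  # official Microsoft login page

# Constructed proxy log, one request per line: "<session> <seq> <method> <url> <status>"
SAMPLE_LOG = """\
s1 1 GET https://verify-doc.tldplaceholder/index.html 200
s1 2 GET https://verify-doc.tldplaceholder/js/placeholder-kit.js 200
s1 3 POST https://verify-doc.tldplaceholder/submit 302
s1 4 GET https://login.microsoftonline.com/ 200
s2 1 GET https://intranet.example.com/portal 200
s2 2 GET https://intranet.example.com/js/placeholder-kit.js 200
s2 3 GET https://login.microsoftonline.com/ 200
s3 1 GET https://news.tldplaceholder/ 200
s3 2 GET https://news.tldplaceholder/css/placeholder-kit.css 200
"""

def parse_log(text):
    """Group requests by session id, ordered by sequence number."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, seq, method, url, status = line.split()
        sessions[sid].append((int(seq), method, url, int(status)))
    for events in sessions.values():
        events.sort()
    return sessions

def session_signals(events):
    """Evaluate the three behavioural indicators for one session."""
    hosts = [urlparse(url).hostname or "" for _, _, url, _ in events]
    paths = [urlparse(url).path for _, _, url, _ in events]
    return {
        "suspect_tld": any(h.rsplit(".", 1)[-1] in SUSPECT_TLDS for h in hosts),
        "kit_resource": any(p in SUSPECT_RESOURCES for p in paths),
        # The redirect to the real Microsoft login page is the session's final request
        "ends_at_ms_login": bool(hosts) and hosts[-1] == MICROSOFT_LOGIN_HOST,
    }

def flag_sessions(text):
    """Return ids of sessions where all three indicators occur together."""
    return sorted(sid for sid, ev in parse_log(text).items()
                  if all(session_signals(ev).values()))

if __name__ == "__main__":
    print(flag_sessions(SAMPLE_LOG))  # ['s1']
```

A single indicator on its own (s2 ends at the Microsoft login page, s3 uses a suspect TLD and resource) is not flagged, which is the point of correlating them within one session.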