Please Be Vigilant when accessing company accounts, this does not just apply to Microsoft and Google. Always make sure you check the above address for proper spelling.
Snippet from Bleeping computer article:
Tycoon 2FA attacks involve a multi-step process where the threat actor steals session cookies by using a reverse proxy server hosting the phishing web page, which intercepts the victim’s input and relays them to the legitimate service.
“Once the user completes the MFA challenge, and the authentication is successful, the server in the middle captures session cookies,” Skoia explains. This way, the attacker can replay a user’s session and bypass multi-factor authentication (MFA) mechanisms.
Sekoia’s report describes the attacks in seven distinct stages as described below:
- Stage 0 – Attackers distribute malicious links via emails with embedded URLs or QR codes, tricking victims into accessing phishing pages.
- Stage 1 – A security challenge (Cloudflare Turnstile) filters out bots, allowing only human interactions to proceed to the deceptive phishing site.
- Stage 2 – Background scripts extract the victim’s email from the URL to customize the phishing attack.
- Stage 3 – Users are quietly redirected to another part of the phishing site, moving them closer to the fake login page.
- Stage 4 – This stage presents a fake Microsoft login page to steal credentials, using WebSockets for data exfiltration.
- Stage 5 – The kit mimics a 2FA challenge, intercepting the 2FA token or response to bypass security measures.
- Stage 6 – Finally, victims are directed to a legitimate-looking page, obscuring the phishing attack’s success.
Sekoia reports that the latest version of the Tycoon 2FA phishing kit, released this year, has introduced significant modifications that improve the phishing and evasion capabilities.