NEWS Passwords, Authentication, CAPTCHA — All in Vain: Tycoon2FA Takes Phishing to a New Level of Horror

ExcalibuR

The platform’s creators have cleverly turned familiar technologies against us.
Significant updates have been discovered in the operation of the Tycoon2FA phishing platform, notorious for bypassing two-factor authentication (2FA) in Microsoft 365 and Gmail. The developers behind this Phishing-as-a-Service (PhaaS) tool have improved their obfuscation and evasion techniques to escape detection by security systems.


First exposed in October 2023 by researchers at Sekoia, Tycoon2FA has since evolved into a more sophisticated and effective tool. Now, analysts at Trustwave report several major enhancements that significantly hinder endpoint detection and response systems.


One key innovation is the use of invisible Unicode characters to conceal binary data within JavaScript code. This technique, first described by Juniper Threat Labs in February, allows malicious scripts to be decrypted and executed at runtime, all while remaining undetectable by both automated scanners and manual code reviewers.

Another update involves the abandonment of Cloudflare Turnstile in favor of a custom HTML5 canvas-based CAPTCHA. This CAPTCHA features randomly generated elements, helping phishing pages evade domain reputation analysis and giving attackers more flexibility to fine-tune page content.


A third improvement is the integration of JavaScript-based anti-debugging mechanisms. The platform now detects browser automation tools such as PhantomJS and Burp Suite, blocking activities associated with malware analysis. If suspicious behavior or failed CAPTCHA attempts are detected — possibly indicating a security bot — the user is automatically redirected to a decoy or legitimate site, such as rakuten.com.


According to Trustwave, while none of these techniques are entirely new on their own, their combined use makes Tycoon2FA’s infrastructure far more difficult to detect and analyze — complicating the process of preventing or mitigating attacks.


Meanwhile, researchers have observed an unprecedented rise in phishing attacks using SVG files. Platforms like Tycoon2FA, Mamba2FA, and Sneaky2FA have all adopted this tactic. Between April 2024 and March 2025, incidents involving malicious SVG attachments surged by a staggering 1800%.


Attackers disguise SVG files as voice messages, logos, or cloud document icons. The Scalable Vector Graphics (SVG) format allows JavaScript to be embedded and automatically executed when opened in a browser. To evade detection, the malicious code is obfuscated using multiple techniques simultaneously — including base64 encoding, ROT13, XOR encryption, and the insertion of junk instructions.


The main goal of these scripts is to redirect users to fake Microsoft 365 login pages to steal credentials. One example cited by researchers involves a phishing email pretending to be a Microsoft Teams voice message. When the attached SVG file — disguised as an audio recording — is opened, the browser executes JavaScript that sends the victim to a counterfeit Office 365 login page.

Given the growing popularity of phishing platforms and SVG-based attacks, users are urged to be extra vigilant when verifying email senders. Among the most effective defenses are:


  • Configuring email gateways to block or flag suspicious SVG attachments
  • Using phishing-resistant multi-factor authentication, especially FIDO2 hardware keys
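Two of the tricks described above (invisible Unicode characters hiding data in JavaScript, and SVG attachments carrying script) can be caught at the mail gateway before a browser ever renders the file. The scanner below is an added example written for this post, not tooling from Trustwave or Sekoia; the set of invisible code points and the sample SVG are constructed assumptions, and a production filter would run it on every `image/svg+xml` part in addition to the gateway's normal attachment rules.

```python
from xml.etree import ElementTree as ET

# Zero-width / bidi control code points that are invisible in an editor and
# can be used to smuggle data inside JavaScript (assumed, non-exhaustive set).
INVISIBLE_CHARS = {
    "\u200b", "\u200c", "\u200d", "\u2060", "\u2061", "\u2062", "\u2063",
    "\u2064", "\u2066", "\u2067", "\u2068", "\u2069", "\u202a", "\u202b",
    "\u202c", "\u202d", "\u202e", "\ufeff",
}
# Runtime decoders that inline loaders typically chain (atob -> eval etc.).
DECODER_HINTS = ("atob(", "eval(", "fromcharcode", "unescape(")


def scan_svg(svg_text: str) -> list[str]:
    """Return a list of findings for one SVG attachment; [] means clean."""
    findings = []
    hidden = sum(svg_text.count(c) for c in INVISIBLE_CHARS)
    if hidden:
        findings.append(f"invisible-unicode:{hidden}")
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return findings + ["xml-parse-error"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip the SVG namespace
        if tag in ("script", "foreignobject"):
            findings.append(f"{tag}-element")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()       # strip xlink: namespace
            low = value.strip().lower()
            if name.startswith("on"):                # onload=, onclick=, ...
                findings.append(f"event-handler:{name}")
            if name == "href" and low.startswith(("javascript:", "data:")):
                findings.append(f"href-scheme:{low.split(':', 1)[0]}")
        blob = ((el.text or "") + " ".join(el.attrib.values())).lower()
        for hint in DECODER_HINTS:
            if hint in blob:
                findings.append(f"decoder:{hint.rstrip('(')}")
    return findings


# Constructed sample modelled on the "Teams voice message" lure: an onload
# handler that decodes and runs code, plus zero-width characters in a script.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'onload="eval(atob(\'Ly8gY29uc3RydWN0ZWQ=\'))">'
    '<text x="10" y="20">voice-message.mp3</text>'
    '<script>var z="\u200b\u200c\u200b\u200d";</script></svg>'
)
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
```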

Tycoon2FA’s evolution underscores a chilling truth: even trusted security measures can be weaponized — and attackers are getting better at doing just that.