Tycoon

Tycoon is a phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) phishing kit used to steal credentials, MFA/2FA tokens, and authenticated session cookies in real time, enabling MFA bypass and account takeover. The content describes Tycoon as a broadly available platform that provides phishing kits and supporting infrastructure, lowering the barrier for multiple threat actors to conduct sophisticated phishing operations.

Observed Tycoon activity primarily targets Microsoft 365 and Microsoft Entra ID users with counterfeit Microsoft authentication pages that can display the victim organization’s Azure Active Directory/Entra branding. Reported delivery and lure methods include email, SMS, OAuth consent workflows, QR-code phishing (quishing), HR and payroll themes, employee benefits lures, file-sharing themes, request-for-quote and contract lures, and holiday-themed campaigns. In several campaigns, victims were redirected through CAPTCHA pages before reaching Tycoon-powered phishing flows. The content also links Tycoon to fake Microsoft OAuth applications impersonating brands such as Adobe, DocuSign, RingCentral, SharePoint, and industry-specific services; both Accept and Cancel actions on the OAuth consent page could redirect victims into Tycoon phishing pages.

Tycoon is associated with synchronous relay/AiTM capabilities that intercept credentials and 2FA-approved session tokens, allowing session hijacking by importing stolen cookies into an attacker-controlled browser. Proofpoint reported Tycoon-linked activity in 2025 attempting to compromise nearly 3,000 user accounts across more than 900 Microsoft 365 environments, with a confirmed success rate exceeding 50%. The kit was also referenced in campaigns abusing the Lovable AI website builder to host or redirect to phishing pages, including Microsoft-themed credential theft and banking-targeted MFA phishing. In one real-world post-compromise case, activity most likely associated with Tycoon was followed by creation of malicious mailbox rules and registration of an internal Microsoft Entra ID application for persistence.

The content notes infrastructure and evasion patterns including operation from Microsoft Azure Blob Storage, specifically alencure[.]blob[.]core[.]windows[.]net, use of CAPTCHA filtering, and a late-April 2025 shift from Russia-based proxy services to an abused U.S.-based data center hosting provider. Reported indicators and related infrastructure include redirector hxxps://azureapplicationregistration[.]pages[.]dev/redirectapp, landing domains yrqwvevbjcfv[.]es and pw5[.]haykovx[.]es, domain gmlygt[.]ru, IPv6 address 2a00:b703:fff2:35::1, receiver domain quantumdhub[.]ru, and user-agent strings axios/1.7.9 and axios/1.8.2. Additional Tycoon-related techniques mentioned include nesting a malicious QR code inside a legitimate QR code to hinder automated detection.