Detecting & Blocking Tycoon’s latest AiTM Phishing Kit

Published on March 27, 2024 | updated on November 5, 2025

J McReynolds

In this blog, we detail how Obsidian detects and blocks the latest version of Tycoon, an adversary-in-the-middle (AiTM) Phishing-as-a-Service (PhaaS) platform that uses a reverse proxy to intercept and replay credentials and MFA prompts. We are seeing this kit more and more often in our customers’ environments, and we are successfully blocking users from submitting their credentials to it.

This new version of Tycoon has recently received press from Forbes [1], Dark Reading [2], TechRadar [3], and others.

Background

From https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/

Detecting & Blocking Tycoon’s latest version

To start off, let’s find some recent Tycoon phishing websites.

Using the latest technique suggested by Sekoia, we’ll search urlscan.io for the following:

filename:("code.jquery.com/jquery-3.6.0.min.js" AND "challenges.cloudflare.com/turnstile/v0/api.js")
hash:5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

Based on this search, we’ve received the following results:

Investigating the first result, we can confirm that TycoonGroup has implemented Cloudflare’s captcha/turnstile to prevent security crawlers and email security products (like ESGs) from observing the website.

Now, this isn’t a problem for Obsidian. We inspect all content and network traffic for the entire browsing session, so countermeasures such as Cloudflare’s anti-bot/turnstile check, which are aimed at automated crawlers, do not hide the page from us.

Once we observe the final landing page, which looks like a Microsoft login page, we detect its visual and structural similarity to the genuine page and block the user from submitting any credentials.

See it in action here:

Details:

  • Once we observe the Microsoft-looking login page, we block the user. We look for visual and structural similarities. We are not dependent on ephemeral IOCs like IPs or domains or on heuristics like domain age and reputation; each can be easily changed or gamed.
  • The end user is provided details about why they were blocked, including a screenshot of the offending page. In this illustration, “warning mode” is configured, allowing users to proceed if they believe it is safe. The logo and footer are customized to the company’s liking, keeping messaging on-brand and on-tone with company culture.
  • If the user has questions or needs to contact the security team, they can use the details in the customized footer.
  • Security is immediately notified when the page is blocked.

Takeaways
  • The use of AiTM reverse-proxy phishing kits is growing
  • These phishing kits successfully bypass the most common forms of 2FA/MFA, which include SMS, TOTP, Push, and Number Matching
  • Existing security solutions, like email security gateways (ESGs), are struggling to handle these attacks due to countermeasures put in place, like anti-bot, captchas, and turnstiles. Additionally, attackers are starting to target Microsoft Teams, Slack, and personal email accounts, avoiding existing corporate email security measures.
  • The most effective way to detect and block these attacks is to perform visual and structural analysis of the page throughout the lifetime of the user’s session.
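To make the two ideas above concrete (the urlscan script-pair indicator, and structural rather than IOC-based detection of a Microsoft-looking login page), here is an added example that is not Obsidian’s code. It parses a page with the standard library, looks for the jQuery 3.6.0 + Turnstile script pair, and flags a sign-in form served from a host outside an assumed trusted set; the trusted hosts, field names and sample pages are assumptions constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script pair from the urlscan query above (real indicator from the post).
KIT_SCRIPTS = ("code.jquery.com/jquery-3.6.0.min.js",
               "challenges.cloudflare.com/turnstile/v0/api.js")
# Assumed list of hosts allowed to serve a Microsoft sign-in form.
TRUSTED_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Assumed structural signal: input names of a Microsoft-style sign-in form.
LOGIN_FIELDS = {"loginfmt", "passwd"}

class PageFeatures(HTMLParser):
    """Collect script sources, input names and the title of a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self.inputs, self.title, self._in_title = [], set(), "", False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "input" and a.get("name"):
            self.inputs.add(a["name"])
        elif tag == "title":
            self._in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def assess(url, body):
    """Return (verdict, reasons): block on an off-origin sign-in form,
    review on the kit script pair alone, allow otherwise."""
    p = PageFeatures(); p.feed(body)
    host = urlparse(url).hostname or ""
    reasons = []
    has_kit_scripts = all(any(s in src for src in p.scripts) for s in KIT_SCRIPTS)
    if has_kit_scripts:
        reasons.append("jquery-3.6.0 + turnstile script pair (urlscan indicator)")
    looks_like_signin = "sign in" in p.title.lower() and bool(LOGIN_FIELDS & p.inputs)
    if looks_like_signin and host not in TRUSTED_HOSTS:
        reasons.append(f"Microsoft-style sign-in form served from {host}")
        return "block", reasons
    return ("review" if reasons else "allow"), reasons

# Constructed sample pages (not captured from a real kit).
PHISH_HTML = """<html><head><title>Sign in to your account</title>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>
</head><body><form><input name="loginfmt"><input name="passwd"></form></body></html>"""
BLOG_HTML = "<html><head><title>Team blog</title></head><body><p>hi</p></body></html>"
```

Running `assess("https://lookalike.example.test/login", PHISH_HTML)` yields a block verdict with both reasons, while the same markup on a trusted host only yields a review verdict.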

Want to learn more and protect your organization from these attacks? Contact our team here.

Frequently Asked Questions (FAQs)

What is the Tycoon adversary-in-the-middle (AiTM) phishing kit and how does it work?

The Tycoon phishing kit is a sophisticated Phishing-as-a-Service (PhaaS) platform that uses a reverse proxy to intercept credentials and multi-factor authentication (MFA) prompts during login attempts. By standing between users and legitimate websites, it can capture usernames, passwords, and even MFA codes in real time. This allows attackers to bypass standard security measures and gain unauthorized access to sensitive accounts.

How does Obsidian detect and block Tycoon phishing attacks?

Obsidian detects Tycoon attacks by analyzing the visual and structural elements of web pages during active browsing sessions, rather than relying on outdated indicators like IP addresses or domain reputation. Once a suspicious login page—such as one mimicking Microsoft—is identified, Obsidian blocks users from submitting their credentials and immediately notifies security teams. This session-level visibility allows Obsidian to outmaneuver common countermeasures like captchas or anti-bot features.

Why are traditional email security gateways (ESGs) ineffective against Tycoon attacks?

Traditional email security gateways often depend on static indicators, such as detecting known malicious domains, IP addresses, or analyzing email content. However, Tycoon and similar AiTM kits utilize advanced countermeasures like Cloudflare's anti-bot/captcha technology and ever-changing domains, making it difficult for ESGs to identify and block these threats. As a result, attackers can bypass these defenses and successfully deliver their phishing payloads.

Can Tycoon phishing kits bypass multi-factor authentication (MFA)?

Yes, Tycoon phishing kits are specifically designed to defeat popular forms of MFA, including SMS codes, TOTP apps, Push notifications, and Number Matching. By capturing both the user's credentials and the MFA code through their reverse proxy mechanism, attackers gain full access even when MFA is enabled, highlighting the need for advanced session-based threat detection.
