Introduction
Tycoon 2FA is a Phishing-as-a-Service (PhaaS) kit that implements Adversary-in-the-Middle (AiTM) phishing against Microsoft Entra ID (formerly Azure AD) and Google Workspace accounts. The kit places a reverse proxy between the victim and the real identity provider, relays every step of the login, including the MFA challenge, and keeps the session cookie the identity provider issues at the end. The MFA prompt is answered by the real user, so the control that many organizations treat as their primary defense against account takeover is satisfied and bypassed in the same step.
The kit is actively used in the wild against organizations that rely on MFA methods that are not phishing-resistant (SMS, app-based TOTP, push approval). Unlike classic credential phishing, Tycoon 2FA captures both the credentials and, once the victim completes MFA, the authenticated session cookie, which the operator then replays from their own infrastructure without ever seeing another MFA prompt. Defenders should treat this as a detection-and-containment problem as much as a prevention problem: identify the telemetry fingerprints of a relayed sign-in and a replayed session, revoke sessions automatically when they appear, and move high-value accounts to phishing-resistant authentication.
Technical Analysis
Affected Products and Platforms
- Microsoft Entra ID (any tenant whose Conditional Access policies accept MFA methods that are not phishing-resistant)
- Google Workspace (all editions, including Enterprise, when 2-Step Verification relies on codes or prompts rather than security keys or passkeys)
Attack Methodology
Tycoon 2FA operates through the following attack chain:
- Initial vector: targeted phishing emails (often delivered through QR codes, redirectors or legitimate file-sharing services) containing links to attacker-controlled infrastructure that mimics the Microsoft or Google login page. The phishing domain is a lookalike; it is never the real identity-provider origin.
- Reverse proxy deployment: the phishing site is a transparent reverse proxy. Tycoon 2FA ships its own proxy component; the technique is the same one that open-source frameworks such as Evilginx2 implement. The proxy rewrites the legitimate login page on the fly and forwards every request to the real authentication service.
- Authentication interception:
  - The victim enters credentials into the phishing page
  - The proxy forwards the credentials to the legitimate service (the identity provider therefore records the proxy's IP address, not the victim's)
  - The legitimate service challenges for MFA
  - The proxy presents the same MFA challenge to the victim
  - The victim completes MFA (TOTP code, push approval, or SMS); none of these methods bind the response to the origin the user is actually on, so the relayed answer is accepted
  - The legitimate service issues the session cookie to the proxy
  - The proxy stores the cookie and shows the victim a success page or redirects them to the real service
- Session hijacking: the operator imports the captured cookie into their own browser and uses the victim's account from their own infrastructure. The session is already authenticated, so no further MFA prompt is raised until the token expires or is revoked.
- Post-compromise activity: the operator establishes persistence (mailbox rules, additional MFA methods, OAuth app consents), reads and exfiltrates sensitive data, configures email forwarding, and uses the hijacked identity for internal phishing and lateral movement.
Exploitation Status
- Status: Confirmed active exploitation in the wild
- Threat actor: Tycoon 2FA is a phishing-as-a-service kit sold to multiple operators; the campaigns observed are run by its customers rather than by a single group
- Targeted industries: no specific vertical targeting; opportunistic campaigns against any organization that relies on MFA methods that can be relayed
Key Telemetry Fingerprints
- Authentication attempts from IP addresses with mismatched geolocation relative to historical patterns
- Multiple successful authentications from distinct IP addresses within impossible travel time windows
- User-Agent inconsistencies between authentication requests
- Conditional Access policy triggers indicating suspicious authentication contexts
- Session token usage from infrastructure not associated with corporate endpoints
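The first three fingerprints above can be computed from the sign-in log alone. The following Python is an added example (it is not code from the original page or from any detection vendor) that implements impossible-travel and user-agent-drift checks over constructed Entra ID style sign-in events; the sample events, IP addresses and coordinates are invented for the demonstration, and the field names mirror the SigninLogs columns used elsewhere on this page. It goes slightly beyond the bullets by grouping per user and ignoring failed sign-ins, so that the relayed interactive sign-in (logged from the proxy's IP) is paired with the victim's own earlier sign-in.

```python
"""Impossible travel and user-agent drift over Entra ID style sign-in events.

Added example, not code from the original page. The events are constructed; the
field names follow the SigninLogs columns used elsewhere on the page
(UserPrincipalName, IPAddress, Location, UserAgent, ResultType).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # roughly airliner cruise speed; faster than this is "impossible travel"


@dataclass(frozen=True)
class SignIn:
    upn: str
    time: datetime
    ip: str
    lat: float
    lon: float
    user_agent: str
    result_type: int = 0  # 0 == success, as in SigninLogs.ResultType


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlambda = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def os_family(user_agent: str) -> str:
    """Coarse OS bucket; Android is tested before Linux because Android UAs also contain 'Linux'."""
    for needle, family in (("Windows", "Windows"), ("Android", "Android"), ("iPhone", "iOS"),
                           ("iPad", "iOS"), ("Mac OS X", "macOS"), ("Linux", "Linux")):
        if needle in user_agent:
            return family
    return "unknown"


def _successes_by_user(events):
    """Successful sign-ins grouped per UPN and sorted by time; failures never form a travel pair."""
    by_user = {}
    for e in events:
        if e.result_type == 0:
            by_user.setdefault(e.upn, []).append(e)
    for evs in by_user.values():
        evs.sort(key=lambda e: e.time)
    return by_user


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Consecutive successful sign-ins for one user from different IPs whose implied speed exceeds the threshold.
    The IdP logs the AiTM proxy's IP for the relayed sign-in, so the pair is
    (victim's usual egress, proxy or operator IP) only minutes apart."""
    findings = []
    for upn, evs in _successes_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.ip == cur.ip:
                continue
            distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = max((cur.time - prev.time).total_seconds(), 1.0) / 3600.0  # floor at one second
            speed = distance / hours
            if speed > max_speed_kmh:
                findings.append({"upn": upn, "from_ip": prev.ip, "to_ip": cur.ip,
                                 "distance_km": round(distance, 1), "minutes_apart": round(hours * 60, 1),
                                 "speed_kmh": round(speed, 1)})
    return findings


def user_agent_drift(events, window=timedelta(hours=1)):
    """Successful sign-ins for one user within `window` whose OS family changes (e.g. Windows/Edge then Linux/Chrome)."""
    findings = []
    for upn, evs in _successes_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            if cur.time - prev.time <= window and os_family(prev.user_agent) != os_family(cur.user_agent):
                findings.append({"upn": upn, "from": os_family(prev.user_agent), "to": os_family(cur.user_agent),
                                 "from_ip": prev.ip, "to_ip": cur.ip})
    return findings


# Constructed sample: alice's relayed sign-in appears from a hosting IP in Frankfurt 20 minutes after her
# corporate-egress sign-in in New York; bob drives New York -> Boston in four hours; carol's event is a failure.
T0 = datetime(2025, 1, 15, 9, 0)
EDGE_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36 Edg/120.0"
CHROME_LINUX = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
SAMPLE_SIGNINS = [
    SignIn("alice@example.com", T0, "203.0.113.10", 40.71, -74.01, EDGE_WIN),
    SignIn("alice@example.com", T0 + timedelta(minutes=20), "198.51.100.77", 50.11, 8.68, CHROME_LINUX),
    SignIn("bob@example.com", T0, "203.0.113.10", 40.71, -74.01, EDGE_WIN),
    SignIn("bob@example.com", T0 + timedelta(hours=4), "203.0.113.44", 42.36, -71.06, EDGE_WIN),
    SignIn("carol@example.com", T0, "203.0.113.10", 40.71, -74.01, EDGE_WIN, result_type=50126),
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_SIGNINS) + user_agent_drift(SAMPLE_SIGNINS):
        print(finding)
```

Run against the sample, alice produces one impossible-travel finding (about 6,200 km in 20 minutes) and one OS-family drift finding; bob's 300 km in four hours is plausible and produces nothing. In production the same two functions run over SigninLogs exports or the KQL output below; the speed threshold is the tuning knob, and VPN egress points should be whitelisted as known locations before the rule pages anyone.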
Detection & Response
Sigma Rules
Sigma has no geo-distance or IP-comparison functions; the rules below are written as Sigma v2 event rules plus correlation rules, and the distance and user-agent checks are left to the SIEM query (see the KQL below). Field names are those of the Sigma `azure` / `signinlogs` log source.
---
title: Tycoon 2FA - Entra ID Successful Sign-In (base rule)
id: 8a4f3c2d-1e5b-4a9f-8d7c-6b5a4d3e2f1a
name: entra_signin_success
status: experimental
description: Base event rule for the correlation below. Matches every successful interactive sign-in; it is not alerted on by itself.
references:
  - https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering
author: Security Arsenal
date: 2025-01-15
tags:
  - attack.credential_access
  - attack.t1557
  - attack.defense_evasion
  - attack.t1550.004
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    ResultType: 0
  condition: selection
falsepositives:
  - Not applicable; see the correlation rule
level: informational
---
title: Tycoon 2FA - Entra ID Sign-Ins from Multiple Source IPs Within One Hour
id: 8a4f3c2d-1e5b-4a9f-8d7c-6b5a4d3e2f1b
status: experimental
description: One user signing in successfully from two or more distinct IP addresses inside an hour. During an AiTM relay the identity provider records the proxy's IP for the relayed sign-in while the victim's own device keeps appearing from its usual egress, so the pair shows up as distinct IPs minutes apart. Whether the travel is actually impossible is decided in the SIEM using the geo data attached to each event.
references:
  - https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering
author: Security Arsenal
date: 2025-01-15
tags:
  - attack.credential_access
  - attack.t1557
  - attack.t1550.004
correlation:
  type: value_count
  rules:
    - entra_signin_success
  group-by:
    - UserPrincipalName
  timespan: 1h
  condition:
    gte: 2
    field: IPAddress
falsepositives:
  - Legitimate users switching between office, VPN and mobile networks
  - Shared accounts with multiple legitimate access points
level: high
---
title: Tycoon 2FA - Google Workspace Login from Unrecognised Client
id: 9b5e4d3c-2f6a-5b0a-9e8d-7c6b5e4d3f2b
status: experimental
description: Successful Google Workspace login whose reported client is not one of the browsers the organisation issues and is not a system actor. Cookie replay itself does not produce a login event, so this rule targets the relayed interactive login; baseline the allow-list against your own fleet before enabling.
references:
  - https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering
author: Security Arsenal
date: 2025-01-15
tags:
  - attack.initial_access
  - attack.t1566.002
  - attack.defense_evasion
  - attack.t1550.004
logsource:
  product: gws
  service: login
detection:
  selection:
    event_name: 'login_success'
  filter_known_browser:
    device_type|contains:
      - 'Chrome'
      - 'Firefox'
      - 'Safari'
      - 'Edge'
      - 'Mobile'
  filter_automated:
    actor_caller_type: 'SYSTEM'
  condition: selection and not 1 of filter_*
falsepositives:
  - Custom applications using OAuth
  - Legacy authentication methods
  - Browsers the organisation has not yet added to the allow-list
level: medium
---
title: Tycoon 2FA - Entra ID Password Failure (base rule)
id: 0c6f5e4d-3a7b-6c1b-0f9e-8d7c6e5f4a3c
name: entra_signin_password_failure
status: experimental
description: Base event rule; Entra ID result code 50126 is "invalid username or password". Not alerted on by itself.
references:
  - https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering
author: Security Arsenal
date: 2025-01-15
tags:
  - attack.credential_access
  - attack.t1110
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    ResultType: 50126
  condition: selection
falsepositives:
  - Not applicable; see the correlation rule
level: informational
---
title: Tycoon 2FA - Password Failures Followed by Success Within Five Minutes
id: 0c6f5e4d-3a7b-6c1b-0f9e-8d7c6e5f4a3d
status: experimental
description: A password failure followed by a successful sign-in for the same user within five minutes. A victim mistyping into the phishing page produces exactly this sequence, all of it logged from the proxy's IP. Whether the success came from a different IP than the user's recent history is checked in the SIEM.
references:
  - https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering
author: Security Arsenal
date: 2025-01-15
tags:
  - attack.credential_access
  - attack.t1557
  - attack.t1078.004
correlation:
  type: temporal_ordered
  rules:
    - entra_signin_password_failure
    - entra_signin_success
  group-by:
    - UserPrincipalName
  timespan: 5m
falsepositives:
  - Users entering the wrong password before succeeding
  - Application throttling and retry logic
level: medium
KQL (Microsoft Sentinel)
// Tycoon 2FA - Entra ID Suspicious Authentication Patterns
// Run each query separately in Sentinel. Query 1 finds users with successful sign-ins from several
// IPs inside one hour and scores them by whether the country and operating system also changed.
// During an AiTM relay the interactive sign-in is recorded from the proxy's IP (typically a hosting
// range) while the victim's own device keeps appearing from corporate egress.
let TimeWindow = 1h;
let SuccessfulSignins = materialize(
    SigninLogs
    | where TimeGenerated >= ago(TimeWindow)
    | where ResultType == 0 // success
    | extend Browser = tostring(DeviceDetail.browser),
             OS = tostring(DeviceDetail.operatingSystem)
);
SuccessfulSignins
| summarize
    SuccessfulSigninCount = count(),
    UniqueIPs = dcount(IPAddress),
    UniqueCountries = dcount(Location),
    UniqueOS = dcount(OS),
    IPList = make_set(IPAddress, 10),
    CountryList = make_set(Location, 10),
    BrowserList = make_set(Browser, 5),
    OSList = make_set(OS, 5),
    UserAgentList = make_set(UserAgent, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserPrincipalName, AppDisplayName
| where UniqueIPs > 1
| extend RiskScore = case(
    UniqueCountries > 1 and UniqueOS > 1, "Critical", // new country and a different OS within the hour
    UniqueCountries > 1 or UniqueOS > 1, "High",
    "Medium")
| where RiskScore in ("Critical", "High")
| project UserPrincipalName, AppDisplayName, RiskScore, SuccessfulSigninCount, UniqueIPs, UniqueCountries,
          IPList, CountryList, OSList, BrowserList, UserAgentList, FirstSeen, LastSeen
| order by UniqueCountries desc, UniqueIPs desc
// Tycoon 2FA - Detect MFA-Satisfied Sign-Ins from Many Devices
// Query 2: a user whose MFA-satisfied sign-ins in the last day come from more than two distinct
// device IDs. A replayed session from the operator's browser carries no corporate device ID, so
// it appears as a new, unmanaged device alongside the user's real ones.
SigninLogs
| where TimeGenerated >= ago(1d)
| where ResultType == 0
| where AuthenticationRequirement == "multiFactorAuthentication"
| extend DeviceId = tostring(DeviceDetail.deviceId),
         Browser = tostring(DeviceDetail.browser),
         OS = tostring(DeviceDetail.operatingSystem),
         IsManaged = tobool(DeviceDetail.isManaged)
| summarize
    SigninCount = count(),
    UniqueDevices = dcount(DeviceId),
    UnmanagedSignins = countif(IsManaged != true),
    DeviceList = make_set(DeviceId, 10),
    BrowserList = make_set(Browser, 5),
    OSList = make_set(OS, 5),
    IPList = make_set(IPAddress, 10)
    by UserPrincipalName, Identity
| where UniqueDevices > 2
| project UserPrincipalName, Identity, SigninCount, UniqueDevices, UnmanagedSignins, DeviceList, BrowserList, OSList, IPList
| order by UniqueDevices desc
Velociraptor VQL
-- Hunt for identity-provider session cookies on endpoints.
-- Caveat: a cookie on the victim's own host is the legitimate copy; the AiTM proxy holds its own copy
-- server-side, so this query cannot prove theft. Its value is scoping: it shows which profiles and
-- accounts had live IdP sessions during the incident window, so those sessions can be revoked and the
-- users re-authenticated. ESTSAUTH/ESTSAUTHPERSISTENT are the Entra ID session cookies AiTM kits take.
-- Chrome keeps cookie values encrypted (encrypted_value); only metadata is collected here. If Chrome has
-- the database locked, add accessor='ntfs' to sqlite() to read it from the raw volume.
LET chrome_cookie_dbs = SELECT OSPath FROM glob(
    globs=['C:/Users/*/AppData/Local/Google/Chrome/User Data/*/Cookies',
           'C:/Users/*/AppData/Local/Google/Chrome/User Data/*/Network/Cookies'])

SELECT * FROM foreach(
  row=chrome_cookie_dbs,
  query={
    SELECT OSPath AS CookieDB,
           host_key AS Domain,
           name AS CookieName,
           timestamp(winfiletime=creation_utc * 10) AS Created,      -- Chrome: microseconds since 1601
           timestamp(winfiletime=last_access_utc * 10) AS LastAccessed,
           timestamp(winfiletime=expires_utc * 10) AS Expires,
           len(list=encrypted_value) AS EncryptedLength
    FROM sqlite(file=OSPath,
                query="SELECT host_key, name, creation_utc, last_access_utc, expires_utc, encrypted_value FROM cookies")
    WHERE Domain =~ '(login\\.microsoftonline\\.com|login\\.live\\.com|accounts\\.google\\.com)$'
      AND CookieName =~ '^(ESTSAUTH|ESTSAUTHPERSISTENT|SID|HSID|SSID|SAPISID|APISID|__Secure-1PSID|__Secure-3PSID)'
  })

-- Firefox stores cookie values in clear text; collect the length, not the value, so the hunt itself
-- does not copy live session tokens into the server.
LET firefox_cookie_dbs = SELECT OSPath FROM glob(
    globs='C:/Users/*/AppData/Roaming/Mozilla/Firefox/Profiles/*/cookies.sqlite')

SELECT * FROM foreach(
  row=firefox_cookie_dbs,
  query={
    SELECT OSPath AS CookieDB,
           host AS Domain,
           name AS CookieName,
           timestamp(epoch=creationTime / 1000000) AS Created,      -- Firefox: microseconds since 1970
           timestamp(epoch=lastAccessed / 1000000) AS LastAccessed,
           timestamp(epoch=expiry) AS Expires,                       -- seconds since 1970
           len(list=value) AS ValueLength
    FROM sqlite(file=OSPath,
                query="SELECT host, name, value, creationTime, lastAccessed, expiry FROM moz_cookies")
    WHERE Domain =~ '(login\\.microsoftonline\\.com|login\\.live\\.com|accounts\\.google\\.com)$'
      AND CookieName =~ '^(ESTSAUTH|ESTSAUTHPERSISTENT|SID|HSID|SSID|SAPISID|APISID|__Secure-1PSID|__Secure-3PSID)'
  })

-- Live browser connections to hosts outside RFC1918 and loopback, for triage on a suspected victim.
-- On its own this is noisy; compare RemoteIP with the proxy IP recorded in the sign-in logs for the
-- relayed authentication, and with the phishing domain resolved at the time of the click.
SELECT Pid,
       Name,
       Laddr.IP AS LocalIP,
       Laddr.Port AS LocalPort,
       Raddr.IP AS RemoteIP,
       Raddr.Port AS RemotePort,
       Status,
       Timestamp
FROM netstat()
WHERE Raddr.Port IN (80, 443)
  AND Name =~ '(?i)^(chrome|firefox|msedge|opera|brave)'
  AND NOT Raddr.IP =~ '^(10\\.|192\\.168\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|127\\.|0\\.0\\.0\\.0|::1)'
  AND Timestamp > timestamp(epoch=now() - 86400)   -- last 24 hours
Remediation Script (PowerShell)
<#
.SYNOPSIS
    Hardens Entra ID against AiTM phishing such as Tycoon 2FA.
.DESCRIPTION
    Creates a Conditional Access policy that requires the built-in "Phishing-resistant MFA"
    authentication strength, checks whether any existing policy disables Continuous Access
    Evaluation, looks for legacy-protocol sign-ins and stages a policy that blocks them, then
    writes a JSON report. New policies are created in report-only mode; switch them to enabled
    after reviewing the report-only results (see Verification Steps).
.NOTES
    Requires the Microsoft.Graph PowerShell SDK (v1.0 and beta Identity.SignIns modules plus
    Reports) and a Conditional Access Administrator role. Break-glass accounts must be excluded
    from every blocking or authentication-strength policy or you can lock the tenant out.
#>

# Built-in authentication strength IDs are fixed across tenants; ...0004 is "Phishing-resistant MFA"
# (FIDO2, device-bound passkey, Windows Hello for Business, certificate-based authentication).
$PhishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'
# clientAppUsed values that indicate Basic Authentication / legacy protocols in the sign-in log
$LegacyClientApps = @('IMAP4', 'POP3', 'Authenticated SMTP', 'Exchange ActiveSync', 'Other clients')

function Assert-GraphModules {
    foreach ($module in 'Microsoft.Graph.Authentication', 'Microsoft.Graph.Identity.SignIns',
                        'Microsoft.Graph.Beta.Identity.SignIns', 'Microsoft.Graph.Reports') {
        if (-not (Get-Module -ListAvailable -Name $module)) {
            throw "Module $module is required. Install with: Install-Module $module -Scope CurrentUser"
        }
    }
}

function Connect-Tenant {
    param([Parameter(Mandatory)][string]$TenantId)
    # AuditLog.Read.All is needed for the legacy-authentication sign-in query
    Connect-MgGraph -TenantId $TenantId -NoWelcome `
        -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All'
}

function New-PhishingResistantMfaPolicy {
    param(
        [string]$PolicyName = 'Tycoon2FA - Require phishing-resistant MFA',
        [Parameter(Mandatory)][string[]]$BreakGlassUserIds
    )
    $policy = @{
        displayName = $PolicyName
        state       = 'enabledForReportingButNotEnforced'   # report-only first; set to 'enabled' after review
        conditions  = @{
            applications   = @{ includeApplications = @('All') }
            users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlassUserIds }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator               = 'OR'
            # authenticationStrength is a grant control, not a session control
            authenticationStrength = @{ id = $PhishingResistantStrengthId }
        }
    }
    try {
        $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
        Write-Host "Created CA policy '$($created.DisplayName)' ($($created.Id)) in report-only mode" -ForegroundColor Green
        return $created
    }
    catch { Write-Error "Failed to create phishing-resistant MFA policy: $_" }
}

function Test-ContinuousAccessEvaluation {
    # CAE is on by default. The only tenant-level way to weaken it is a Conditional Access policy whose
    # session control sets continuousAccessEvaluation.mode to 'disabled'; that control is exposed on the
    # Graph beta endpoint, hence the beta cmdlet.
    try {
        $policies = Get-MgBetaIdentityConditionalAccessPolicy -All
        $weakened = @($policies | Where-Object { $_.SessionControls.ContinuousAccessEvaluation.Mode -eq 'disabled' })
        if ($weakened.Count -gt 0) {
            Write-Warning 'Conditional Access policies that disable Continuous Access Evaluation:'
            $weakened | Select-Object DisplayName, Id, State | Format-Table -AutoSize
        }
        else { Write-Host 'No Conditional Access policy disables CAE' -ForegroundColor Green }
        return $weakened
    }
    catch { Write-Error "Failed to enumerate Conditional Access policies: $_" }
}

function Find-LegacyAuthentication {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $appFilter = ($LegacyClientApps | ForEach-Object { "clientAppUsed eq '$_'" }) -join ' or '
    try {
        $signins = @(Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and ($appFilter)" -Top 50)
        if ($signins.Count -gt 0) {
            Write-Warning "Legacy-protocol sign-ins in the last $Days days (these clients cannot perform MFA):"
            $signins | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed, IPAddress |
                Format-Table -AutoSize
        }
        else { Write-Host "No legacy authentication sign-ins in the last $Days days" -ForegroundColor Green }
        return $signins
    }
    catch { Write-Error "Failed to query sign-in logs: $_" }
}

function New-BlockLegacyAuthPolicy {
    param([Parameter(Mandatory)][string[]]$BreakGlassUserIds)
    $policy = @{
        displayName = 'Tycoon2FA - Block legacy authentication'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            applications   = @{ includeApplications = @('All') }
            users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlassUserIds }
            # the two legacy client app types Conditional Access can target
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    try {
        $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
        Write-Host "Created CA policy '$($created.DisplayName)' ($($created.Id)) in report-only mode" -ForegroundColor Green
        return $created
    }
    catch { Write-Error "Failed to create legacy authentication block policy: $_" }
}

function Export-Tycoon2FAReport {
    param(
        [string]$TenantId,
        [object[]]$CreatedPolicies,
        [object[]]$CaeWeakenedPolicies,
        [object[]]$LegacySignIns,
        [string]$OutputPath = '.\Tycoon2FA-Report.json'
    )
    $report = [ordered]@{
        ScanDate                  = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss') + ' UTC'
        TenantId                  = $TenantId
        PoliciesCreatedReportOnly = @($CreatedPolicies | Where-Object { $_ } | Select-Object DisplayName, Id, State)
        PoliciesDisablingCAE      = @($CaeWeakenedPolicies | Where-Object { $_ } | Select-Object DisplayName, Id)
        LegacySignInCount         = @($LegacySignIns | Where-Object { $_ }).Count
        Recommendations           = @(
            'Enrol FIDO2 security keys or device-bound passkeys for privileged accounts first',
            'Require compliant or hybrid-joined devices in Conditional Access so replayed cookies fail the device check',
            'Keep Continuous Access Evaluation enabled and use strict location enforcement for CAE-capable resources',
            'Move the report-only policies created here to enabled after reviewing their report-only results',
            'Alert on impossible travel and user-agent drift in sign-in logs',
            'Revoke sessions (Revoke-MgUserSignInSession) and reset credentials automatically on confirmed AiTM sign-ins'
        )
    }
    $report | ConvertTo-Json -Depth 5 | Out-File -FilePath $OutputPath -Encoding utf8
    Write-Host "Report exported to $OutputPath" -ForegroundColor Green
}

# Main execution
Write-Host ('=' * 60) -ForegroundColor Cyan
Write-Host 'TYCOON 2FA REMEDIATION AND HARDENING' -ForegroundColor Cyan
Write-Host ('=' * 60) -ForegroundColor Cyan
Assert-GraphModules
$tenantId = Read-Host 'Enter your Entra ID tenant ID'
$breakGlass = @((Read-Host 'Enter break-glass account object IDs to exclude (comma-separated)') -split ',' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($breakGlass.Count -eq 0) {
    throw 'At least one break-glass account must be excluded before creating blocking or authentication-strength policies.'
}
Connect-Tenant -TenantId $tenantId
Write-Host "`n[1] Creating phishing-resistant MFA policy (report-only)..." -ForegroundColor Yellow
$mfaPolicy = New-PhishingResistantMfaPolicy -BreakGlassUserIds $breakGlass
Write-Host "`n[2] Checking Continuous Access Evaluation..." -ForegroundColor Yellow
$caeWeakened = Test-ContinuousAccessEvaluation
Write-Host "`n[3] Checking for legacy authentication and staging a block policy (report-only)..." -ForegroundColor Yellow
$legacySignIns = Find-LegacyAuthentication
$legacyPolicy = New-BlockLegacyAuthPolicy -BreakGlassUserIds $breakGlass
Write-Host "`n[4] Exporting remediation report..." -ForegroundColor Yellow
Export-Tycoon2FAReport -TenantId $tenantId -CreatedPolicies @($mfaPolicy, $legacyPolicy) `
    -CaeWeakenedPolicies $caeWeakened -LegacySignIns $legacySignIns
Write-Host "`nRemediation script completed." -ForegroundColor Green
Write-Host 'Review the report and the report-only policy results, then enable the policies.' -ForegroundColor Yellow
Remediation
Immediate Actions
- Deploy phishing-resistant MFA:
  - Enrol FIDO2 security keys or device-bound passkeys for all privileged accounts
  - Enforce certificate-based authentication (CBA) where smart-card infrastructure already exists
  - Prioritize high-value targets: administrators, finance executives, helpdesk staff
  - These methods bind the signed response to the identity provider's origin, so a relay on a lookalike domain cannot obtain a usable assertion; TOTP, SMS and push approvals carry no such binding and relay cleanly
- Configure Conditional Access policies:
  - Require device compliance (Intune-managed or Entra-joined devices); a cookie replayed from the operator's infrastructure carries no corporate device identity and fails this check
  - Restrict by named location and block sign-ins from countries and IP ranges the organization never uses
  - Configure sign-in risk policies to block, or force re-authentication for, high-risk sign-ins
- Verify Continuous Access Evaluation (CAE):
  - CAE is enabled by default; confirm that no Conditional Access policy disables it
  - CAE lets Entra ID push critical events (password change, account disable, administrator session revocation) to CAE-capable resources such as Exchange Online and SharePoint within minutes, instead of waiting for the access token to expire
  - With strict location enforcement, a token replayed from an IP outside the allowed named locations is rejected by those resources, which is exactly the cookie-replay step of an AiTM attack
- Block legacy authentication protocols:
  - Microsoft has turned off Basic Authentication for Exchange Online protocols other than SMTP AUTH; disable SMTP AUTH tenant-wide or per mailbox where it is not needed, and confirm in the sign-in logs that nothing still authenticates as "Other clients" or "Exchange ActiveSync"
  - Block the remaining legacy client app types ("Exchange ActiveSync clients" and "Other clients") with a Conditional Access policy, since these clients cannot perform MFA at all
  - Move remaining integrations to OAuth 2.0 (modern authentication)
- Implement authentication strength policies:
  - Use the built-in "Phishing-resistant MFA" authentication strength in Conditional Access, starting with administrators and sensitive applications
  - Roll out in report-only mode first, then enable group by group
  - Provide hardware security keys or passkey-capable devices to all staff as the rollout widens
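Why the relay works against TOTP but not against FIDO2 is the point of both the attack chain above and this first remediation, so here is the exchange modelled end to end. This is an added example, not code from the original page or from Tycoon 2FA: the identity provider, proxy hostnames, user, password and TOTP seed are all constructed, and the authenticator's asymmetric signature is replaced by an HMAC over the same bytes so the example runs with the standard library only. The browser and identity-provider checks it models (rpId must match the current origin; the origin travels inside the signed clientDataJSON; the relying party verifies origin, rpIdHash and signature) are the real WebAuthn rules.

```python
"""AiTM relay against password+TOTP versus FIDO2/WebAuthn, modelled end to end.

Added example, not from the original page. Hosts, accounts, secrets and messages are
constructed. HMAC stands in for the authenticator's ECDSA signature; everything it
signs (authenticatorData || SHA-256(clientDataJSON)) is what a real authenticator signs.
"""
import hashlib, hmac, json, secrets, struct

IDP_ORIGIN = "https://login.idp-example.test"           # legitimate identity provider (constructed)
IDP_RP_ID = "login.idp-example.test"
PHISH_ORIGIN = "https://login.idp-example-secure.test"  # AiTM proxy on a lookalike domain (constructed)
PHISH_RP_ID = "login.idp-example-secure.test"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; a TOTP code is HOTP(secret, unix_time // 30)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Authenticator:
    """Roaming FIDO2 authenticator: one seed, a separate key per RP ID, so the key registered
    with the IdP can never produce a signature that verifies for a lookalike domain."""
    def __init__(self):
        self.seed, self.counter = secrets.token_bytes(32), 0

    def key_for(self, rp_id: str) -> bytes:
        return hmac.new(self.seed, rp_id.encode(), hashlib.sha256).digest()

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        self.counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self.counter)
        signature = hmac.new(self.key_for(rp_id), auth_data + hashlib.sha256(client_data_json).digest(),
                             hashlib.sha256).digest()
        return {"authenticator_data": auth_data, "client_data_json": client_data_json, "signature": signature}


def browser_get(origin: str, rp_id: str, challenge: str, authenticator: Authenticator) -> dict:
    """navigator.credentials.get() as the browser enforces it: rp_id must be the page's host (or a
    registrable suffix of it), and the page's real origin is written into clientDataJSON."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId does not match the current origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                             separators=(",", ":")).encode()
    return authenticator.get_assertion(rp_id, client_data)


class IdP:
    def __init__(self, authenticator: Authenticator):
        self.users = {"alice@example.com": {"password": "Winter2025!", "totp_secret": b"constructed-totp-seed"}}
        self.fido_keys = {"alice@example.com": authenticator.key_for(IDP_RP_ID)}  # registered credential key
        self.sessions, self.challenges = set(), {}

    def login_password(self, upn, password):
        return self.users.get(upn, {}).get("password") == password

    def login_totp(self, upn, code, now):
        if code != hotp(self.users[upn]["totp_secret"], now // 30):
            return None
        cookie = secrets.token_urlsafe(32)   # the session cookie an AiTM proxy keeps
        self.sessions.add(cookie)
        return cookie

    def session_valid(self, cookie):
        return cookie in self.sessions

    def begin_webauthn(self, upn):
        challenge = secrets.token_urlsafe(16)
        self.challenges[challenge] = upn
        return challenge

    def finish_webauthn(self, assertion) -> str:
        client_data = json.loads(assertion["client_data_json"])
        upn = self.challenges.pop(client_data.get("challenge"), None)
        if upn is None:
            return "unknown challenge"
        if client_data.get("origin") != IDP_ORIGIN:
            return "origin mismatch"                      # relayed assertion names the phishing origin
        auth_data = assertion["authenticator_data"]
        if auth_data[:32] != hashlib.sha256(IDP_RP_ID.encode()).digest():
            return "rpIdHash mismatch"
        expected = hmac.new(self.fido_keys[upn], auth_data + hashlib.sha256(assertion["client_data_json"]).digest(),
                            hashlib.sha256).digest()
        return "ok" if hmac.compare_digest(expected, assertion["signature"]) else "signature invalid"


def relay_totp(idp: IdP, now: int = 1736931600) -> str:
    """Password + TOTP relayed through the proxy: each message is forwarded verbatim and the IdP cannot tell."""
    upn, password = "alice@example.com", "Winter2025!"        # victim types these into the lookalike page
    if not idp.login_password(upn, password):                  # proxy forwards them to the real IdP
        raise RuntimeError("unexpected: password rejected")
    code = hotp(idp.users[upn]["totp_secret"], now // 30)      # victim reads the code off their phone and types it in
    return idp.login_totp(upn, code, now)                      # proxy forwards the code; the cookie comes back to the proxy


def relay_webauthn(idp: IdP, authenticator: Authenticator) -> str:
    """The proxy starts a WebAuthn ceremony with the real IdP and forwards the challenge to the victim's browser."""
    challenge = idp.begin_webauthn("alice@example.com")
    try:
        browser_get(PHISH_ORIGIN, IDP_RP_ID, challenge, authenticator)   # browser refuses the IdP's rpId on the phishing origin
    except PermissionError:
        pass
    assertion = browser_get(PHISH_ORIGIN, PHISH_RP_ID, challenge, authenticator)  # the best the proxy can obtain
    return idp.finish_webauthn(assertion)                                         # forwarded unchanged


def relay_webauthn_tampered(idp: IdP, authenticator: Authenticator) -> str:
    """Proxy rewrites origin and rpIdHash to look legitimate; the signature covers both, so it fails."""
    challenge = idp.begin_webauthn("alice@example.com")
    real = browser_get(PHISH_ORIGIN, PHISH_RP_ID, challenge, authenticator)
    forged_client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": IDP_ORIGIN},
                                    separators=(",", ":")).encode()
    forged_auth_data = hashlib.sha256(IDP_RP_ID.encode()).digest() + real["authenticator_data"][32:]
    return idp.finish_webauthn({"authenticator_data": forged_auth_data, "client_data_json": forged_client_data,
                                "signature": real["signature"]})


def legitimate_webauthn(idp: IdP, authenticator: Authenticator) -> str:
    challenge = idp.begin_webauthn("alice@example.com")
    return idp.finish_webauthn(browser_get(IDP_ORIGIN, IDP_RP_ID, challenge, authenticator))


def run_scenarios() -> dict:
    authenticator, idp = Authenticator(), IdP(Authenticator()) if False else (None, None)
    authenticator = Authenticator()
    idp = IdP(authenticator)
    return {
        "totp_relay_cookie_valid_for_attacker": idp.session_valid(relay_totp(idp)),
        "webauthn_relay": relay_webauthn(idp, authenticator),
        "webauthn_relay_tampered": relay_webauthn_tampered(idp, authenticator),
        "webauthn_legitimate": legitimate_webauthn(idp, authenticator),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario}: {result}")
```

The relayed password and TOTP code produce a cookie that validates for the attacker, because nothing in that exchange mentions where the user actually typed. The relayed WebAuthn assertion fails on origin, and a proxy that rewrites the origin and rpIdHash fails on the signature instead; in practice the browser never even gets that far, since it refuses to request the IdP's rpId from a page on another domain. That is what "phishing-resistant" means in the Conditional Access authentication strength used in the remediation script above.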
Medium-Term Hardening
- Enrol in Microsoft Entra ID Protection:
  - Enable risk-based Conditional Access
  - Configure automatic remediation for leaked credentials
  - Integrate with Microsoft Defender for Cloud Apps
- Deploy automated response workflows:
  - Configure automated account suspension and session revocation on high-risk detections
  - Force a password reset and re-registration of MFA methods on suspicious session token usage
  - Notify the security team automatically
- User security awareness training:
  - Specific training on AiTM phishing techniques
  - Report unexpected authentication prompts
  - Verify the URL in the address bar before entering credentials
Vendor References
- Microsoft Entra ID Conditional Access Best Practices
- Google Workspace Security Hardening Guide
- Phishing-Resistant Multi-Factor Authentication
- CISA guidance on phishing-resistant MFA (Tycoon 2FA is a technique against non-phishing-resistant MFA, not a software vulnerability, so no CVE or KEV catalog entry applies)
Verification Steps
- Confirm all Conditional Access policies are in "Report-only" mode first, then enable
- Verify FIDO2 keys are enrolled for privileged accounts
- Test sign-in behavior from new locations and devices
- Confirm legacy authentication is blocked in sign-in logs
- Validate detection rules are firing correctly in SIEM/SOAR