Source:
https://siliconangle.com/2024/03/25/new ... ntication/
Called “Tycoon 2FA,” the phishing kit has been active since at least August 2023 and is claimed to now be one the most prevalent AiTM phishing kits, with over 1,100 domain names detected between October 2023 and February 2024.
Tycoon 2FA operates in various stages to carry out its malicious activities. The kit starts by attempting to trick victims into visiting a page featuring a Cloudflare security challenge to prevent unwanted traffic. Users then encounter a fake Microsoft authentication page where their credentials are harvested. The phishing kit then relays this information to the legitimate Microsoft authentication API, intercepting session cookies to bypass multifactor authentication.