Tycoon2FA phishing kit targets Microsoft 365 with new tricks

![Microsoft 365](https://www.bleepstatic.com/content/hl-images/2025/03/17/microsoft-365-malicious-email.jpg)

Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities.

Tycoon2FA was discovered in October 2023 by Sekoia researchers, who later [reported significant updates](https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/) on the phishing kit that increased its sophistication and effectiveness.

[Trustwave now reports](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tycoon2fa-new-evasion-technique-for-2025/) that the Tycoon 2FA threat actors have added several improvements that bolster the kit's ability to bypass detection and endpoint security protections.

The first highlighted change is the [use of invisible Unicode characters](https://www.bleepingcomputer.com/news/security/phishing-attack-hides-javascript-using-invisible-unicode-trick/) to hide binary data within JavaScript, as first reported by Juniper Threat Labs in February. This tactic allows the payload to be decoded and executed as normal at runtime while evading manual (human) and static pattern-matching analysis.
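The invisible-character trick defeats pattern matching on the visible payload, but the filler characters themselves are a strong signal. The following detector, an added example for this article rather than Trustwave's or Juniper's code, scans JavaScript source for long runs of code points that render as nothing; the specific code-point set and the run-length threshold are assumptions chosen for illustration.

```python
"""Flag JavaScript that hides data in runs of invisible Unicode characters.

Added example; not code from the article or the vendors it cites. The
code-point list and the run-length threshold are assumptions for illustration.
"""
import unicodedata

# Code points that render as blank or nothing in most editors and viewers.
# Assumed set: Hangul fillers plus common zero-width controls.
INVISIBLE = {0x3164, 0xFFA0, 0x115F, 0x1160, 0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}


def is_invisible(ch: str) -> bool:
    """True for characters an analyst would not see in a source listing."""
    if ord(ch) in INVISIBLE:
        return True
    # Unicode category Cf (format) covers zero-width joiners, BOM, bidi controls.
    return unicodedata.category(ch) == "Cf"


def invisible_runs(src: str, min_run: int = 8) -> list[tuple[int, int]]:
    """Return (offset, length) for every run of invisible characters >= min_run."""
    runs = []
    i, n = 0, len(src)
    while i < n:
        if not is_invisible(src[i]):
            i += 1
            continue
        start = i
        while i < n and is_invisible(src[i]):
            i += 1
        if i - start >= min_run:
            runs.append((start, i - start))
    return runs


def is_suspicious(src: str, min_run: int = 8) -> bool:
    """Gateway-style verdict: any qualifying run marks the script for review."""
    return bool(invisible_runs(src, min_run))


# Constructed samples: one script with a 16-character filler run hidden inside a
# string literal, one ordinary script with nothing to flag.
HIDDEN = "var p = '" + "\u3164\uffa0" * 8 + "';"
BENIGN = "var greeting = 'hello'; console.log(greeting);"

if __name__ == "__main__":
    for name, s in (("hidden", HIDDEN), ("benign", BENIGN)):
        print(name, is_suspicious(s), invisible_runs(s))
```

Legitimate scripts rarely contain more than a handful of consecutive format characters, so a threshold in the range of 8 to 16 keeps false positives low while still catching encoded payloads, which need far longer runs.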
![Using Unicode to hide malicious code snippets](https://www.bleepstatic.com/images/news/u/1220909/2025/April/unicode.jpg) **Using Unicode to hide malicious code snippets** *Source: Trustwave*

The second development is the switch from Cloudflare Turnstile to a self-hosted CAPTCHA rendered via HTML5 canvas with randomized elements.

Likely, the creators of Tycoon 2FA opted for this change to evade fingerprinting and flagging by domain reputation systems and to gain better customization control over the page's content.

The third major change is the inclusion of anti-debugging JavaScript that detects browser automation tools like PhantomJS and Burp Suite and blocks certain actions associated with analysis.

When suspicious activity is detected or the CAPTCHA fails (a potential indication of security bots), the user is served a decoy page or is redirected to a legitimate website like rakuten.com.

![The kit's new anti-debug logic](https://www.bleepstatic.com/images/news/u/1220909/2025/April/antidebug.jpg) **The kit's new anti-debug logic** *Source: Trustwave*

Trustwave underlines that while these evasion techniques aren't novel individually, they make a big difference when combined, complicating the detection and analysis that can uncover phishing infrastructure and lead to takedowns and disruption.

## SVG lures surging

In a separate but related report, Trustwave says it has identified a [dramatic increase](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pixel-perfect-trap-the-surge-of-svg-borne-phishing-attacks/) in phishing attacks using [malicious SVG (Scalable Vector Graphics) files](https://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/), driven by PhaaS platforms like Tycoon2FA, Mamba2FA, and Sneaky2FA.

The cybersecurity firm reports a steep rise of 1,800% from April 2024 to March 2025, indicating a clear shift in tactics favoring this particular file format.
![SVG file attachments used in phishing attacks](https://www.bleepstatic.com/images/news/u/1220909/2025/April/svg-numbers.jpg) **SVG file attachments used in phishing attacks** *Source: Trustwave*

The malicious SVGs used in the phishing attacks are images disguised as voice messages, logos, or cloud document icons. However, SVG files can also contain JavaScript, which is automatically triggered when the image is rendered in a browser.

This code is obfuscated using base64 encoding, ROT13, XOR encryption, and junk code, so detection is less likely.

The function of the malicious code is to redirect the message recipients to Microsoft 365 phishing pages that steal their account credentials.

A case study presented in the Trustwave report concerns a fake Microsoft Teams voicemail alert with an SVG file attachment disguised as an audio message. Clicking it opens an external browser that executes JavaScript, redirecting to a fake Office 365 login page.

![Microsoft Teams lure](https://www.bleepstatic.com/images/news/u/1220909/2025/April/teams-lure.jpg) **Microsoft Teams lure** *Source: Trustwave*

The rise of PhaaS platforms and SVG-based phishing calls for heightened vigilance and for verifying sender authenticity.

An effective defense measure is to block or flag SVG attachments in email gateways and to use phishing-resistant MFA methods like FIDO2 devices.
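Because SVG is XML, the executable parts the article describes are visible to a parser before any browser renders them. The triage function below, an added example and not Trustwave's code, implements the "flag SVG attachments" advice by reporting `<script>` elements, `on*` event-handler attributes, `javascript:` links and `<foreignObject>`; the sample SVGs are constructed for the test.

```python
"""Flag SVG attachments that carry executable content at a mail gateway.

Added example; not code from the article or from Trustwave. The sample SVGs
are constructed and are not real lures. For untrusted input in production,
parse with defusedxml to neutralise entity-expansion tricks.
"""
import xml.etree.ElementTree as ET


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG should be blocked or quarantined (empty if none)."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is itself a signal; do not pass it through unexamined.
        return [f"unparseable SVG: {exc}"]
    for el in root.iter():
        name = local_name(el.tag)
        if name == "script":
            findings.append("<script> element")
        elif name == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML)")
        for attr, value in el.attrib.items():
            aname = local_name(attr)  # also normalises xlink:href to href
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{name}>")
    return findings


# Constructed samples: a plain vector image and one with an onload handler
# plus a script element containing only a placeholder comment.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
              b'<script>/* constructed placeholder */</script></svg>')

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SVG), ("script", SCRIPT_SVG)):
        print(label, svg_findings(blob) or "no findings")
```

Run over the attachment stream, any non-empty result is grounds to quarantine the message; the obfuscation layers the article lists (base64, ROT13, XOR) hide what the script does, not the fact that a script is present.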