New phishing tool targets Microsoft 365 and Gmail accounts
A new phishing toolkit called Tycoon 2FA that is capable of tricking and taking over even well-protected accounts is targeting Microsoft 365 and Gmail accounts.
Although two-factor authentication (2FA) is considered a safe security method, a new set of phishing tools can bypass this layer of security and threaten accounts.
The security research team at Sekoia Threat Detection & Research said that the Tycoon 2FA toolkit uses the "Adversary-in-the-Middle" Phishing toolkit to deceive users, acting as a platform. Popular Phishing-as-a-Service (PhaaS) platform on private Telegram channels.
The attacker will send the user an email containing a QR code or a link to a fake website. When the victim interacts with the link or QR code, the website triggers Cloudflare security checks. Users tend to ignore this because it is quite common nowadays.
The victim will then be directed to a fake Microsoft page asking to enter login information. If the victim complies, the bad guys will steal the login name and password. Tycoon 2FA will then display a fake 2FA page, asking to verify the user's identity.
According to researchers, to bypass security measures, criminals will intercept and keep 2FA tokens. This login cookie will be stolen and can be reused at any time, easily bypassing the account's 2FA protection.
Experts warn users to keep a few things in mind to protect themselves from phishing attacks.
- Be careful with unfamiliar emails: Do not click on any links or QR codes in unfamiliar emails.
- Double check the website address: Before entering your login information, double check that the website address matches the official Microsoft website or Gmail.
- Use strong passwords: Use strong and different passwords for each account. You should change your password regularly.
- Enabling two-factor authentication (2FA) helps protect accounts even if an attacker gets hold of the password.
- Always update anti-virus and security software on your device.
You should read it
- How to secure Google information from the Google Docs attack?
- Microsoft shows how to avoid trapping phishing
- Secure Gmail with 2-layer password
- Google uses machine learning for new security features on Gmail
- [Infographic] 4 types of Phishing are easy to trap users
- Instructions for adding recovery email to Gmail
- Microsoft account enhances two-layer security
- New phishing toolkit discovered that makes it easy to create fake Chrome browser windows
- How to check the login activity of Gmail
- Comprehensive Gmail security guide
- How to hack Gmail's two-step authentication
- The Gmail application on the new iPhone has an extra important security feature
Maybe you are interested
iPhone security tips you're missing out on
This list of common passwords shows how little we understand about online security
Download free Windows Server 2025 security guide
5 Misconceptions About Password Security
Should I buy a USB, Bluetooth or NFC security key?
4 Security Steps to Follow When Using Remote Access Applications