Adversary-in-the-Middle (AiTM) phishing kits are emerging as sophisticated threats specifically designed to circumvent multi-factor authentication (MFA), once considered an impenetrable defense against account compromises.
Tycoon 2FA, first identified in August 2023, represents the latest evolution in this concerning trend, operating through a Phishing-as-a-Service (PhaaS) model that has gained popularity as organizations increasingly implement MFA.
These advanced phishing kits function by positioning themselves between users and legitimate authentication services, creating convincing replicas of Microsoft or Google login pages.
When users attempt to authenticate, the kits intercept both their credentials and MFA tokens in real-time, seamlessly forwarding them to the legitimate service while capturing the authenticated session cookies.
This technique allows attackers to replay sessions and maintain access to compromised accounts even after credential resets, effectively neutralizing the protection MFA typically provides.
Recent incidents in early 2025 demonstrated the considerable impact of these attacks, with multiple organizations experiencing account compromises despite having robust MFA implementations.
In successful attacks, perpetrators gained access to sensitive emails, created malicious inbox rules to cover their tracks, and potentially used compromised accounts to launch additional phishing campaigns, creating a dangerous cascading effect that amplifies the initial breach.
Darktrace security analysts identified a sophisticated campaign leveraging Tycoon 2FA between late 2024 and early 2025, noting that attackers have specifically evolved their techniques to abuse legitimate services as part of their phishing infrastructure.
“By leveraging trusted platforms and domains, malicious actors can bypass traditional security measures, making their phishing emails appear benign and increasing the likelihood of successful attacks,” explained researchers in their investigation report.
Abuse of Legitimate Services as Attack Vector
What makes Tycoon 2FA particularly effective is its strategic use of legitimate platforms like Milanote, a project collaboration and note-taking application.
In documented cases, attackers sent phishing emails from authentic Milanote addresses (support@milanote.com), referencing “new agreements” and including a mix of legitimate links alongside malicious ones.
This approach helps the emails evade traditional security filters while appearing trustworthy to recipients.
dns_query = {
    "domain": "lrn.ialeahed.com",
    "type": "A",
    "timestamp": "2025-01-06 10:51:15"
}
The above code snippet represents a DNS query observed during an incident investigation, showing communication with a known Tycoon 2FA domain.
After initial compromise, attackers typically establish persistence by creating inbox rules with names like “GTH” or “GFH” designed to delete any incoming emails containing strings like “milanote” in the subject or body, effectively hiding their activities from victims.
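As an added example (not code from the article or from Darktrace's report), the following script triages the two artifacts described above: inbox-rule creation events that delete mail mentioning "milanote" under short opaque names, and DNS queries to the domain quoted in the snippet. The log event shapes, user names and the sample records are constructed assumptions, not data from the incident.

```python
import json

# Indicator taken from the article: a domain observed in a Tycoon 2FA incident.
TYCOON_DOMAINS = {"lrn.ialeahed.com"}

# Constructed sample events (assumed log shape, not the article's incident data).
SAMPLE_RULE_EVENTS = [
    {"user": "alice@example.com", "rule_name": "GTH", "actions": ["delete"],
     "conditions": {"body_or_subject_contains": ["milanote"]}},
    {"user": "bob@example.com", "rule_name": "Move newsletters",
     "actions": ["move_to_folder:Newsletters"], "conditions": {"from_contains": ["news@"]}},
    {"user": "carol@example.com", "rule_name": "GFH", "actions": ["delete"],
     "conditions": {"body_or_subject_contains": ["agreement"]}},
]
SAMPLE_DNS_EVENTS = [
    {"domain": "lrn.ialeahed.com", "type": "A", "timestamp": "2025-01-06 10:51:15"},
    {"domain": "milanote.com", "type": "A", "timestamp": "2025-01-06 10:50:58"},
]

def is_suspicious_rule(event):
    """Return the reasons a rule matches the persistence pattern (empty list = clean):
    short all-caps name, a delete action, and a keyword match on subject/body."""
    reasons = []
    name = event.get("rule_name", "")
    if len(name) <= 3 and name.isalpha() and name.isupper():
        reasons.append("short opaque rule name")
    if "delete" in event.get("actions", []):
        reasons.append("deletes matching mail")
    keywords = event.get("conditions", {}).get("body_or_subject_contains")
    if keywords:
        reasons.append("keyword match on subject/body: " + ",".join(keywords))
    # Require the delete action plus one more signal to keep ordinary filters out.
    return reasons if "deletes matching mail" in reasons and len(reasons) >= 2 else []

def match_dns(events, iocs=TYCOON_DOMAINS):
    """Return DNS events whose queried name, or any parent label, is a known indicator."""
    hits = []
    for ev in events:
        labels = ev["domain"].lower().split(".")
        parents = {".".join(labels[i:]) for i in range(len(labels))}
        if parents & iocs:
            hits.append(ev)
    return hits

def triage(rule_events, dns_events):
    """Combine both checks into one report keyed for an analyst."""
    flagged = {e["user"]: is_suspicious_rule(e) for e in rule_events if is_suspicious_rule(e)}
    return {"suspicious_rules": flagged, "ioc_dns_hits": match_dns(dns_events)}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RULE_EVENTS, SAMPLE_DNS_EVENTS), indent=2))
```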
When users enter credentials on the phishing page, they’re unwittingly connecting to both the attacker’s infrastructure and the legitimate service, allowing real-time credential and token interception.
As MFA adoption increases, security professionals must recognize that while multi-factor authentication remains a crucial security layer, it is no longer an absolute safeguard against sophisticated phishing attacks leveraging AiTM techniques.