Tycoon is back with a new phishing trick! The threat group has updated its tactics, using PDF lures and clever redirects to steal credentials. Victims are tricked into clicking a fake company policy notice, leading them straight to a phishing site.
This subtle yet effective change helps the adversaries evade detection and improves their phishing success rate.
Let’s break down what’s changed and how this attack actually works.
How the Tycoon Attack Works
The attack begins with a PDF disguised as an official notice, warning the victim of a Company Device Policy Violation. The message pressures them to review the evidence by clicking a button inside the document.
See the phishing PDF inside ANY.RUN’s sandbox: View analysis session
Once the victim clicks the link, they are redirected to /.res444.php/, a PHP script that serves JavaScript to the browser. That script first displays a Cloudflare “Verify You’re a Human” check, a common tactic used to bypass automated security scans and filter out bots.
After passing this check, the victim is redirected to a fake Outlook login page designed to steal credentials.
In ANY.RUN’s sandbox, we see clear phishing indicators:
- The Outlook favicon is missing, making the page look suspicious.
- The URL contains random characters, a tactic often used to evade detection.
- Suricata rules trigger an alert, confirming that this is a phishing attempt.
Note: If the phishing attempt targets a Windows user, the fake Outlook page loads. If the victim is using Linux, a fake gym website appears instead.
Protect your business from evolving phishing threats by analyzing attacks in real-time -> Start your 14-day free trial of ANY.RUN today
A Subtle Yet Effective Change in Tycoon Tactics
Security researchers have seen this tactic before: using PHP files with embedded JavaScript to perform redirections. However, Tycoon has fine-tuned its approach to slip past detection systems:
- Their previous file, res444.php, contained Base64-encoded JavaScript, which then used AES decryption to fetch the phishing domain.
- The updated file, .res444.php, skips the encryption and automatically redirects the victim to the Outlook phishing domain.
- If a hash (#) is present in the URL, a random uppercase letter (A-Z) is appended before redirection, likely to bypass security filters.
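As an added example (not ANY.RUN's code or its sandbox's detection logic), the following Python runs three checks over a set of constructed redirect records: a hidden-dot PHP redirector path like /.res444.php/, a destination whose fragment is a single uppercase letter, and a redirector whose destination host changes with the visitor's OS. Host names and user agents are placeholders, and the single-letter check assumes the URL's fragment was empty before the letter was appended.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed records (user_agent, redirector_url, destination_url); hosts are placeholders.
OBSERVED = [
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "https://lure.example/.res444.php/",
     "https://login-outlook.example/a8f3k2#Q"),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "https://lure.example/.res444.php/",
     "https://login-outlook.example/a8f3k2#B"),
    ("Mozilla/5.0 (X11; Linux x86_64)", "https://lure.example/.res444.php/",
     "https://fitness-decoy.example/"),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "https://benign.example/redirect",
     "https://benign.example/home#top"),
]

HIDDEN_DOT_PHP = re.compile(r"/\.[^/]+\.php/?$", re.IGNORECASE)  # e.g. /.res444.php/
SINGLE_UPPER = re.compile(r"^[A-Z]$")  # fragment that is exactly one appended letter

def canonical(url: str) -> str:
    """Normalise for indicator matching: drop the fragment (the browser never sends it,
    so '#Q' vs '#B' changes only the string a URL filter sees) and lowercase scheme/host."""
    p = urlsplit(url)
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower(), fragment="").geturl()

def os_family(user_agent: str) -> str:
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "linux" in ua or "x11" in ua:
        return "linux"
    return "other"

def analyze(records):
    """Return {alert_name: sorted redirector URLs} for the three behaviours described above."""
    alerts = defaultdict(set)
    dest_hosts = defaultdict(lambda: defaultdict(set))  # redirector -> os family -> hosts
    for ua, src, dst in records:
        s, d = urlsplit(src), urlsplit(dst)
        if HIDDEN_DOT_PHP.search(s.path):
            alerts["hidden_dot_php_redirector"].add(src)
        if SINGLE_UPPER.match(d.fragment):
            alerts["single_uppercase_fragment"].add(src)
        dest_hosts[src][os_family(ua)].add(d.hostname)
    for src, by_os in dest_hosts.items():
        # One redirector sending OS families to different hosts (Windows -> fake Outlook, Linux -> decoy)
        if len(by_os) > 1 and len(set().union(*by_os.values())) > 1:
            alerts["os_dependent_destination"].add(src)
    return {name: sorted(urls) for name, urls in alerts.items()}
```

Feeding canonical() output rather than raw URLs into a blocklist lookup removes the random-letter variation before matching.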
Don’t Let Evolving Threats Put Your Business at Risk
Cybercriminals like Tycoon are constantly refining their tactics, making phishing attacks more deceptive and harder to detect. Their latest approach shows how even a simple PDF can lead to compromised accounts, stolen data, and serious business disruptions.
The key takeaway? Every suspicious link, attachment, or redirect needs to be analyzed before it can cause harm. A single overlooked phishing attempt can lead to credential theft, ransomware infections, and unauthorized access to sensitive business data.
With tools like ANY.RUN’s Interactive Sandbox, you can:
✔️ Analyze phishing links and malware in a safe, controlled environment
✔️ Detect hidden scripts, redirects, and suspicious network activity
✔️ Get real-time threat intelligence to prevent costly breaches
Don’t wait until it’s too late. Start your 14-day free trial of ANY.RUN today and keep your business secure.