New Tykit Phishing Kit Mimics Microsoft 365 Login Pages to Steal Corporate Account Credentials

A sophisticated phishing kit dubbed Tykit, which impersonates Microsoft 365 login pages to harvest corporate credentials.

First detected in May 2025, the kit has surged in activity during September and October, exploiting SVG files as a stealthy delivery mechanism.

Unlike basic phishing lures, Tykit demonstrates maturity through consistent obfuscation techniques and multi-stage command-and-control (C2) interactions, making it a potent tool for credential theft across global organizations.

The kit’s rise aligns with a broader spike in SVG-based attacks, where seemingly innocuous image files embed JavaScript payloads. These scripts use XOR encoding to rebuild malicious code, which executes via the dangerous eval() function to redirect victims to fake login sites.

Cybersecurity firm ANY.RUN has identified Tykit, a mature phishing-as-a-service (PhaaS) kit that impersonates Microsoft 365 login pages to capture corporate credentials through adversary-in-the-middle (AitM) techniques.

Tykit Phishing Kit Mimics Microsoft 365 Login

Tykit emerged in sandbox environments in early May 2025, with researchers pivoting from a single suspicious SVG (SHA256: a7184bef39523bef32683ef7af440a5b2235e83e7fb83c6b7ee5f08286731892) to over 189 related sessions.

Domains like loginmicr0sft0nlineeckaf[.]52632651246148569845521065[.]cc host the phishing pages, often appending Base64-encoded victim emails via the “?s=” parameter. Exfiltration targets servers on segy[.]cc variants, sending staged POST requests to /api/validate and /api/login.

This infrastructure spans templated domains resembling domain-generation algorithms, with patterns like ^loginmicr(o|0)s.?.([a-z]+)?\d+.cc$ for phishing hosts and ^segy?. for C2.

The kit’s consistency, unchanged client-side logic, and obfuscation suggest organized operators distributing it widely, evading detection through basic anti-debugging like blocking developer tools and context menus.

Tykit’s flow begins with an SVG prompting a fake “phone number check,” which accepts any input to proceed.

The process starts by sending you to a CAPTCHA page that uses Cloudflare Turnstile to block bots. After that, it loads a page that looks like Microsoft 365. In the background, it checks emails using JSON data, which includes session keys and redirects.

Upon credential entry, obfuscated JavaScript exfiltrates data to /api/login, including expired JWT tokens for authenticity.

Server responses dictate outcomes: success renders benign HTML to mask theft, errors show “incorrect password” prompts, and “info” status triggers logging to /x.php. This adversary-in-the-middle (AitM) setup bypasses basic MFA, stealing emails, passwords, and tokens in JSON format.

Cyber threats hit diverse sectors, including construction, IT, finance, government, telecom, real estate, and education, primarily in the US, Canada, LATAM, EMEA, Southeast Asia, and the Middle East.

Compromises enable account takeovers, data exfiltration from SaaS apps, and lateral movement, posing risks of regulatory fines and trust erosion.

To counter it, organizations should inspect SVG content with sandboxing and content disarmament, adopt phishing-resistant MFA like FIDO2, and monitor IOCs such as eval() calls, Base64 parameters, and suspicious domains.

SIEM rules for /api/validate patterns, combined with user training on anomalous “images,” can disrupt campaigns early. As phishing evolves, Tykit underscores the need for proactive threat hunting to stay ahead of these “typical” yet effective kits.

Expand Your Threat Coverage with Fresh IOCs from real-time Cyberthreats => Try Now