Phishing kits are evolving rapidly. Kits such as Tycoon2FA, EvilProxy, and Sneaky2FA work as adversary-in-the-middle proxies: they relay the victim's login to the real service, capture the credentials together with the session cookie that the service issues after the second factor is entered, and in this way defeat two-factor authentication while impersonating trusted platforms such as Microsoft 365 and abusing legitimate infrastructure such as Cloudflare. The pages are built to steal credentials without raising immediate suspicion.
However, security operations center (SOC) teams and threat intelligence professionals do not need to passively await alerts. A more proactive approach exists to identify and block these threats before they can compromise systems.
One practical way to uncover emerging phishing campaigns is a threat intelligence lookup. Such a service gives immediate access to a large body of indicators, including files, URLs, domains, and behavioral patterns, derived from live analyses of malware and phishing samples. The data is compiled from analyses run by analysts at many organizations in interactive sandboxes. Security teams can use it to search for current indicators of compromise (IOCs), indicators of behavior (IOBs), and indicators of attack (IOAs), monitor campaign activity, extract the relevant artifacts, and feed them into their existing detection systems.
Let’s examine how this process works in practice with specific examples.
Tycoon2FA: Identifying Active Phishing Campaigns
To track real-world sandbox sessions involving Tycoon2FA, a phishing kit engineered to steal Microsoft credentials and circumvent two-factor authentication, a targeted query can be used. For instance, to focus on activity seen by users in Germany, run a query such as threatName:"tycoon" AND submissionCountry:"de". Setting the search period to the past three days retrieves the most current information. Note that submissionCountry records where the sample was submitted from, so it is a proxy for the region being targeted rather than a guarantee of it.
The lookup then presents sandbox sessions in which Tycoon2FA samples were analyzed by users located in Germany. These analyses give a detailed view of the attack lifecycle, so analysts can respond with greater speed and confidence using data from actual attacks rather than relying solely on generic threat signatures. A JSON file containing all session links, extracted URLs, and file hashes can be downloaded and used to enrich detection rules or block lists. One check is needed before blocking anything from such an export: a session of an adversary-in-the-middle kit also contains the legitimate endpoints the kit proxies to (the real Microsoft login URLs, brand CDNs), and those must be filtered out rather than blocked.
EvilProxy: Discovering Malicious Domains Quickly
EvilProxy is notorious for its strategy of exploiting legitimate cloud services to host its phishing infrastructure, making its campaigns particularly challenging to detect with conventional methods. A prevalent tactic involves the abuse of Cloudflare Workers to generate a large volume of subdomains.
To monitor these campaigns, a query for a known pattern of EvilProxy activity, the misuse of .workers.dev for hosting phishing pages, can be run in the threat intelligence lookup. The query domainName:".workers.dev" AND threatLevel:"malicious" identifies malicious domains associated with these attacks. After the search runs, the Domains tab lists the domains extracted from sandbox sessions, many of which are directly linked to EvilProxy samples. Access to such up-to-date infrastructure indicators lets security teams block threats earlier, refine detection rules, and reduce the time spent on manual analysis, especially when these domains are already active in ongoing attacks. Because workers.dev is a shared zone that also hosts legitimate applications, the indicators to act on are the specific attacker-controlled hostnames; blocking the whole zone is a separate policy decision with its own business impact.
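The two exports described above (the Tycoon2FA session export and the EvilProxy domain list) end up in the same place: a vetted block list and a set of detection rules. The script below is an added example written for this page, not code from the lookup vendor, and it assumes a JSON export schema (sessions, id, threat, threat_level, urls, sha256) that the page does not document; the hostnames in the sample data are invented. It drops sessions below the requested threat level, skips allowlisted legitimate endpoints that an adversary-in-the-middle kit necessarily contacts, refuses to put the apex of a shared-hosting zone such as workers.dev on the list, and emits one exact-match Suricata DNS rule per hostname.

```python
import json
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for a lookup JSON export. The real schema is not shown
# on the page, so these field names are assumptions for this example only.
# Hostnames are invented and are not known indicators.
SAMPLE_EXPORT = json.dumps({
    "sessions": [
        {"id": "s1", "threat": "tycoon", "threat_level": "malicious",
         "urls": ["https://login-example-mfa.workers.dev/common/oauth2",
                  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"],
         "sha256": ["a" * 64]},
        {"id": "s2", "threat": "evilproxy", "threat_level": "malicious",
         "urls": ["https://ms-auth-verify.workers.dev/?e=",
                  "https://workers.dev/"],
         "sha256": ["not-a-hash"]},
        {"id": "s3", "threat": "tycoon", "threat_level": "suspicious",
         "urls": ["https://maybe-phish.example.net/x"],
         "sha256": ["b" * 64]},
    ]
})

# Legitimate hosts that appear in every session of a Microsoft-themed AiTM kit
# because the kit proxies the real login. Never block these.
ALLOWLIST = {
    "login.microsoftonline.com",
    "login.live.com",
    "aadcdn.msftauth.net",
}

# Shared-hosting zones abused by kits. Only the attacker's specific hostname is
# an indicator; the zone apex itself is never one.
SHARED_ZONES = ("workers.dev", "pages.dev")


def _host_from_url(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if it has none."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def extract_indicators(export_json: str, levels=("malicious",)) -> dict:
    """Turn a session export into deduplicated, vetted hosts and hashes.

    Returns {"hosts": [...], "hashes": [...], "skipped": [(session_id, reason)]}
    so that every rejected item is visible to the analyst instead of vanishing.
    """
    data = json.loads(export_json)
    hosts, hashes, skipped = set(), set(), []
    for session in data["sessions"]:
        if session.get("threat_level") not in levels:
            skipped.append((session["id"], "below threat level"))
            continue
        for url in session.get("urls", []):
            host = _host_from_url(url)
            if not host:
                skipped.append((session["id"], f"unparseable url {url!r}"))
            elif host in ALLOWLIST:
                skipped.append((session["id"], f"allowlisted {host}"))
            elif host in SHARED_ZONES:
                skipped.append((session["id"], f"zone apex {host}"))
            else:
                hosts.add(host)
        for digest in session.get("sha256", []):
            digest = digest.lower()
            if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
                hashes.add(digest)
            else:
                skipped.append((session["id"], f"malformed hash {digest!r}"))
    return {"hosts": sorted(hosts), "hashes": sorted(hashes), "skipped": skipped}


def suricata_dns_rules(hosts, sid_base=9000000) -> list:
    """One Suricata rule per hostname; bsize pins the query to an exact match."""
    return [
        f'alert dns any any -> any any (msg:"Phishing kit host {host}"; '
        f'dns.query; content:"{host}"; nocase; bsize:{len(host)}; '
        f'sid:{sid_base + i}; rev:1;)'
        for i, host in enumerate(hosts)
    ]


if __name__ == "__main__":
    result = extract_indicators(SAMPLE_EXPORT)
    for rule in suricata_dns_rules(result["hosts"]):
        print(rule)
    for session_id, reason in result["skipped"]:
        print(f"skipped {session_id}: {reason}")
```

The skipped list is as important as the block list: reviewing it once per run is how an analyst notices that a new legitimate CDN needs adding to the allowlist, or that a suspicious-level session is worth promoting by hand.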
Sneaky2FA: Detecting Reused Elements Across Campaigns
While attackers frequently alter domains, IP addresses, and file names to evade detection, certain elements often remain consistent across campaigns utilizing phishing kits like Sneaky2FA. These reusable components can include favicon images, login page templates, JavaScript snippets, or brand assets such as logos. This consistency arises because the assets provided by phishing kits are frequently reused or minimally customized between different campaigns. Threat actors often copy and paste elements from one target to another to save time, providing defenders with a crucial, albeit small, window of opportunity.
For example, Sneaky2FA commonly serves spoofed Microsoft 365 login pages that embed the same Microsoft logo. Searching for the SHA-256 hash of that logo in the threat intelligence lookup surfaces new phishing samples associated with the kit. Even when attackers change the domain or obfuscate other parts of the page, static artifacts like the logo often remain unaltered, so they serve as indicators for ongoing campaigns that would otherwise slip past network-based detection. The same hash will of course also match the genuine asset on legitimate pages, so treat it as a pivot to be combined with other session context (threat level, hosting domain, form targets) rather than as a verdict on its own. The approach detects phishing activity that looks novel but is derived from the same underlying kit, which is exactly where attackers reuse components that have worked before.
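The lookup side of this pivot is a hash search; the local side is producing the hashes from captured pages in the first place, the same way a sandbox does. The script below is an added example for this page, not the vendor's or the kit's code: it extracts inline assets (base64 data URIs and inline scripts) from captured HTML, hashes each with SHA-256, and matches them against a watch list of known kit assets. The logo and script bytes are constructed stand-ins, not the real Sneaky2FA artifacts, and the watch list is built from them so the example runs offline. Scripts are whitespace-normalized before hashing so that a re-indented copy of the same snippet still matches.

```python
import base64
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize_script(body: bytes) -> bytes:
    """Strip all whitespace for fingerprinting (not for execution)."""
    return re.sub(rb"\s+", b"", body)


# Constructed stand-ins for assets shipped with a kit. The real logo and
# scripts are not reproduced here; these exist only to make the example run.
KIT_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 23 23">'
            b'<rect width="10" height="10" fill="#f25022"/>'
            b'<rect x="12" width="10" height="10" fill="#7fba00"/>'
            b'<rect y="12" width="10" height="10" fill="#00a4ef"/>'
            b'<rect x="12" y="12" width="10" height="10" fill="#ffb900"/></svg>')
KIT_SCRIPT = b"function go(){document.forms[0].action='/auth';}"

# Watch list keyed by SHA-256 of the asset bytes (scripts are normalized).
KNOWN_KIT_ASSETS = {
    sha256_hex(KIT_LOGO): "kit brand logo (constructed stand-in)",
    sha256_hex(normalize_script(KIT_SCRIPT)): "kit form-redirect snippet (constructed)",
}

DATA_URI_RE = re.compile(r"data:(?P<mime>[\w/+.-]+);base64,(?P<b64>[A-Za-z0-9+/=]+)")
SCRIPT_RE = re.compile(r"<script[^>]*>(?P<body>.*?)</script>", re.S | re.I)


def page_assets(html: str):
    """Yield (kind, bytes) for every inline asset embedded in a page.

    Assets referenced by URL (src="https://...") would be fetched and hashed
    the same way; only inline data is handled here so the example runs offline.
    """
    for m in DATA_URI_RE.finditer(html):
        try:
            yield m.group("mime"), base64.b64decode(m.group("b64"), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    for m in SCRIPT_RE.finditer(html):
        yield "script", normalize_script(m.group("body").encode())


def match_kit_assets(html: str) -> list:
    """Return [(kind, sha256, label)] for every embedded asset on the watch list."""
    hits = []
    for kind, data in page_assets(html):
        digest = sha256_hex(data)
        if digest in KNOWN_KIT_ASSETS:
            hits.append((kind, digest, KNOWN_KIT_ASSETS[digest]))
    return hits


# Constructed capture of a cloned login page on a fresh domain: the logo and
# the redirect snippet are carried over from the kit, the script re-indented.
PAGE_A = f"""<html><head><title>Sign in to your account</title></head><body>
<img src="data:image/svg+xml;base64,{base64.b64encode(KIT_LOGO).decode()}">
<form><input name="loginfmt"><input name="passwd" type="password"></form>
<script>
  function go(){{
    document.forms[0].action='/auth';
  }}
</script></body></html>"""

# Constructed unrelated page: a different image and a different script.
PAGE_B = """<html><body><img src="data:image/png;base64,iVBORw0KGgo=">
<script>console.log('hello');</script></body></html>"""

if __name__ == "__main__":
    for kind, digest, label in match_kit_assets(PAGE_A):
        print(f"{kind}: {digest} -> {label}")
    print("unrelated page hits:", match_kit_assets(PAGE_B))
```

In practice the watch list is seeded from sessions the lookup has already tagged with the kit, and every hit is a pivot back into the lookup (hash search) to find the other domains carrying the same asset.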
Enhancing Detection with Real-World Phishing Intelligence
Phishing kits such as Tycoon2FA, EvilProxy, and Sneaky2FA are continually evolving, but their presence can be detected by analyzing their operational footprints. By leveraging threat intelligence lookup tools, security teams can transition from a reactive stance to a proactive one, uncovering new indicators, tracking attacker infrastructure, and identifying reused assets before they can impact the organization’s environment.
Working from real campaign data leads to earlier detection and faster containment, which reduces both the likelihood of a breach and the damage when one occurs. Faster response means less operational disruption and lower incident handling cost, and indicators drawn from observed attacks rather than generic signatures mean fewer missed threats and less analyst time spent on manual triage.