Tycoon2FA Upgrades Make Microsoft 365 Phishing Attacks Harder to Detect

The Tycoon2FA phishing-as-a-service platform has received updates that enhance its ability to evade detection while targeting Microsoft 365 and Gmail users, according to Trustwave.

The attackers now embed hidden binary data in JavaScript using invisible Unicode characters, making it difficult for traditional detection methods to spot the malicious code.

They've also replaced Cloudflare’s Turnstile CAPTCHA with a custom HTML5-based version to avoid domain reputation tracking and gain better customization.

Additionally, the phishing kit now includes anti-debugging JavaScript that can detect tools like Burp Suite and redirect security bots to decoy pages.

Trustwave also reports an 1,800% spike in phishing attacks using malicious SVG files, which often disguise themselves as voice messages or document icons and execute JavaScript to steal login credentials.
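A triage check for the two delivery tricks described above (long runs of invisible Unicode characters and script-bearing SVG attachments), as an added example that is not code from Trustwave or the original article. The `INVISIBLE` character set, the run threshold and the sample SVG are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: an illustrative set of code points that render as nothing.
# The page does not name the characters the kit uses.
INVISIBLE = "\u200b\u200c\u200d\u2060\u2061\u2062\u2063\u2064\u3164\uffa0\ufeff"

def invisible_runs(text, min_run=16):
    """Return (offset, length, distinct) for each long run of invisible characters."""
    pattern = re.compile("[%s]{%d,}" % (INVISIBLE, min_run))
    return [(m.start(), len(m.group()), len(set(m.group())))
            for m in pattern.finditer(text)]

def svg_active_content(svg_text):
    """List script-capable elements, on* handlers and javascript: links in an SVG."""
    # Stdlib parser keeps the example offline; use a hardened XML parser
    # (for example defusedxml) on untrusted mail attachments.
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["unparseable"]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()
        if tag in ("script", "foreignobject"):
            findings.append("element:" + tag)
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            if attr.startswith("on"):
                findings.append("handler:" + attr)
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("href:javascript")
    return findings

def triage(svg_text):
    """Combine both checks into one list of findings for an attachment."""
    findings = svg_active_content(svg_text)
    for _, length, distinct in invisible_runs(svg_text):
        findings.append("invisible-run:%d chars, %d distinct" % (length, distinct))
    return findings

# Constructed samples: inert markup, not taken from a real campaign.
HIDDEN = "\u3164\uffa0\uffa0\u3164" * 8
SAMPLE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
              '<text>Voice message (0:42)</text>'
              '<script>var d = "' + HIDDEN + '";</script></svg>')
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'

if __name__ == "__main__":
    print(triage(SAMPLE_SVG))
    print(triage(BENIGN_SVG))
```

A run built from exactly two distinct invisible characters is the shape a bit-level encoding would take, which is why the `distinct` count is reported alongside the length.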

These developments emphasize the need for stronger email security practices and phishing-resistant multi-factor authentication like FIDO2 keys.
