Tycoon 2FA credential phishing with cloned internal employee login
Blog post from Sublime Security
Sublime's Attack Spotlight series highlights real-world email threats and the methods adversaries use. This entry covers Tycoon 2FA, a phishing-as-a-service (PhaaS) kit used for credential phishing against Microsoft 365 users. Its campaigns rely on adversary-in-the-middle (AiTM) pages that mimic the target company's login page while relaying the victim's credentials and MFA response to the real service, which is what lets the operator get past two-factor authentication; the kit's templates and tooling let buyers stand up and modify campaigns quickly. In the attack analysed here, a seemingly innocuous email about updated employee policies carried a PDF containing a QR code, and scanning the code led to a cloned internal employee login page built to harvest credentials. Sublime's AI-powered detection engine flagged and blocked the message on signals such as a QR code in the attachment, an empty email body and a newly registered sender domain. The post closes by arguing for adaptive email security platforms that use AI and machine learning to keep pace with evolving phishing techniques.
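The three signals the post names (a QR code in a PDF attachment, an empty body, a recently registered sender domain) combine naturally into a small rule. The following is an added example written for this page, not Sublime's code or its detection language. It assumes that upstream steps have already decoded any QR codes in the attachment into URLs and looked up the sender domain's registration date; the organisation name, the 30-day threshold, the lookalike check and both sample messages are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
from urllib.parse import urlparse

NEW_DOMAIN_DAYS = 30  # assumed threshold for "newly registered"


@dataclass
class Attachment:
    filename: str
    content_type: str
    # URLs decoded from QR codes found in the file. Assumption: an upstream
    # step (render the PDF, run a QR decoder) has already filled this in.
    qr_urls: list = field(default_factory=list)


@dataclass
class Message:
    sender: str
    subject: str
    body_text: str
    received: date
    attachments: list = field(default_factory=list)
    # Registration date of the sender's domain from an assumed WHOIS/RDAP
    # lookup; None when the lookup failed or returned nothing.
    sender_domain_registered: Optional[date] = None


def host_is_inside(host: str, org_domain: str) -> bool:
    """True when host is org_domain itself or a subdomain of it."""
    return host == org_domain or host.endswith("." + org_domain)


def signals(msg: Message, org_domain: str) -> list:
    """Return the sorted names of the post's signals that fire on msg.
    org_domain is the domain of the organisation whose login page the
    cloned page impersonates."""
    found = set()
    if not msg.body_text.strip():
        found.add("empty_body")
    reg = msg.sender_domain_registered
    if reg is not None and (msg.received - reg).days < NEW_DOMAIN_DAYS:
        found.add("new_sender_domain")
    org_label = org_domain.split(".")[0]  # e.g. "contoso" of contoso.example
    for att in msg.attachments:
        if att.content_type != "application/pdf":
            continue
        for url in att.qr_urls:
            host = (urlparse(url).hostname or "").lower()
            if host and not host_is_inside(host, org_domain):
                found.add("pdf_qr_external_url")
                # Assumed lookalike check: the org's name inside a hostname
                # the org does not own is how a cloned login page gets its URL.
                if org_label in host:
                    found.add("qr_host_impersonates_org")
    return sorted(found)


def is_credential_phish(msg: Message, org_domain: str) -> bool:
    """Assumed rule: a PDF-embedded QR code leading off-domain, plus at least
    one corroborating signal, is enough to flag the message."""
    s = set(signals(msg, org_domain))
    corroborating = {"empty_body", "new_sender_domain", "qr_host_impersonates_org"}
    return "pdf_qr_external_url" in s and bool(s & corroborating)


ORG = "contoso.example"  # constructed target organisation

# Constructed sample resembling the post's lure: policy-update subject, no body
# text, a PDF whose QR code points at a lookalike login page, 7-day-old domain.
PHISH = Message(
    sender="hr-notices@contoso-policy-portal.example",
    subject="Updated employee policies - action required",
    body_text="",
    received=date(2024, 6, 10),
    attachments=[Attachment("Employee_Policy_Update.pdf", "application/pdf",
                            ["https://contoso-sso-login.example/employee/login"])],
    sender_domain_registered=date(2024, 6, 3),
)

# Constructed benign control: a real HR mail from the org's own domain.
BENIGN = Message(
    sender="hr@contoso.example",
    subject="Updated employee policies",
    body_text="Hi all, the updated handbook is attached; see the intranet for details.",
    received=date(2024, 6, 10),
    attachments=[Attachment("Handbook_2024.pdf", "application/pdf", [])],
    sender_domain_registered=date(2009, 4, 1),
)

if __name__ == "__main__":
    for name, m in (("phish", PHISH), ("benign", BENIGN)):
        print(name, signals(m, ORG), is_credential_phish(m, ORG))
```

Requiring the QR signal plus a corroborating one keeps a legitimate PDF that merely contains a QR code (a conference badge, a vendor invoice) from being flagged on its own, while the lure described in the post trips every signal at once.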