Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities.

Tycoon2FA was discovered in October 2023 by Sekoia researchers, who later reported significant updates on the phishing kit that increased its sophistication and effectiveness.

Trustwave now reports that the Tycoon2FA threat actors have added several improvements that bolster the kit's ability to bypass detection and endpoint security protections.

The first highlighted change is the use of invisible Unicode characters to hide binary data within JavaScript, as first reported by Juniper Threat Labs in February.

Likely, the creators of Tycoon2FA opted for this change to evade fingerprinting and flagging by domain reputation systems and gain better customization control over the page's content.

The third major change is the inclusion of anti-debugging JavaScript that detects browser automation tools like PhantomJS and Burp Suite and blocks certain actions associated with analysis.

Trustwave underlines that while these evasion techniques aren't novel individually, they make a big difference when combined, complicating detection and analysis that can uncover phishing infrastructure and lead to takedowns and disruption.

In a separate but related report, Trustwave says it has identified a dramatic increase in phishing attacks using malicious SVG (Scalable Vector Graphics) files, driven by PhaaS platforms like Tycoon2FA, Mamba2FA, and Sneaky2FA.

The cybersecurity firm reports a steep rise of 1,800% from April 2024 to March 2025, indicating a clear shift in tactics favoring the particular file format.

The malicious SVGs used in the phishing attacks are for images disguised as voice messages, logos, or cloud document icons.

A case study presented in the Trustwave report concerns a fake Microsoft Teams voicemail alert with an SVG file attachment disguised as an audio message. The function of the malicious code is to redirect the message recipients to Microsoft 365 phishing pages that steal their account credentials.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
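For defenders triaging SVG attachments of the kind described above, the traits worth checking statically are the presence of script, inline event handlers, javascript: URIs, and long runs of invisible Unicode characters inside the file. The following scanner is an added example written for this page; it is not code from the article, Trustwave, or Juniper, and the set of "invisible" code points and the run-length threshold are my own choices, since the reports quoted here name no specific characters. The two SVG samples are constructed.

```python
"""Static triage of SVG email attachments (added example, not code from the article).

Flags traits the reports above describe: embedded <script> elements, inline event
handlers, javascript: URIs, and long runs of invisible Unicode characters of the
kind used to smuggle hidden data into script text.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

# Invisible / zero-width code points. This set is my own choice for the example;
# the article names no specific characters.
INVISIBLE_CODEPOINTS = frozenset({
    0x200B, 0x200C, 0x200D, 0x200E, 0x200F,   # zero-width space/joiners, bidi marks
    0x2060, 0x2061, 0x2062, 0x2063, 0x2064,   # word joiner and invisible operators
    0xFEFF, 0x180E,                           # BOM / ZWNBSP, Mongolian vowel separator
    0x115F, 0x1160, 0x3164, 0xFFA0,           # Hangul fillers (render as blank)
})
RUN_THRESHOLD = 8  # flag an invisible run at least this long (assumed threshold)


@dataclass
class SvgFindings:
    script_elements: int = 0
    event_handlers: List[str] = field(default_factory=list)
    js_uris: List[str] = field(default_factory=list)
    invisible_chars: int = 0
    longest_invisible_run: int = 0
    parse_error: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        """True if any trait worth an analyst's attention was found."""
        return bool(
            self.script_elements
            or self.event_handlers
            or self.js_uris
            or self.longest_invisible_run >= RUN_THRESHOLD
            or self.parse_error
        )


def invisible_stats(text: str) -> Tuple[int, int]:
    """Return (total invisible chars, longest consecutive run) found in text."""
    total = longest = run = 0
    for ch in text:
        if ord(ch) in INVISIBLE_CODEPOINTS:
            total += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return total, longest


def scan_svg(data: bytes) -> SvgFindings:
    """Parse an SVG attachment and collect script-related findings."""
    findings = SvgFindings()
    text = data.decode("utf-8", errors="replace")
    findings.invisible_chars, findings.longest_invisible_run = invisible_stats(text)
    try:
        root = ET.fromstring(data)  # stdlib parser: no external entity resolution
    except ET.ParseError as exc:
        findings.parse_error = str(exc)  # malformed "images" deserve a look too
        return findings
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # strip the SVG namespace prefix
        if tag == "script":
            findings.script_elements += 1
        for attr, value in el.attrib.items():
            local = attr.split("}")[-1].lower()
            if local.startswith("on"):  # onload, onclick, onerror, ...
                findings.event_handlers.append(f"<{tag} {local}>")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                findings.js_uris.append(f"<{tag} {local}>")
    return findings


# Constructed samples: a plain icon and an "audio message" lure carrying hidden data.
BENIGN_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="20" fill="#0078d4"/>
</svg>"""

LURE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">\n'
    '  <text x="10" y="20">Voicemail-0412.mp3</text>\n'
    '  <script><![CDATA[var hidden = "' + "\u3164" * 16 + '";\n'
    '  function init() { /* decoder and redirect would live here */ }]]></script>\n'
    '</svg>'
).encode("utf-8")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        f = scan_svg(blob)
        print(f"{name}: suspicious={f.suspicious} scripts={f.script_elements} "
              f"handlers={f.event_handlers} invisible_run={f.longest_invisible_run}")
```

Run it on a directory of quarantined attachments and route anything with suspicious set to a sandbox rather than blocking on the flag alone; a single zero-width joiner in a legitimate label is normal, which is why the check looks at run length rather than at the mere presence of such characters.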
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 12 Apr 2025 16:10:13 +0000