Dadsec Hackers Exploit Tycoon2FA to Breach Office365
A coordinated phishing campaign exploiting shared cybercriminal infrastructure has emerged as a growing threat to enterprise Microsoft 365 users, according to researchers at Trustwave. The operation connects the Tycoon2FA Phishing-as-a-Service (PhaaS) platform—active since August 2023—with the threat group Storm-1575, also known as Dadsec.
Attackers employ adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication, distributing phishing emails that carry malicious links or attachments. Victims are redirected through compromised domains and ultimately land on phishing pages shielded by evasive measures such as Cloudflare Turnstile and anti-analysis scripts.
The infrastructure features PHP payloads—including “res444.php,” “cllascio.php,” and “.000.php”—that deliver encrypted content using layered decryption routines. These pages harvest credentials and session tokens, granting persistent access even after password resets.
Trustwave analysts identified thousands of phishing pages tied to Tycoon2FA since July 2024, with consistent HTML fingerprints and JavaScript-based redirection. The campaign aggregates victim metadata and transmits it to command servers using AES encryption.
