Public Attribution Overview
Storm-1747 is the cluster designation Microsoft Threat Intelligence has applied to the operator group behind the Tycoon 2FA phishing-as-a-service kit. Sekoia tracks the kit itself across multiple deep dives; Trustwave SpiderLabs has published reverse-proxy artifact analyses; Proofpoint and others have referenced the kit in broader phishing-as-a-service overviews.
This brief is operator-class rather than single-operator. Tycoon 2FA is rented widely, so multiple operators run campaigns using the same kit infrastructure. The defender opportunity is in the kit-side artifacts that survive across customers — they are unusually consistent compared to most phishing kits.
Targeting and Motivation
The kit targets Microsoft 365 credentials and session tokens broadly. Public reporting describes targeting across enterprise verticals without a strong sectoral preference, reflecting the kit's nature as a tool sold to many operators. Downstream use of stolen credentials and session cookies is operator-dependent: some campaigns pivot to BEC-style fraud, others to data theft and extortion, others to access resale.
Phishing TTPs in Detail
The technique is a textbook reverse-proxy adversary-in-the-middle (AitM) chain:
- **Lure delivery** via email, SMS, or impersonation of a third-party document-sharing platform. Lures impersonate Microsoft 365, Adobe, DocuSign, and similar SaaS products.
- **Redirect chain** through one or more low-reputation intermediate hops to the kit-hosted reverse proxy, often layered through open redirects on legitimate domains to get past email gateways.
- **Captcha gating** at the proxy entry to deter automated takedown and security-vendor scanning.
- **Reverse-proxy authentication** that relays the real Microsoft 365 login pages with high fidelity, including the multi-factor challenge, so the victim completes MFA against the legitimate provider while the proxy sits in the path.
- **Session cookie theft** at completion of the authentication exchange, when the proxy captures the session cookie the provider sets.
- **Token reuse** from operator infrastructure, typically within minutes of the victim's authentication.
The kit-side artifacts that defenders have keyed detections on across versions include consistent URL-path components, characteristic JavaScript bundle hashes, and consistent cookie names that the proxy uses to track victim sessions. The exact strings have shifted across kit versions; current values are tracked in the Sekoia and Trustwave deep dives and need refreshing on the report-publication cadence.
Notable Public Campaigns
Sekoia published a major Tycoon 2FA deep dive in early 2024 and follow-on analyses through the rest of 2024 and into 2025, documenting kit infrastructure rotation and feature additions. Microsoft Threat Intelligence has linked the cluster to specific phishing-as-a-service activity in its blog reporting. Trustwave SpiderLabs has published its own kit analyses. None of these reports names specific victim organizations; the kit's customer base is large enough that public victim attribution rarely follows.
Defender Hooks
The signal layers are the same as for the broader AitM detection problem, with kit-specific tightening:
- **DNS and HTTP watchlists** keyed to current Tycoon URL-path fingerprints from the Sekoia or Trustwave reports. Match outbound DNS or HTTP from managed endpoints. The watchlists need refreshing on the report-publication cadence.
- **Entra non-interactive correlation** as described in the broader AitM detection writeup: a successful interactive sign-in followed within minutes by non-interactive token redemption for the same user from a different ASN. This is the signal that fires after the cookie has been stolen, so it is the one to wire to the revocation runbook.
- **Defender for Cloud Apps anomaly policies** for unusual ISP on OAuth applications and activity from infrequent countries. Tune to alert-and-hold sessions on high-severity hits.
- **Outbound proxy logging** with TLS interception, where in place, for TLS fingerprint matching against current Sekoia-published Tycoon fingerprints. Note that the client-side JA3/JA4 value on an outbound connection is the victim browser's; what discriminates the kit is the server-side fingerprint (JA3S/JA4S) of the proxy host, where a report provides one.
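The non-interactive correlation above, run over a handful of sign-in records, as an added example (this is not code from any of the cited reports; the record shape is a simplification of the Entra ID interactive and non-interactive sign-in log columns, the ASN and IP values are constructed from documentation ranges, and `TRUSTED_ASNS` is a hypothetical tenant allowlist):

```python
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records. The column names simplify the Entra ID
# SignInLogs / AADNonInteractiveUserSignInLogs shape (ASN comes from the
# AutonomousSystemNumber column in the Log Analytics schema); real exports carry
# many more fields. AS64496/AS64500 and 203.0.113.x / 198.51.100.x are
# documentation-reserved values.
SAMPLE_SIGNINS = [
    # alice: interactive sign-in from the corporate ASN, then a non-interactive
    # token redemption 3.5 minutes later from a different ASN -> alert
    {"time": "2025-03-01T09:00:00Z", "user": "alice@contoso.example", "interactive": True,  "asn": 64496, "ip": "203.0.113.10", "result": 0},
    {"time": "2025-03-01T09:03:30Z", "user": "alice@contoso.example", "interactive": False, "asn": 64500, "ip": "198.51.100.7", "result": 0},
    # bob: same pattern, but the non-interactive call comes from the same ASN -> benign
    {"time": "2025-03-01T10:00:00Z", "user": "bob@contoso.example", "interactive": True,  "asn": 64496, "ip": "203.0.113.11", "result": 0},
    {"time": "2025-03-01T10:02:00Z", "user": "bob@contoso.example", "interactive": False, "asn": 64496, "ip": "203.0.113.11", "result": 0},
    # carol: the interactive sign-in failed, so no session was minted to steal -> no alert
    {"time": "2025-03-01T11:00:00Z", "user": "carol@contoso.example", "interactive": True,  "asn": 64496, "ip": "203.0.113.12", "result": 50126},
    {"time": "2025-03-01T11:01:00Z", "user": "carol@contoso.example", "interactive": False, "asn": 64500, "ip": "198.51.100.9", "result": 0},
    # dave: different ASN but 90 minutes later, outside the window -> no alert
    {"time": "2025-03-01T12:00:00Z", "user": "dave@contoso.example", "interactive": True,  "asn": 64496, "ip": "203.0.113.13", "result": 0},
    {"time": "2025-03-01T13:30:00Z", "user": "dave@contoso.example", "interactive": False, "asn": 64500, "ip": "198.51.100.20", "result": 0},
]

# Hypothetical allowlist of ASNs that legitimately follow an interactive sign-in
# (corporate VPN egress, known mobile carrier). Tune per tenant.
TRUSTED_ASNS = {64496}


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_asn_divergence(records, window=timedelta(minutes=10), trusted_asns=TRUSTED_ASNS):
    """Return one alert per successful interactive sign-in that is followed,
    within `window`, by a successful non-interactive sign-in for the same user
    from a different ASN that is not on the trusted list."""
    by_user = {}
    for r in sorted(records, key=lambda r: _parse_time(r["time"])):
        by_user.setdefault(r["user"], []).append(r)

    alerts = []
    for user, events in by_user.items():
        for i, ev in enumerate(events):
            if not ev["interactive"] or ev["result"] != 0:
                continue  # only a completed interactive auth mints a stealable session
            t0 = _parse_time(ev["time"])
            for later in events[i + 1:]:
                delta = _parse_time(later["time"]) - t0
                if delta > window:
                    break  # events are time-sorted, nothing further can match
                if later["interactive"] or later["result"] != 0:
                    continue
                if later["asn"] == ev["asn"] or later["asn"] in trusted_asns:
                    continue
                alerts.append({
                    "user": user,
                    "interactive_time": ev["time"],
                    "interactive_asn": ev["asn"],
                    "interactive_ip": ev["ip"],
                    "noninteractive_time": later["time"],
                    "noninteractive_asn": later["asn"],
                    "noninteractive_ip": later["ip"],
                    "delta_seconds": int(delta.total_seconds()),
                })
                break  # one alert per interactive sign-in is enough to trigger the runbook
    return alerts


if __name__ == "__main__":
    for a in find_asn_divergence(SAMPLE_SIGNINS):
        print(f"ALERT {a['user']}: AS{a['interactive_asn']} -> AS{a['noninteractive_asn']} "
              f"after {a['delta_seconds']}s ({a['noninteractive_ip']})")
```

The window and the trusted-ASN list are the two tuning knobs: too wide a window and roaming users on mobile carriers page you, too narrow and a slow operator slips through. Only successful interactive sign-ins are considered, since a failed one minted nothing for the proxy to capture.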
The detection skeleton below is a Sigma-style HTTP rule applied to a corporate proxy log. The path patterns are illustrative — replace with current values from the most recent kit deep dive before deploying.
```yaml
# Illustrative Sigma-style rule shape. The path patterns are
# placeholders - replace with current values from the most recent
# Tycoon 2FA deep dive (Sekoia or Trustwave) before use.
# Field names follow the W3C extended log format; map them to your
# proxy's schema in the backend configuration.
title: Outbound HTTP to Suspected Tycoon 2FA Reverse Proxy
status: experimental
description: |
  Match outbound HTTP requests from managed endpoints to URL paths
  consistent with publicly documented Tycoon 2FA reverse-proxy
  schemas. Refresh path patterns on every major kit deep-dive.
logsource:
  category: proxy
detection:
  selection:
    cs-uri-stem|contains:
      - "/REPLACE_WITH_CURRENT_PATH_PATTERN_1/"
      - "/REPLACE_WITH_CURRENT_PATH_PATTERN_2/"
  condition: selection
fields:
  - cs-username
  - c-ip
  - cs-host
  - cs-uri-stem
  - sc-status
level: high
```

What Has Worked Against Them
Public reporting and defender writeups converge on the same controls:
- **FIDO2 security keys or platform passkeys** on identity-critical accounts. The credential is scoped to the legitimate provider's origin, so an assertion produced while the browser sits on the kit's proxy origin does not verify against the real provider; the reverse proxy cannot satisfy the challenge.
- **Conditional Access policies** that require compliant or Entra hybrid joined devices on sensitive applications. The stolen session cookie lets the operator ask for tokens, but the operator's machine carries no registered-device claim, so the device-based grant control fails at token issuance and the chain breaks after theft.
- **Fast token revocation runbooks** triggered on the non-interactive ASN-divergence alert, containing incidents inside the first hour. Revocation invalidates refresh tokens and sessions; already-issued access tokens remain usable until they expire unless the application supports Continuous Access Evaluation, which is why the device-bound policy above matters alongside it.
- **Outbound DNS and HTTP filtering** on kit infrastructure when current path patterns are published and watchlisted.
Combinations of these have ended public-incident chains at the credential-theft stage rather than the data-theft stage. The single highest-impact control across multiple defender writeups is phishing-resistant authentication on privileged users.
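Why the passkey control holds against a relay, as an added example that is not code from any cited report or from the kit: the relying party checks that the assertion's `clientDataJSON` carries its own origin and challenge and that `authenticatorData` starts with the hash of its own RP ID. The origin, RP ID, challenge and the proxy domain below are constructed placeholders, and signature verification against the registered public key (a separate step) is outside this block.

```python
import hashlib
import json

# Relying-party expectations (constructed placeholders for this example).
EXPECTED_ORIGIN = "https://login.idp.example"
EXPECTED_RP_ID = "login.idp.example"
# Per-ceremony challenge the RP issued and stored server-side (constructed value).
ISSUED_CHALLENGE = "dGhpcy1pcy1hLWNoYWxsZW5nZQ"


def make_client_data(origin, challenge):
    """Build the clientDataJSON a browser produces for an assertion on `origin`."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def make_authenticator_data(rp_id, flags=0x05, sign_count=1):
    """Minimal authenticatorData: rpIdHash (32) || flags (1) || signCount (4).
    flags 0x05 = user present (UP) + user verified (UV)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion_binding(client_data_json, authenticator_data,
                             expected_origin=EXPECTED_ORIGIN,
                             expected_rp_id=EXPECTED_RP_ID,
                             expected_challenge=ISSUED_CHALLENGE):
    """Return (ok, reason) for the binding checks an RP performs before it
    looks at the signature. Any failure here rejects the assertion."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed ceremony)"
    if cd.get("origin") != expected_origin:
        # This is the check a reverse-proxy relay trips: the browser records the
        # origin the page was actually served from, not the one it impersonates.
        return False, "origin mismatch: assertion was produced on %r" % cd.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential is scoped to a different RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence (UP) flag not set"
    return True, "origin, RP ID and challenge all bound to the legitimate provider"


def legitimate_assertion():
    """Victim signs in directly at the provider: binding checks pass."""
    return verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, ISSUED_CHALLENGE),
                                    make_authenticator_data(EXPECTED_RP_ID))


def proxied_assertion():
    """Victim's browser is on the kit's proxy origin. The browser binds the
    ceremony to that origin and, because the RP ID must be a registrable
    suffix of the page's domain, to the proxy's domain rather than the real
    provider's. Even a faithfully relayed challenge fails the RP's check."""
    proxy_origin = "https://login.proxy-lure.example"  # constructed
    return verify_assertion_binding(make_client_data(proxy_origin, ISSUED_CHALLENGE),
                                    make_authenticator_data("login.proxy-lure.example"))


if __name__ == "__main__":
    print("direct :", legitimate_assertion())
    print("relayed:", proxied_assertion())
```

In practice the browser will not even offer the victim's passkey on the proxy's origin, because no credential exists for that RP ID; the server-side origin and rpIdHash checks are the defence-in-depth layer if a client is ever coerced into producing an assertion anyway. Compare this with an OTP or push approval, which carries nothing that names the origin it was entered on.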
What Hasn't
- **URL-similarity blocklists** chase domain rotation that the kit performs on a daily-or-faster cadence and arrive late.
- **SMS, one-time-code, or push MFA** is bypassed routinely by the relay mechanic and confers no practical resistance: the victim completes the challenge against the real provider, and the proxy keeps the resulting session.
- **Brand-only awareness training** addresses the lure but not the rest of the chain, which the user has no visibility into.
- **Email-side controls alone** miss the technique when the lure arrives by SMS or external-tenant chat.