Tycoon 2FA and the Rise of Phishing-as-a-Service (PhaaS)

On July 17, 2025, the Security Operations Center (SOC) responded to a security alert triggered by a user who had opened a suspicious link contained in a phishing email.
The incident was escalated because a follow-up sign-in attempt succeeded despite multi-factor authentication (MFA) being enforced on the account. Tycoon 2FA, the phishing-as-a-service (PhaaS) kit behind this class of attack, works as an adversary-in-the-middle (AiTM) proxy: the victim's credentials and MFA response are relayed to the genuine Microsoft login in real time, and the session cookie issued at the end of that login is captured, so the operator can reuse the session without triggering a new MFA prompt. This is what makes PhaaS operations dangerous: they exploit the user and the authentication flow at the same time.
A 30-day review of mail flow confirmed that the malicious email came from a compromised external account with no prior history of communication with the organization.
Although the user's credentials were entered on the phishing page, no unauthorized activity within the environment was observed, and the overall impact to the organization was assessed as minimal.
What Happened?
A user inadvertently opened a phishing website crafted to mimic the legitimate Microsoft login page. The link first passed through a hijacked educational institution domain, which lent the redirect credibility, before landing on the final phishing domain. That destination domain had been registered only days earlier, a common trait of infrastructure stood up for targeted campaigns.
Although the user entered credentials on the spoofed page, a review of sign-in activity and of the domains involved found no evidence of lateral movement or further exploitation.
Response actions included containing the account, blocking the domains, and reviewing access logs to confirm that no persistence mechanism (in Microsoft 365 typically a new inbox rule, a newly registered MFA method, or an OAuth application consent) and no privilege escalation had occurred.
This incident highlights the need for continuous threat intelligence monitoring, user education on phishing indicators, and zero-trust controls that reduce exposure to credential-harvesting campaigns. Against AiTM kits the decisive control is phishing-resistant MFA (FIDO2 security keys or passkeys), because the credential is bound to the legitimate origin and cannot be relayed through a proxy; for accounts that cannot move to it yet, Conditional Access policies that require a compliant device or block sign-ins from unfamiliar locations narrow the window in which a stolen session cookie is usable.
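The two signals the SOC correlated here (a click on the phishing URL followed by a sign-in, and a sign-in that succeeded without a fresh MFA challenge) can be expressed as detection logic over sign-in telemetry. The following is an added example for this write-up, not the SOC's own detection rule: the events are constructed to resemble Entra ID sign-in and URL-click records, and the field names (user, time, ip, mfa, success, url), the example domains and the IP baselines are assumptions, not a real export.

```python
"""Correlate a phishing-link click with the sign-ins that follow it, then look
for the adversary-in-the-middle (AiTM) session-replay pattern.

Added example; not the SOC's own rule. Field names are an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 30-day baseline: IPs each user habitually signs in from.
BASELINE_IPS = {
    "alice@example.org": {"203.0.113.10"},
    "bob@example.org": {"203.0.113.20"},
}

# Constructed URL-click telemetry (e.g. Safe Links click events).
CLICKS = [
    {"user": "alice@example.org", "time": "2025-07-17T09:02:00Z",
     "url": "https://legit-university.example/redir?u=login-m1crosoft.example"},
]

# Constructed sign-in records. 09:03 is the AiTM proxy logging in on Alice's
# behalf (her MFA response relayed, so MFA shows as completed); 09:20 is the
# operator replaying the stolen session cookie from a second IP, so the
# directory records MFA as already satisfied. Bob's travel sign-in has neither.
SIGNINS = [
    {"user": "alice@example.org", "time": "2025-07-17T08:30:00Z",
     "ip": "203.0.113.10", "success": True, "mfa": "completed"},
    {"user": "alice@example.org", "time": "2025-07-17T09:03:00Z",
     "ip": "198.51.100.7", "success": True, "mfa": "completed"},
    {"user": "alice@example.org", "time": "2025-07-17T09:20:00Z",
     "ip": "192.0.2.55", "success": True, "mfa": "previously satisfied"},
    {"user": "bob@example.org", "time": "2025-07-17T10:00:00Z",
     "ip": "198.51.100.99", "success": True, "mfa": "completed"},
    {"user": "bob@example.org", "time": "2025-07-17T10:05:00Z",
     "ip": "198.51.100.99", "success": True, "mfa": "previously satisfied"},
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def signins_after_click(clicks, signins, baseline, window=timedelta(minutes=30)):
    """Successful sign-ins from a non-baseline IP within `window` after a URL
    click by the same user: the pairing that raised the initial alert."""
    hits = []
    for c in clicks:
        t0 = _t(c["time"])
        for s in signins:
            if s["user"] != c["user"] or not s["success"]:
                continue
            dt = _t(s["time"]) - t0
            known = baseline.get(s["user"], set())
            if timedelta(0) <= dt <= window and s["ip"] not in known:
                hits.append({"user": s["user"], "url": c["url"], "ip": s["ip"],
                             "minutes_after_click": int(dt.total_seconds() // 60)})
    return hits


def find_session_replay(signins, baseline, window=timedelta(minutes=60)):
    """Flag a user whose successful MFA sign-in from a non-baseline IP is
    followed within `window` by a successful sign-in from a *different*
    non-baseline IP where MFA was satisfied by an existing session."""
    by_user = defaultdict(list)
    for s in signins:
        if s["success"]:
            by_user[s["user"]].append(s)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _t(e["time"]))
        known = baseline.get(user, set())
        for i, first in enumerate(evs):
            if first["ip"] in known or first["mfa"] != "completed":
                continue
            t0 = _t(first["time"])
            for second in evs[i + 1:]:
                dt = _t(second["time"]) - t0
                if dt > window:
                    break
                if (second["ip"] not in known and second["ip"] != first["ip"]
                        and second["mfa"] == "previously satisfied"):
                    findings.append({"user": user, "proxy_ip": first["ip"],
                                     "replay_ip": second["ip"],
                                     "minutes_apart": int(dt.total_seconds() // 60)})
                    break
    return findings


if __name__ == "__main__":
    for h in signins_after_click(CLICKS, SIGNINS, BASELINE_IPS):
        print("sign-in after click:", h)
    for f in find_session_replay(SIGNINS, BASELINE_IPS):
        print("possible session replay:", f)
```

The replay check is the more specific of the two: a travelling user produces a sign-in from an unfamiliar IP, but the same session being reused from a second unfamiliar IP minutes later, with no new MFA challenge, is the fingerprint of a proxied login whose cookie has been exported elsewhere.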
How Was It Addressed?
Incident Response and Containment
After detecting the phishing activity, the Security Operations Center (SOC) carried out a thorough remediation process to fully remove the threat and prevent any further risk to the organization.
Full system scans were conducted on the affected devices to check for and eliminate any traces of malicious activity that might have been missed during the initial response.
To prevent similar attempts in the future, the domains used by the attacker were added to the organization's email blocklist, stopping any further messages from those sources.
In addition, the malicious domains and URLs identified during the investigation were added as Block indicators in Microsoft Defender for Endpoint, so that they cannot be reached from any managed device in the environment.
The SOC team also reviewed all emails related to the incident and confirmed that they had either been automatically quarantined or removed by Zero-hour Auto Purge (ZAP).
To further reduce any risk, these emails were manually deleted from inboxes and folders to make sure users couldn’t accidentally interact with them later.
As part of the containment process, the user account involved in the incident was temporarily disabled, and all active sessions, including multi-factor authentication sessions, were revoked to cut off any unauthorized access; revoking the sessions is what invalidates the session cookie captured by the AiTM proxy, which a password reset alone would not do. Once the environment was confirmed to be secure, the account was restored and the user's credentials were reset.
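The order of those containment steps matters, and the same sequence can be scripted against Microsoft Graph and the Defender for Endpoint API. The block below is an added example, not the SOC's own runbook: the Graph endpoints (PATCH /users/{id}, POST /users/{id}/revokeSignInSessions) and the Defender indicator resource (/api/indicators) are the documented ones, while `send` is an injected transport (an assumption) so the flow runs offline; the recording stand-in replaces an authenticated HTTPS client, and the user ID and domain are placeholders.

```python
"""Ordered containment of a compromised Microsoft 365 account via Microsoft
Graph, plus pushing the phishing domain as a Block indicator to Defender for
Endpoint. Added example; `send` is an assumed transport callable."""
import secrets

GRAPH = "https://graph.microsoft.com/v1.0"
MDE = "https://api.securitycenter.microsoft.com/api"


def contain_account(user_id, send):
    """Disable, revoke, then reset. Order matters.

    Disabling first stops new tokens being issued while the rest runs.
    revokeSignInSessions invalidates refresh tokens and browser session
    cookies, which is what kills the cookie captured by an AiTM proxy. Access
    tokens already issued stay valid until they expire (typically 60 to 90
    minutes) unless the resource honours Continuous Access Evaluation, so the
    account stays disabled until that window has passed."""
    send("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False})
    send("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None)
    # Temporary password the user must change at next sign-in; handed over
    # out of band and never logged. Requires a password-administrator role.
    send("PATCH", f"{GRAPH}/users/{user_id}", {
        "passwordProfile": {"forceChangePasswordNextSignIn": True,
                            "password": secrets.token_urlsafe(24)}})


def restore_account(user_id, send):
    """Re-enable only after the investigation confirms no persistence."""
    send("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": True})


def block_domain(domain, send, title="Tycoon 2FA phishing domain"):
    """Custom indicator with the Block action, applied tenant-wide."""
    send("POST", f"{MDE}/indicators", {
        "indicatorValue": domain, "indicatorType": "DomainName",
        "action": "Block", "title": title, "severity": "High",
        "description": "Credential-harvesting domain from incident response",
    })


class RecordingTransport:
    """Offline stand-in for an authenticated HTTP client: records each call
    as (method, url, body) and returns a plausible status."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        return {"status": 204 if method == "PATCH" else 200}


def containment_sequence(user_id, domains):
    """Run the full flow against the recording transport and return the
    ordered calls so the sequence can be verified."""
    transport = RecordingTransport()
    contain_account(user_id, transport)
    for d in domains:
        block_domain(d, transport)
    return transport.calls


if __name__ == "__main__":
    for method, url, body in containment_sequence("u-123", ["login-m1crosoft.example"]):
        print(method, url, "" if body is None else list(body))
```

The recorded sequence is also a useful audit artefact: the ticket should show that the disable and revoke calls preceded the password reset, since a reset issued while the stolen session is still live leaves the attacker signed in.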
Lessons Learned and Improvements
To enhance future defences, several measures were implemented post-incident:
1. Domain and Threat Containment Measures: Malicious domains associated with the phishing campaign were blocked at the network level, Microsoft Defender policies were updated, and all related phishing emails were quarantined to prevent further exposure.
2. Advanced Eradication Tactics: Full system scans were conducted across affected devices, malicious domains were added as block indicators, and new detection rules were implemented to improve visibility into AiTM sign-in patterns and reduce the risk of similar attacks in the future.
3. Security Awareness Reinforcement: Based on the nature of the incident, increased emphasis will be placed on employee-focused phishing simulations and targeted training to address the human element in social engineering threats.
Conclusion
The recent incident highlights the vital role of collaboration and the ongoing need to evolve information security practices. Through a timely response and coordinated effort between the Security Operations Center and Incident Response teams, the situation was quickly contained, and potential escalation was prevented. With the implementation of new protective measures, the organization is now better prepared to defend against similar threats in the future.
The SOCcare project is co-funded by the European Union, alongside our collaborators University POLITEHNICA of Bucharest and NRD Cyber Security and supported by the European Cybersecurity Competence Centre (ECCC) under Grant Agreement No. a101145843.