AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens
According to Darktrace’s Security Operations Center (SOC), in late 2024 and early 2025 cybercriminals have been exploiting legitimate Software-as-a-Service (SaaS) platforms like Milanote to orchestrate sophisticated phishing campaigns.
These attacks, bolstered by the Tycoon 2FA phishing kit, demonstrate an advanced Adversary-in-the-Middle (AiTM) approach that circumvents multi-factor authentication (MFA) protections.
Leveraging Legitimate Services for Stealthy Attacks
By abusing trusted services, threat actors send phishing emails that appear benign, leveraging Milanote’s legitimate email infrastructure to bypass traditional security gateways.
Darktrace identified phishing emails sent to multiple internal users across organizations, with subject lines referencing “new agreements” and internal colleagues to incite curiosity without raising immediate suspicion.
These emails, originating from seemingly legitimate addresses like support@milanote[.]com, contained malicious links leading to credential harvesting pages hosted on Milanote itself, blending malicious intent with trusted domains to deceive recipients.
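The campaign pattern described above (a genuine SaaS notification sender, a link that stays on the same SaaS domain, an "agreement" lure, and a name-dropped colleague) is hard to catch with any single reputation check. The following triage heuristic is an added example, not code from Darktrace or gbhackers; the message records, the internal-name list and the extra lure keywords are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample gateway records (not from the article): the metadata a
# mail gateway typically extracts for each message: sender, subject, URLs.
SAMPLE_MESSAGES = [
    {"from": "support@milanote.com", "subject": "New agreement shared by Jane Doe",
     "urls": ["https://app.milanote.com/1abc/new-agreement"]},
    {"from": "support@milanote.com", "subject": "Your weekly Milanote digest",
     "urls": ["https://app.milanote.com/home"]},
    {"from": "partner@example.org", "subject": "New agreement",
     "urls": ["https://example.org/docs/1"]},
]
# SaaS domains whose notification mail is legitimate but has been abused as a
# phishing relay (Milanote per the article); extend with services your tenant uses.
TRUSTED_SAAS_DOMAINS = {"milanote.com"}
# "new agreements" is the lure theme reported; "contract" is an assumed synonym.
LURE_KEYWORDS = ("agreement", "contract")
# Assumed internal directory; a real deployment would pull names from the IdP.
INTERNAL_NAMES = {"jane doe", "john smith"}


def domain_of(addr):
    """Return the lowercase domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def under_domain(host, domain):
    """True if host equals domain or is a subdomain of it (no suffix tricks)."""
    return host == domain or host.endswith("." + domain)


def score_message(msg):
    """Return (score, reasons); no single signal is suspicious, the combination is."""
    reasons = []
    sender_dom = domain_of(msg["from"])
    subject = msg["subject"].lower()
    saas = next((d for d in TRUSTED_SAAS_DOMAINS if under_domain(sender_dom, d)), None)
    if saas:
        reasons.append("sender is a SaaS notification domain")
        hosts = [urlparse(u).hostname or "" for u in msg["urls"]]
        if any(under_domain(h, saas) for h in hosts):
            reasons.append("link lands on the same SaaS, so URL reputation will not help")
    if any(k in subject for k in LURE_KEYWORDS):
        reasons.append("agreement-themed lure in subject")
    if any(n in subject for n in INTERNAL_NAMES):
        reasons.append("subject name-drops an internal colleague")
    return len(reasons), reasons


def triage(messages, threshold=3):
    """Return indexes of messages that stack enough signals to hold for review."""
    return [i for i, m in enumerate(messages) if score_message(m)[0] >= threshold]
```

Only the first constructed message reaches the threshold; the routine digest from the same sender and the plain "agreement" mail from an unrelated domain do not.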
Tycoon 2FA: A Persistent Threat to SaaS Security
The Tycoon 2FA phishing kit, first ...
Copyright of this story solely belongs to gbhackers.