New Phishing Kit Targets Hundreds Of M365 Accounts Globally

“Tykit”, a new multi-stage phishing kit, is targeting hundreds of Microsoft accounts with evasive phishing emails.

Published on Oct 23, 2025
Written by Caitlin Harris

Researchers at ANY.RUN have observed a new phishing kit stealing credentials from hundreds of corporate Microsoft 365 accounts globally.

The phishing kit, which ANY.RUN has labelled “Tykit”, was first observed in May this year, but its activity has grown since then and peaked throughout September and October. The threat actors behind the attacks have cast a wide net, targeting construction, professional services, IT, finance, government, telecom, real estate, and education organizations across the US, Canada, Latin America, EMEA, South East Asia, and the Middle East.

“Given the wide geographic and industry spread and the TTPs that match standard phishing kit behavior, the threat has been active for quite some time,” ANY.RUN says.

Tykit attacks encourage users to open a malicious SVG file, which executes client-side code in several stages, before finally directing users to a fake Microsoft 365 login page. Here, the victims are prompted to enter their credentials—which are then sent directly to the attacker.

If successful, a Tykit campaign can enable attackers to take over their victims’ Microsoft 365 accounts, steal data from mailboxes, drives, and connected SaaS apps, and move laterally through the company network to steal more data or cause further damage.

The attack uses several evasion tactics to bypass basic detection techniques, say the research team behind the discovery. These include hiding code in SVGs and layering redirects.

“The page implements a fairly involved execution mechanism: the payload is obfuscated, there are basic (nonetheless effective) anti-debugging measures, and the exfiltration logic runs through several staged steps,” ANY.RUN explains.

Despite these evasive tactics, the researchers were able to analyze the structure of the attack’s payload and develop a set of rules that allow security teams to detect the threat at several stages of the attack chain, from the initial malicious SVG attachment to the malicious domains hosting the phishing pages.

“Tykit doesn’t reinvent phishing, but it shows how small technical tweaks, like hiding code in SVGs or layering redirects, can make attacks harder to catch,” the company adds. “Still, with better visibility and the right tools, teams can stop it before credentials are stolen.”

Prevention Techniques

Most organizations should have a strong email security solution in place to help mitigate phishing threats. However, ANY.RUN recommends that security teams also strengthen their file security in order to stop Tykit attacks, urging teams to make sure their email security tool inspects SVG content, and encouraging them to use Content Disarm and Reconstruction (CDR) to uncover hidden payloads.
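To make the “inspect SVG content” advice concrete, here is an added triage scanner (written for this article, not ANY.RUN’s published rules or any code from the kit) that flags the active-content features an SVG needs in order to run client-side code from an “image”, so a gateway can quarantine such attachments for sandboxing. The sample SVGs, the base64-length threshold and the finding labels are constructed assumptions.

```python
# Added example: flag SVG attachments that carry active content
# (script elements, event handlers, javascript: URIs, foreignObject,
# large encoded blobs). Not ANY.RUN's rules; heuristics are assumptions.
import re
import xml.etree.ElementTree as ET

# Long runs of base64 alphabet are a common way to hide a later stage
# inside an SVG. 200 characters is an assumed threshold, not a standard.
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{200,}$")


def _local(name: str) -> str:
    """Strip the XML namespace prefix ('{uri}tag') from a tag or attribute."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no active content seen.
    Note: for untrusted input in production, parse with defusedxml instead of
    the stdlib parser to resist entity-expansion attacks."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A file claiming to be SVG that does not parse may be counting on
        # lenient browser parsing; treat that as a finding, not a pass.
        return [f"unparseable-xml: {exc}"]
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag == "script":
            findings.append("script-element")
        elif tag == "foreignObject":
            findings.append("foreignObject-element")  # can wrap arbitrary HTML
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):  # onload, onclick, ...
                findings.append(f"event-handler:{name}")
            if name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript-uri:{name}")
            if B64_RE.match(value):
                findings.append(f"encoded-blob:attr:{name}")
        if el.text and B64_RE.match(el.text.strip()):
            findings.append(f"encoded-blob:text:{tag}")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway verdict: quarantine for sandboxing if any finding is present."""
    return bool(scan_svg(data))


# Constructed samples (not real Tykit artifacts): a plain icon, and one with
# the kind of active content a phishing kit relies on.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    b'<script>/* stage-1 loader would be here */</script>'
    b'<a xlink:href="javascript:void(0)"><text>Open document</text></a></svg>'
)
```

Running `scan_svg(ACTIVE_SVG)` reports the onload handler, the script element and the javascript: link, while the plain icon produces no findings.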

Additionally, organizations should switch to phishing-resistant authentication methods, such as FIDO2 or certificate-based MFA, and enforce Conditional Access within their Microsoft 365 environment.