I’m sorry to have to tell you this, but if you didn’t already realize, you are under attack. No matter the operating system you use, the applications you rely upon or the faith you have in Big Tech to protect you, attackers are coming for your accounts and your data. The higher the profile of those accounts, the more valuable they are and the more hacking scrutiny they are under. Which is why we see security warnings involving such things as Apple ID attacks, X social media data leaks, and both Android and iPhone smartphone FBI defense advice. It is, however, Gmail and Microsoft that are most valued by hackers for the data that a successful account hack can expose. News of the evolution of an already perilous threat that can bypass 2FA protections that both Google and Microsoft have in place is, therefore, naturally of huge concern. Here’s what you need to know and what both tech giants say you must do right now.
The Evolution Of Tycoon 2FA
Tycoon 2FA is not a new threat, far from it, in fact. As I reported March 26, 2024, the adversary-in-the-middle attack kit first came to the attention of threat intelligence experts in 2023. In March 2024, however, the criminal developers behind it turned the threat dial up a notch or two by releasing an update that specifically targeted Microsoft 365 and Gmail account holders and employed advanced obfuscation and anti-detection capabilities.
Those attackers have, it seems, now turned the dial to 11.
New intelligence from security researchers at Trustwave has revealed even more sophisticated evasion techniques being deployed against Gmail and Microsoft users in the latest 2025 attacks. According to the new report’s authors, Trustwave’s Phil Hay and Rodel Mendrez, these include “using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection.”
While conceding that none of these techniques are groundbreaking, individually at least, combining them does pose a new threat that makes detection and response even more difficult. Custom CAPTCHA visuals in HTMLK5, for example, can add legitimacy to phishing attempts, Unicode and Proxy-based obfuscation can delay detection, and anti-debugging behaviors hide malicious activity from automated tools.
Do This To Protect Against 2FA Bypass Attacks Right Now
Trustwave recommended that security teams should “consider behavior-based monitoring, browser sandboxing, and a deeper inspection of JavaScript patterns” in order to stay one step ahead of the Tycoon 2FA attackers. Google and Microsoft, however, have some more straightforward advice for ordinary users when it comes to protecting themselves and their valuable accounts from the 2FA bypass hackers.
The simple truth is that, from the end user defensive posture perspective, the mitigation advice when it comes to Tycoon 2FA attacks is the same now as it was in 2024, namely, use passkeys.
A Google spokesperson said that “passkeys substantially reduce the impact of phishing and other social engineering attacks. Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.”
Meanwhile, a Microsoft spokesperson said, “As a security best practice, we encourage customers to always practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. In addition, we recommend switching to Passkeys wherever possible and using authentication apps such as Microsoft Authenticator, which warn users about potential phishing attempts.”
So, there you have it: use passkeys to protect your Gmail and Microsoft accounts, not only against this 2FA bypass attack but also against other potential threats. What are you waiting for, do it now.
