A DNS Investigation of the Typhoon 2FA Phishing Kit | WhoisXML API


Phishing-as-a-service (PhaaS) and similar offerings have made cybercrime accessible to anyone willing to risk incarceration in exchange for quick and easy money. The creators of Typhoon 2FA, a phishing kit said to be able to bypass two-factor authentication (2FA) on Microsoft 365 and Google accounts, are taking advantage of that fact.[1]

A total of 103 Typhoon 2FA indicators of compromise (IoCs) have been identified to date.[2] Using our comprehensive DNS intelligence sources, we found further artifacts that may be connected to them, including:

  • 288 registrant email address-connected domains
  • 110 registrant organization-connected domains
  • 262 email-connected domains
  • 21 IP addresses, all of which turned out to be malicious
  • 137 string-connected domains
  • 3,223 string-connected subdomains
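The categories above are the result of pivoting from the seed IoCs through WHOIS and DNS records. The following is an added example, not code from WhoisXML API or from the report, showing the mechanics of three of those pivots (registrant email and organization, IP address, and string) over a handful of constructed records. Every domain, email address, organization name and IP in it is a placeholder; the report's own 103 IoCs and their real records are not reproduced here, and the report's separate "email-connected" category (other contact emails found in WHOIS) is not modelled.

```python
"""
Added example: expanding a seed IoC list into possibly connected artifacts,
mirroring the pivot categories used in the report (registrant email,
registrant organization, IP address, string). All data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WhoisRecord:
    registrant_email: str
    registrant_org: str


# Constructed seed IoCs (placeholders, not the report's real indicators)
SEED_DOMAINS = frozenset({"seed-one.example", "seed-two.example"})

# Constructed WHOIS records: domain -> registrant details
WHOIS = {
    "seed-one.example": WhoisRecord("reg@mailbox.example", "Placeholder Org"),
    "seed-two.example": WhoisRecord("other@mailbox.example", "Placeholder Org"),
    "pivot-a.example": WhoisRecord("reg@mailbox.example", "Unrelated Ltd"),
    "pivot-b.example": WhoisRecord("nobody@mailbox.example", "Placeholder Org"),
    "benign.example": WhoisRecord("admin@benign.example", "Benign Inc"),
}

# Constructed A records: domain -> set of resolved IPs (TEST-NET ranges)
DNS_A = {
    "seed-one.example": {"192.0.2.10"},
    "seed-two.example": {"192.0.2.11"},
    "pivot-a.example": {"192.0.2.10"},
    "pivot-c.example": {"192.0.2.11"},
    "benign.example": {"198.51.100.5"},
}

# Constructed hostname inventory used for the string pivot
HOSTNAMES = [
    "login-seed-one.example",
    "seed-one.attacker-test.example",
    "mail.benign.example",
]


def registrant_connected(seeds, whois, field):
    """Domains outside the seed set whose WHOIS `field` equals a seed's value
    (reverse WHOIS on registrant email or registrant organization)."""
    seed_values = {getattr(whois[d], field) for d in seeds if d in whois}
    return {
        d for d, rec in whois.items()
        if d not in seeds and getattr(rec, field) in seed_values
    }


def ip_connected(seeds, dns_a):
    """IPs the seeds resolve to, plus other domains sharing those IPs
    (reverse IP lookup). Returns (ips, domains)."""
    ips = set().union(*(dns_a.get(d, set()) for d in seeds))
    domains = {d for d, addrs in dns_a.items() if d not in seeds and addrs & ips}
    return ips, domains


def string_connected(seeds, hostnames):
    """Hostnames that contain a seed's second-level label as a substring,
    which is how brand- or kit-specific strings surface look-alike hosts."""
    labels = {d.split(".")[0] for d in seeds}
    return {
        h for h in hostnames
        if h not in seeds and any(label in h for label in labels)
    }


def expand(seeds=SEED_DOMAINS, whois=WHOIS, dns_a=DNS_A, hostnames=HOSTNAMES):
    """Run every pivot and return the connected artifacts per category."""
    ips, ip_domains = ip_connected(seeds, dns_a)
    return {
        "registrant_email_connected": registrant_connected(seeds, whois, "registrant_email"),
        "registrant_org_connected": registrant_connected(seeds, whois, "registrant_org"),
        "ip_addresses": ips,
        "ip_connected_domains": ip_domains,
        "string_connected": string_connected(seeds, hostnames),
    }


if __name__ == "__main__":
    for category, items in expand().items():
        print(f"{category}: {len(items)} -> {sorted(items)}")
```

Each pivot deliberately excludes the seeds themselves, so the counts it reports are of newly surfaced artifacts only, as in the bullet list above. In practice the pivoted sets are candidates for review, not verdicts: a shared hosting IP or a privacy-proxy registrant email will pull in unrelated domains, which is why the report qualifies its findings as "possibly connected" and separately checks the IP addresses for malicious reputation.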

Download a sample of the threat research materials now or contact sales to discuss your intelligence needs for threat detection and response. 

  • [1] https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/
  • [2] https://github.com/SEKOIA-IO/Community/blob/main/IOCs/tycoon2fa/tycoon2fa_iocs_20240325.csv