Identity Crisis – The Rise of PhaaS & MFA Bypass
- MARCH 16TH, 2026
- 2 min read
In March 2024, cybersecurity researchers at Sekoia.io discovered a massive surge in the Tycoon2FA PhaaS platform. This kit was used to target thousands of Microsoft 365 and Gmail users by proxying legitimate login pages in real-time. The campaign successfully bypassed MFA for high-value targets by stealing session cookies instead of just passwords. This incident demonstrated that even low-skilled attackers can now purchase the ability to penetrate hardened corporate environments for a small monthly subscription.
How PhaaS Bypasses Your MFA
Unlike traditional phishing that steals static passwords, PhaaS kits use a transparent proxy:
1. Adversary-in-the-Middle (AiTM): The attacker sits between the user and the real service (e.g., Microsoft 365). The user enters their credentials and MFA code into a fake site that looks identical to the real one.
2. Session Token Theft: The PhaaS kit passes the user’s data to the real site, completes the login, and then intercepts the authenticated session cookie.
3. Instant Hijack: The attacker uses this stolen cookie to enter the user’s account directly, completely bypassing the need for a password or a second code for the duration of that session.
Strategic Defense: Hardening the Identity Perimeter
To counter commoditised PhaaS kits, organisations must move toward phishing-resistant identity architectures.
Mandate Phishing-Resistant MFA
Standard MFA (SMS, Voice, and standard Push notifications) is no longer a “silver bullet.”
1. Implement FIDO2/Passkeys: Transition critical users to hardware security keys (e.g., YubiKey) or device-bound passkeys. These methods bind the authentication challenge to the genuine service's origin, so the response cannot be relayed through a PhaaS proxy sitting on a different domain.
2. Restrict “Basic” MFA: Phase out SMS and TOTP (authenticator codes) for high-privilege accounts, as these are the primary targets for AiTM kits.
Enforce Conditional Access & Token Discipline
If a token is stolen, its value must be minimised.
1. Restrict Session Lifespans: Reduce the duration of “Remember Me” sessions for sensitive applications. Shorter lifespans mean a stolen token expires before the attacker can cause significant damage.
2. Device Compliance Checks: Enforce policies that require a device to be “Known” or “Compliant” (Managed by Intune/Jamf) before a session token is valid. An attacker using a stolen token on an unmanaged device will be blocked.
Monitor for Identity Anomalies
Detect the breach at the point of authentication.
1. Impossible Travel Alerts: Flag logins where the physical distance between two consecutive access points is impossible for a human to travel (e.g., a login from Lagos and another from London within 30 minutes).
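The impossible-travel check above, as an added example that is not code from the original advisory: it sorts sign-in events per user, computes the great-circle distance between consecutive sign-ins, and flags any pair whose implied speed exceeds what a human could plausibly cover. The per-event coordinates are assumed to come from an IP-geolocation step; the sample events below are constructed.

```python
"""Impossible-travel detection over constructed sign-in events.

Added example, not part of the original advisory. Coordinates are assumed
to have been resolved from the sign-in IP by a geolocation step.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # roughly the cruising speed of an airliner
MIN_DISTANCE_KM = 100.0     # ignore geo-IP jitter within one metro area


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    lat: float
    lon: float
    city: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (degrees)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert dict per consecutive same-user sign-in pair that
    implies travel faster than max_kmh (or any large jump in zero time)."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            kmh = float("inf") if hours == 0 else km / hours
            if kmh > max_kmh:
                alerts.append({"user": user, "from": prev.city, "to": cur.city,
                               "km": round(km), "minutes": round(hours * 60),
                               "kmh": round(kmh)})
    return alerts


# Constructed sample: alice's Lagos -> London jump mirrors the advisory's case.
SAMPLE = [
    SignIn("alice", datetime(2026, 3, 16, 9, 0), 6.5244, 3.3792, "Lagos"),
    SignIn("alice", datetime(2026, 3, 16, 9, 30), 51.5074, -0.1278, "London"),
    SignIn("bob", datetime(2026, 3, 16, 9, 0), 51.5074, -0.1278, "London"),
    SignIn("bob", datetime(2026, 3, 16, 12, 0), 53.4808, -2.2426, "Manchester"),
]
```

Feed it the sign-in events from your identity provider's audit log and tune MAX_PLAUSIBLE_KMH and MIN_DISTANCE_KM to your user base's travel patterns.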