The recent surge in sophisticated phishing campaigns targeting SaaS environments has laid bare the evolving tactics leveraged by cybercriminals—particularly the abuse of reputable cloud services and the subversion of multi-factor authentication (MFA) controls. In late 2024 and early 2025, the Darktrace Security Operations Center (SOC) provided a comprehensive analysis of separate but strikingly similar SaaS account compromises, uncovering substantial evidence of a larger, coordinated phishing campaign. Critical to these operations was the fusion of legitimate tools—like Milanote, a project collaboration platform—with advanced Adversary-in-the-Middle (AitM) phishing kits such as Tycoon 2FA, allowing attackers to circumvent both user awareness efforts and technical defenses.

Abuse of Legitimate SaaS Platforms in Modern Phishing

Trust as a Vulnerability

Threat actors are increasingly exploiting widely recognized business tools to craft convincing social engineering attacks. According to Darktrace’s 2024 Annual Threat Report, platforms like Milanote are prime targets in these campaigns, offering attackers established reputations and trusted domains to mask their intent. This method enhances the success rate of phishing campaigns by making malicious emails appear as benign, trusted communications that can bypass traditional security filters.
These legitimate services often fall into what security analysts term “free content senders”: platforms that allow bulk email sending, often from fixed, validated domains (e.g., support@milanote.com), but behind these, attackers can freely tailor content and subject lines. While this customization can, in theory, tip off modern email gateways, the consistent structure and sender reputation often enable phishers to slip through undetected. Notably, the immutable aspects of these platforms—like reply addresses or trusted unsubscribe links—further complicate detection.

Milanote as a Phishing Vector

In January 2025, Darktrace observed a burst of phishing activity centered around Milanote. Attackers targeted multiple users within a single organization by referencing a supposed “new agreement”—a tactic designed to evoke curiosity while maintaining a non-threatening, businesslike tone. These emails were structured to appear both familiar and urgent, referencing internal colleagues and departmental processes, subtly pressuring recipients into taking action while not triggering alarm bells associated with more generic phishing tactics.
Crucially, while emails originated from a recognizable Milanote address and contained various legitimate Milanote links, they also embedded a singular malicious payload—an ostensibly routine invitation to a Milanote board, which, when clicked, redirected users to a credential harvesting site cleverly hosted within Milanote's platform. Such blending of genuine and malicious links serves both to disarm suspicion and to evade automated anti-phishing tools that might otherwise block the entire message.

Advanced AitM Phishing Kits: Tycoon 2FA and the Bypass of MFA

Anatomy of Tycoon 2FA

The Tycoon 2FA kit, first reported in August 2023 and rapidly evolving ever since, represents a new breed of AitM (Adversary-in-the-Middle) attack kits distributed through the growing Phishing-as-a-Service (PhaaS) underground economy. Its central innovation is the ability to intercept not just credentials but the session cookies granted after successful MFA, allowing attackers to impersonate users even after password resets or key changes.
When a targeted victim submits credentials on a carefully crafted fake login page (styling itself after Microsoft or Google, for example), Tycoon 2FA relays responses to and from the legitimate service, capturing the authentication flow—including any one-time passwords (OTP) or push notifications associated with MFA. Once session cookies have been stolen, they are immediately usable by the attacker to gain direct, authenticated access to cloud services without further need for re-authentication, nullifying one of the cornerstones of modern account security.

The Multi-Vector Kill Chain

Darktrace mapped the complete kill chain observed in these campaign variants:
  • Initial Phishing Contact: Users received a Milanote-based invitation, with messages tailored to evoke interest in a plausible document (“new agreement”).
  • Embedded Credential Harvester: The “accept invitation” link routed unsuspecting users to a Milanote-hosted board, which in turn linked out to a third-party credential harvesting portal.
  • Real-Time AitM Redirects: After harvesting credentials, users were directed through a Cloudflare Turnstile challenge—designed to deflect automated analysis tools—before being funneled to fake login pages that simulated the target organization’s SSO portals or well-known cloud providers.
  • Session Hijacking and Post-Compromise Activity: Once credentials and session tokens were stolen, attackers immediately attempted to log in, often from anonymized or VPN-sourced IP addresses, triggering rare event detections in both Darktrace and Microsoft’s native monitoring.

Defensive Gaps Exploited

The Challenge for Security Tools

One core reason these attacks are successful is the blending of legitimate infrastructure and content with malicious payloads. Many email security tools rely on sender/domain reputation, structural analysis, or link scanning; when nearly all links and sender addresses in an email are legitimate—and only one is not—security tools may struggle to differentiate a benign business process from subversive activity.
Additionally, because the initial credential harvester is often hosted on the trusted Milanote platform, it can slip past security solutions in which Milanote has been allow-listed for business continuity, or which already treat it as a known-good sender in the environment. Only with behavioral analysis that flags anomalies such as “first time recipient,” “unknown sender,” or links to previously unseen file storage services are solutions like Darktrace able to precisely identify and block the true threat while leaving legitimate content accessible.

The Limitations of MFA

While MFA adoption is widely recognized as a crucial defense, the Tycoon 2FA kit illustrates why it is no longer sufficient in isolation. By intercepting the MFA flow and capturing session cookies, attackers can invisibly “replay” valid logins from entirely different geographies, bypassing most native security policies. In multiple Darktrace investigations, subsequent malicious activity was observed from US-based IPs (including addresses tied to the Hide My Ass (HMA) VPN service), while the legitimate user continued to operate from Germany.
Compounding the risk, once an attacker gains access, common persistence tactics include the creation of new inbox rules designed to delete or redirect any messages containing references to “Milanote” or other aspects of the attack, preventing both automatic alerts and manual user discovery of compromise.

Behavioral Analytics and Autonomous Response: Darktrace’s Playbook

Multi-Layered Alerting and Correlation

Darktrace’s layered approach employs anomaly detection across email, network, and identity layers:
  • Email Layer: Detects structural anomalies (new sender, link rarity, surge patterns) and unique link-to-file storage relationships.
  • Network Layer: Analyzes outbound DNS queries and communications to known malicious domains (e.g., Tycoon 2FA infrastructure).
  • Identity Layer: Flags rare logins from new geographies, simultaneous session overlaps, and unusual SaaS activity (modification of inbox rules, excessive email access, etc.).
This analysis culminates in multi-faceted incident detection. For example, after an anomalous login was detected, Darktrace’s platform correlated it with concurrent unusual email rule creation, classifying the activity as a likely account takeover scenario mapped against established MITRE ATT&CK tactics, such as credential access, persistence, and defense evasion.
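The identity-layer correlation described above (and the inbox-rule audit recommended under “Monitor for Policy Manipulation” below), written out as an added example that is not Darktrace’s code: a rare-geography sign-in followed within a short window by a mail-hiding inbox rule from the same user is raised as a likely account takeover. The event schema, the per-user country baseline, the one-hour window and the sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): sign-in events and mailbox audit
# records for two users, merged into one time-ordered stream.
EVENTS = [
    {"ts": "2025-01-14T08:02:00", "user": "alice", "type": "SignIn", "country": "DE"},
    {"ts": "2025-01-14T08:31:00", "user": "alice", "type": "SignIn", "country": "US"},
    {"ts": "2025-01-14T08:34:00", "user": "alice", "type": "New-InboxRule", "name": "GFH",
     "params": {"SubjectContainsWords": ["Milanote"], "DeleteMessage": True}},
    {"ts": "2025-01-14T09:10:00", "user": "bob", "type": "SignIn", "country": "DE"},
    {"ts": "2025-01-14T09:12:00", "user": "bob", "type": "New-InboxRule", "name": "Newsletters",
     "params": {"FromAddressContainsWords": ["news@"], "MoveToFolder": "Newsletters"}},
]
# Assumed per-user baseline of countries seen during normal activity (learned elsewhere).
BASELINE = {"alice": {"DE"}, "bob": {"DE"}}
WINDOW = timedelta(hours=1)  # how long after a rare sign-in we look for persistence
STRONG_ACTIONS = {"DeleteMessage", "ForwardTo", "RedirectTo"}  # hide or exfiltrate mail
KEYWORD_FILTERS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}


def is_rare_signin(ev, baseline=BASELINE):
    """Sign-in from a country never seen for this user (a 'rare geography' login)."""
    return ev["type"] == "SignIn" and ev["country"] not in baseline.get(ev["user"], set())


def is_suspicious_rule(ev):
    """Inbox rule that deletes/forwards mail, or silently files keyword-matched mail."""
    if ev["type"] != "New-InboxRule":
        return False
    p = ev["params"]
    keyword = any(k in p for k in KEYWORD_FILTERS)
    return any(k in p for k in STRONG_ACTIONS) or (keyword and "MarkAsRead" in p)


def correlate(events=EVENTS, baseline=BASELINE, window=WINDOW):
    """Pair each rare-geography sign-in with suspicious inbox rules the same user
    created within `window`; each pair is a likely account-takeover finding."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, s in enumerate(events):
        if not is_rare_signin(s, baseline):
            continue
        t0 = datetime.fromisoformat(s["ts"])
        for r in events[i + 1:]:
            dt = datetime.fromisoformat(r["ts"]) - t0
            if r["user"] == s["user"] and dt <= window and is_suspicious_rule(r):
                findings.append({"user": s["user"], "signin": s["ts"], "country": s["country"],
                                 "rule": r["name"], "tactics": ["Credential Access", "Persistence", "Defense Evasion"]})
    return findings
```

On the sample stream only alice’s US sign-in followed by the “GFH” delete rule is reported; bob’s newsletter-filing rule after a baseline-country sign-in is left alone.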

Autonomous, Surgical Response

Unlike many legacy solutions, Darktrace’s Autonomous Response doesn’t simply quarantine entire accounts or block all mail from suspect domains—a blunt-force approach that too often interrupts critical business processes. Instead, it precisely disables only the affected accounts for a limited window, blocks individual malicious links, and allows legitimate activity to continue until the incident is fully remediated.
In one highlighted incident, the compromised user account was disabled within three minutes of suspicious activity, affording the client organization time to reset credentials, close out active sessions, and fully eject the attacker from all platforms. The incident response included deleting malicious inbox rules and providing a full activity log for post-mortem analysis.

A Broader Campaign: Evidence of Global Operations

Follow-on investigations revealed that similar attack patterns—some with nearly identical naming conventions for malicious inbox rules (“GFH,” “GVB”)—were observed in other Darktrace-protected environments in the preceding months. These attacks leveraged emails across multiple languages, including Spanish and Portuguese, and used consistent phishing lures and URLs. OSINT sources and sandbox analysis corroborated the use of Tycoon 2FA in these campaigns, as indicated by payload linking structures and backend domain intelligence.
The technical evolution of Tycoon 2FA is notable: recent iterations introduce deliberate obfuscations to prevent defenders from performing forensic analysis, including restrictions on text copying, disabled right-click functionality, and anti-analysis code intended to block automated tools.

Critical Analysis: Strengths, Weaknesses, and Implications

Strengths of Detection and Response

The Darktrace case studies underscore the value of anomaly-based detection—particularly for SaaS- and cloud-native businesses already defaulting to whitelisting trusted platforms. Traditional signature and rule-based tools, though still valuable, are easily circumvented by attackers willing to “live off the land” by abusing legitimate platforms for malicious ends.
By focusing on the behavioral baseline of both user and system activity, Darktrace’s solution was able to:
  • Detect the moment an unusual sender began distributing plausible but unfamiliar content.
  • Pinpoint the presence of novel link-to-storage relationships never before seen in the environment.
  • Correlate rare, geographically distant login activity matching the timeline of email interaction and subsequent inbox manipulation.
Additionally, the interplay between automated containment and SOC intervention meant organizations were able to rapidly contain attacks and prevent lateral movement, despite narrow windows of vulnerability.

Persistent and Emerging Weaknesses

Despite these successes, gaps remain:
  • Reliance on Anomaly Detection: Behavioral approaches, while powerful, may be less effective in “noisy” environments or with highly variable business workflows. False positives, though reduced by machine learning, can lead SOC teams to overlook subtle threats amid alert fatigue.
  • Delayed Automation: In cases where organizations have not fully enabled autonomous response, malicious actors may still have crucial minutes or hours to entrench themselves before humans intervene.
  • Evasion and Obfuscation: Kits like Tycoon 2FA are evolving rapidly, with each iteration introducing new stealth mechanisms specifically to foil automated and human-driven forensics.

The Fight Against Legitimate Platform Abuse

The central challenge in the current security landscape is the normalization of “shadow IT”—legitimate platforms used for illegitimate ends. As enterprise workflows become more distributed, especially with the proliferation of remote and hybrid work, distinguishing between unorthodox but harmless usage and true compromise requires far finer granularity than most organizations possess.
Enlisting cloud providers and SaaS vendors as partners in cyber defense—via improved telemetry, enhanced API logging, and streamlined incident response channels—will be vital. At the same time, robust user education remains essential; while many employees are aware of generic invoice scams or credential phishing lures, more targeted and contextually-savvy campaigns—such as the “new agreement” Milanote ploy—will continue to claim victims unless staff are coached to scrutinize even seemingly benign interactions.

Practical Guidance for Security Teams

Drawing from the lessons of these real-world cases, organizations can take several actionable steps:

1. Harden Behavioral Baselines

Implement behavioral analytics capable of mapping both individual and collective activity—across email, network, and SaaS identity layers. Periodically review and recalibrate detection models based on genuine business process changes.

2. Enforce Segmented and Responsive Controls

Enable automated, time-limited response actions (such as account disabling or workflow containment) that restrict attacker dwell time while avoiding major business disruption.

3. Monitor for Policy Manipulation

Actively audit inbox rules, email forwarding policies, and new mailbox configurations for signs of suspicious or automated interference, especially following anomalous login events.

4. Educate Beyond the Basics

Move phishing awareness training beyond the tropes of “urgency” and “missed invoices” to address social engineering through trusted platforms, document invitations, and project collaboration tools.

5. Collaborate Across Vendors and Platforms

Establish playbooks and incident response workflows in partnership with SaaS providers, ensuring that evidence can be preserved, sessions terminated, and backdoors (like malicious inbox rules) closed swiftly.

Conclusion: Adapting to the New Normal

The abuse of reputable SaaS platforms for phishing—combined with advanced, rapidly evolving AitM kits like Tycoon 2FA—underscores a critical inflection point for enterprise security. While measures like MFA remain essential, they can be undermined by attackers targeting the session layer directly. Security programs must therefore shift towards holistic context analysis, immediate incident correlation, and—where possible—surgical, automated containment.
Most importantly, as business continues to migrate into the cloud and global collaboration platforms, every trusted service may one day serve as a Trojan horse. Companies like Darktrace, blending anomaly detection with guided response, demonstrate a pragmatic path forward, but the arms race is far from over. Continuous vigilance, partnership with cloud service vendors, and relentless refinement of both technical and human defenses are necessary to keep pace with adversaries who thrive on trust.
Stakeholders at every level—from SOC teams to business users—must now treat every new platform invitation, every document share, as a potential vector, examining not just what is sent but how and by whom. Only by combining world-class detection with user empowerment can organizations defend the porous, ever-shifting boundaries of the cloud workspace.

For more detailed technical analysis, see Darktrace’s 2024 Annual Threat Report and referenced primary research on Tycoon 2FA and related phishing kit methodologies.

Source: Darktrace Boosting Security with Azure Virtual Network TAP Traffic Mirroring