Overview Over the past few weeks, I have been tracking a credential harvesting campaign that repeatedly abuses newly registered *.contractors domains to deliver Gmail and Microsoft 365/Outlook phishing pages. While the social engineering lures vary including ICANN email verification , document sharing , and account security prompts . The underlying infrastructure, tooling, and execution flow remain consistent Based on analysis of the phishing HTML, JavaScript, and runtime behavior, this activity can be attributed with high confidence to the Tycoon 2FA phishing kit, based on its distinctive MFA aware execution flow, client side obfuscation, and anti-analysis tradecraft. This attribution is supported by distinctive Tycoon specific client side tradecraft, including MFA aware flows, advanced anti-analysis logic, and encrypted runtime loaders, as shown below. Technical Evidence Supporting Tycoon 2FA Attribution Analysis of the extracted HTML and JavaScript reveals multiple Tycoon 2FA specific behaviors that go beyond generic phishing kits. Anti-Analysis & Sandbox Evasion Logic The phishing pages actively detect analysis environments and developer tools, immediately terminating execution or redirecting the user if detected: Additional protections disable common inspection techniques: This multi-layered anti-analysis logic is a well known characteristic of Tycoon 2FA deployments, commonly observed across multiple campaigns leveraging this phishing-as-a-service (PhaaS) framework. Runtime Debugger Detection & Forced Redirect The kit also employs debugger timing detection to identify active inspection and force redirection: This technique is specifically used by Tycoon based phishing frameworks to evade dynamic analysis and sandbox detonation. ICANN Email Verification Lure One of the more recent samples impersonates ICANN (Internet Corporation for Assigned Names and Numbers) and claims that the recipient’s email address must be verified to avoid domain-related disruption. The email states that: The recipient’s email is listed as the owner contact for a domain The address is allegedly unverified or inactive Failure to verify may result in email suspension A verification link is provided, styled to appear ICANN-related. However, hovering over the link reveals that it actually points to attacker controlled infrastructure hosted outside of any legitimate ICANN or registrar domain. In this case, the observed link resolved to hxxps://recontact252.bluvias.de/572pectoral/$anurag@malwr-analysis.com The URL embeds the recipient’s email address directly in the path, a common personalization technique used in targeted phishing campaigns to increase credibility and successful credential submission. Redirection Flow: CAPTCHA as an Anti-Analysis Gate Clicking the verification link does not immediately present a login page. Instead, victims are routed through a fake CAPTCHA / “ confirm you’re human ” page, which serves as a deliberate execution delay. This delay is important for two reasons: Automated sandbox services (e.g., URLScan) often complete scanning before the CAPTCHA stage is reached, meaning the actual phishing payload is never rendered during automated analysis. User interaction is required to proceed, filtering out non-human traffic and reducing detection rates. Final Payload: Gmail & Microsoft 365 Tycoon 2FA Lures After CAPTCHA completion, victims are redirected to high-fidelity Gmail or Microsoft 365 / Outlook login pages, depending on the campaign variant. Observed behaviors include: Accurate UI and branding replication Email address prefilled or dynamically referenced Transition into multi-step authentication flows MFA approval interception and credential capture Despite branding differences, both lures share identical loader logic, obfuscation patterns, and runtime behavior, confirming they are part of the same Tycoon 2FA campaign. Infrastructure Reuse: *.contractors Domains Across all observed samples, the campaign consistently abuses freshly registered .contractors domains, often using randomized subdomains and long URL paths. Examples observed include: Outlook hxxps://datacenter.lonaihoo.contractors/i!2zDbFPEvdm/ hxxps://pytorch.hithomu.contractors/Hik3GWNtRtmoaf@Ul5FNuB3/$bmVzZS5ndW5lckBlZ29uemVobmRlci5jb20= hxxps://bigbluebutton.seacrevea.contractors/nGPI9ensbX@Y/ hxxps://redoc.kaidaisoo.contractors/Yi@9yUWrVO/ hxxps://firewall.tiostemio.contractors/nu2ATGWco@GZ/ hxxps://pulumi.kaidaisoo.contractors/QBQG4CC@30W/ Gmail hxxps://cdnedge.kirosoo.contractors/UyHX5Z5NJWj!i6VTZW5/ hxxps://bscscan.kirosoo.contractors/KQccgiv0@RRZ4xeCQMfRJbnT/ hxxps://copytrade.kirosoo.contractors/m8WqmrYb6lVk7C@9o1Yio/ hxxps://dist.draidatroo.contractors/4!OMtEFiKRQ/ hxxps://boot.lizojea.contractors hxxps://hashid.draidatroo.contractors/ey!z5jV2w/ Benign Page hxxps://ide.pishathi.contractors hxxps://ide.niramio.contractors/ hxxps://js.hithomu.contractors/ hxxps://substack.wifupu.contractors/ hxxps://swap.lizojea.contractors/ hxxps://ba...