Sneaky 2FA Joins Tycoon 2FA and EvilProxy in 2025 Phishing Surge
Security firm Barracuda has reported over a million phishing-as-a-service (PhaaS) attacks in 2025.
These attacks were powered by known platforms such as Tycoon 2FA and EvilProxy, with the emergence of a new threat, Sneaky 2FA, highlighting the rapid evolution of phishing tools.
Tycoon 2FA was the most prominent and sophisticated PhaaS platform active in early 2025, accounting for 89% of PhaaS attacks. EvilProxy accounted for 8% and Sneaky 2FA for 3%.
The platforms that power PhaaS are increasingly complex and evasive, Barracuda noted. This makes phishing attacks both harder for traditional security tools to detect and more powerful in terms of the damage they can do.
Deerendra Prasad, Associate Threat Analyst at Barracuda Networks, shared findings from PhaaS activity in the first two months of 2025 in a recent blog post.
New Phishing Player Sneaky 2FA
Sneaky 2FA is so named because it can bypass two-factor authentication. The attack toolkit is sold as a service by the cybercrime outfit Sneaky Log.
Sneaky 2FA leverages the messaging service Telegram and operates as a bot.
It has been used as a platform for adversary-in-the-middle (AiTM) attacks targeting Microsoft 365 accounts in search of credentials and access.
Targets receive an email that contains a link. If they click on the link, it redirects them to a spoofed, malicious Microsoft login page. The attackers check to make sure the user is a legitimate target and not a security tool before pre-filling the fake phishing page with the victim’s email address by abusing Microsoft 365’s ‘autograb’ functionality.
Tycoon 2FA Undergoes Continuous Modification
Having first emerged in August 2023, the Tycoon 2FA phishing kit has recently been updated with enhanced evasion mechanisms, making it even harder to detect.
In January 2025, Barracuda's analysis found that Tycoon 2FA used malicious scripts to obstruct defenders' analysis of its phishing pages, for example by blocking shortcut keys.
According to Barracuda, this approach has now been abandoned in favor of an even more evasive one.
The upgraded script now includes:
- A Caesar cipher (a shifting substitution cipher) instead of plain text. This script is responsible for several processes, such as stealing user credentials and exfiltrating them to an attacker-controlled server
- Several instances of the Hangul Filler character (Unicode U+3164), an invisible character (but not a space) from the Hangul script. Such characters are often used to fill space without displaying any content and are commonly employed in phishing obfuscation techniques
- The upgraded script identifies a victim’s browser type, likely for evasion or attack customization. It also includes Telegram links, often used to secretly send stolen data to attackers
- Intercommunication links such as Ajax requests, which let parts of a web page update independently of the rest of the page. The script also uses AES encryption to disguise credentials before exfiltrating them to a remote server, making detection more difficult
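As an added example (not code from Barracuda's report or from the kit itself), the following Python triage helper flags JavaScript that shows the two obfuscation traits listed above: Hangul Filler (U+3164) padding and Caesar-shifted string literals that decode to an indicator such as a Telegram API host. The sample script and the indicator list are constructed for illustration and are assumptions, not values from the report.

```python
import re

HANGUL_FILLER = "\u3164"
# Assumed indicator list: substrings a decoded string literal is checked against.
INDICATORS = ("telegram", "api.telegram.org", "sendmessage", "password")


def strip_hangul_filler(text: str) -> tuple[str, int]:
    """Remove U+3164 characters; return the cleaned text and how many were removed."""
    count = text.count(HANGUL_FILLER)
    return text.replace(HANGUL_FILLER, ""), count


def caesar_shift(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions, leaving every other character alone."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def find_caesar_indicators(text: str) -> list[tuple[int, str, str]]:
    """Try every non-zero shift on each quoted literal (6+ chars); return (shift, literal, decoded) hits."""
    hits = []
    for literal in re.findall(r"""["']([^"']{6,})["']""", text):
        for shift in range(1, 26):
            decoded = caesar_shift(literal, shift)
            if any(ind in decoded.lower() for ind in INDICATORS):
                hits.append((shift, literal, decoded))
                break  # one decoding per literal is enough to flag it
    return hits


def triage_script(js: str) -> dict:
    """Strip invisible padding first, then look for Caesar-hidden indicators."""
    cleaned, fillers = strip_hangul_filler(js)
    hits = find_caesar_indicators(cleaned)
    return {"hangul_fillers": fillers, "caesar_hits": hits,
            "suspicious": fillers > 0 or bool(hits)}


# Constructed sample: "https://api.telegram.org/bot" shifted by 3, padded with U+3164.
SAMPLE_JS = 'var u = "' + HANGUL_FILLER * 4 + 'kwwsv://dsl.whohjudp.ruj/erw" + "' + HANGUL_FILLER + '";'

if __name__ == "__main__":
    print(triage_script(SAMPLE_JS))
```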
EvilProxy, a Dangerous PhaaS
Barracuda said EvilProxy is a “particularly dangerous” PhaaS tool because of its accessibility: it requires minimal technical expertise, putting sophisticated phishing attacks within reach of a wider range of cybercriminals.
EvilProxy enables attackers to target widely used services such as Microsoft 365, Google and other cloud-based platforms.
Through phishing emails and malicious links, EvilProxy tricks victims into entering their credentials on seemingly legitimate login pages.
EvilProxy attacks are harder to detect because they use random URLs. However, if the Microsoft or Google login page URL looks different from the usual one, avoid entering your credentials, Barracuda warned.
Another giveaway is unusual MFA prompts, such as receiving an MFA prompt when you are not actually logging in.