Cybersecurity researchers have observed a surge in identity-driven cyberattacks targeting employee login credentials. According to a new report by eSentire’s Threat Response Unit (TRU), between 2024 and the first quarter of 2025, 19,000 identity-related cyber investigations revealed a 156% increase in such threats compared to 2023. These incidents now account for 59% of all confirmed threats across eSentire’s customer base of over 2000 organizations.[1]
One of the biggest enablers of this trend is Tycoon 2FA, a Phishing-as-a-Service (PhaaS) platform that helps cybercriminals steal Microsoft business account credentials and session cookies. From January to May 2025, Tycoon 2FA emerged as the leading PhaaS tool, surpassing rivals like EvilProxy and Sneaky 2FA.
Renting the platform costs between $200 and $300 a month and includes:
- Email templates spoofed to look like trusted sources
- Advanced adversary-in-the-middle (AitM) capabilities to bypass MFA
- Anti-debugging and evasion tools
- Built-in credential exfiltration
- Customer support and regular updates
Attackers use Tycoon 2FA to execute business email compromise (BEC) schemes by targeting employees in accounts receivable roles, harvesting their credentials, and manipulating invoices to reroute payments to attacker-controlled bank accounts.
See: https://redskyalliance.org/xindustry/cyber-criminals-using-bec
For attackers seeking low-cost options, infostealer malware provides a vast supply of stolen credentials. Logs obtained using tools like Lumma Stealer are sold on underground markets for as little as $10.
Each log may include dozens of credentials from:
- Email and banking services
- Password manager databases
- Crypto wallets and browser extensions
- VPNs, FTP clients, and local files
Operating since 2022, Lumma Stealer is known for its automation, which includes built-in filters to identify high-value data. This reduces the time needed to exploit stolen credentials and speeds up resale on markets like the Russian Market.
The FBI confirmed that it has tracked over 300,000 BEC incidents globally since 2013, resulting in $55 billion in losses. With infostealers accounting for 35% of all malware threats disrupted by eSentire in Q1 2025, identity-based attacks now offer a higher return than traditional exploits. eSentire’s TRU expects these threats to persist and urges organizations to adopt phishing-resistant authentication, zero-trust strategies, and real-time access monitoring.
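As an added illustration of the real-time access monitoring recommended above (this is example code, not from the eSentire report or Red Sky Alliance), the heuristic below flags a session token that is reused from a different network shortly after it was issued, which is the pattern an AitM kit such as Tycoon 2FA produces when a stolen cookie is replayed after the victim has completed MFA. The event fields, IP addresses and ASN labels are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignInEvent:
    ts: datetime
    user: str
    session_id: str  # identifier of the session cookie / token presented
    ip: str
    asn: str         # network the request came from (constructed labels)


def find_session_replays(events, window=timedelta(hours=1)):
    """Return (user, session_id, origin_asn, new_asn) for every session whose
    token shows up from a different ASN within `window` of its first use.
    A legitimately issued token rarely hops networks that fast; a cookie
    captured by an AitM proxy and replayed from attacker infrastructure does."""
    first_use = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.session_id)
        if key not in first_use:
            first_use[key] = ev      # first time this token is seen
            continue
        origin = first_use[key]
        if ev.asn != origin.asn and ev.ts - origin.ts <= window:
            findings.append((ev.user, ev.session_id, origin.asn, ev.asn))
    return findings


def _t(h, m):
    return datetime(2025, 5, 1, h, m)


# Constructed sign-in log: one replayed session, two benign ones.
SAMPLE_EVENTS = [
    SignInEvent(_t(9, 0), "alice", "s1", "203.0.113.10", "AS-PROXY"),      # MFA'd login seen via the AitM proxy
    SignInEvent(_t(9, 12), "alice", "s1", "198.51.100.7", "AS-ATTACKER"),  # same cookie replayed from elsewhere
    SignInEvent(_t(10, 0), "bob", "s2", "192.0.2.5", "AS-CORP"),
    SignInEvent(_t(10, 30), "bob", "s2", "192.0.2.9", "AS-CORP"),          # new IP, same network: not flagged
    SignInEvent(_t(11, 0), "carol", "s3", "192.0.2.20", "AS-CORP"),
    SignInEvent(_t(15, 0), "carol", "s3", "198.51.100.9", "AS-HOME"),      # outside the window: not flagged
]

if __name__ == "__main__":
    for user, sid, origin, new in find_session_replays(SAMPLE_EVENTS):
        print(f"possible token replay: user={user} session={sid} {origin} -> {new}")
```

The window and ASN comparison are a deliberately simple heuristic; in production this would be combined with the user's historical network baseline and with phishing-resistant authentication, which removes the replayable cookie in the first place.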
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
- REDSHORTS, Weekly Cyber Intelligence Briefings: https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.infosecurity-magazine.com/news/hackers-target-employee-credentials/