Gmail And Microsoft 2FA Security Bypass — Take Action Now, Users Told

Forbes

14-04-2025

Enable passkeys as 2FA bypass attacks confirmed.
Update, April 14, 2025: This story, originally published April 13, has now been updated with more information from Trustwave detailing how attackers obfuscate their 2FA bypass phishing threats.
I'm sorry to have to tell you this, but if you didn't already realize, you are under attack. No matter the operating system you use, the applications you rely upon or the faith you have in Big Tech to protect you, attackers are coming for your accounts and your data. The higher the profile of those accounts, the more valuable they are and the more hacking scrutiny they are under. Which is why we see security warnings involving such things as Apple ID attacks, X social media data leaks, and both Android and iPhone smartphone FBI defense advice. It is, however, Gmail and Microsoft that are most valued by hackers for the data that a successful account hack can expose. News of the evolution of an already perilous threat that can bypass 2FA protections that both Google and Microsoft have in place is, therefore, naturally of huge concern. Here's what you need to know and what both tech giants say you must do right now.
Tycoon 2FA is not a new threat, far from it, in fact. As I reported March 26, 2024, the adversary-in-the-middle attack kit first came to the attention of threat intelligence experts in 2023. In March 2024, however, the criminal developers behind it turned the threat dial up a notch or two by releasing an update that specifically targeted Microsoft 365 and Gmail account holders and employed advanced obfuscation and anti-detection capabilities.
Those attackers have, it seems, now turned the dial to 11.
New intelligence from security researchers at Trustwave has revealed even more sophisticated evasion techniques being deployed against Gmail and Microsoft users in the latest 2025 attacks. According to the new report's authors, Trustwave's Phil Hay and Rodel Mendrez, these include 'using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection.'
While conceding that none of these techniques are groundbreaking, individually at least, combining them does pose a new threat that makes detection and response even more difficult. Custom CAPTCHA visuals in HTML5, for example, can add legitimacy to phishing attempts, Unicode and Proxy-based obfuscation can delay detection, and anti-debugging behaviors hide malicious activity from automated tools.
Bernard Bautista and Kevin Adriano, also working at Trustwave, have reported how threat actors are using harmless-looking images to hide what are actually dangerous links in a phishing attack. Not just using, but employing them in what the researchers have described as a 'major spike' in this type of attack obfuscation.
The attacks are ones that exploit the fact that Scalable Vector Graphics image files are based on the Extensible Markup Language, unlike more typical image formats, and that means they can contain interactive scripts. 'SVG-based attacks have sharply pivoted toward phishing campaigns,' the report warned, 'with a staggering 1800% increase in early 2025 compared to data collected since April 2024.' Notably, a large surge in such campaigns has been observed during the first quarter of 2025, driven 'largely by the emergence of Attack-in-the-Middle, Phishing-as-a-Service, platforms such as Tycoon2FA,' the researchers said.
SVG files are popularly, and perfectly legitimately, used in web design and branding campaigns due to their sharp image output, but the researchers warned that their ability to embed JavaScript introduces serious cybersecurity risks. Attackers use this to inject malicious scripts directly into the image files, which can then 'execute automatically upon opening the file, enabling a wide range of cyberattacks, including unauthorized system access, data theft, identity compromise, and leakage of sensitive information.'
The problem is, if it really needed any further explanation, that these malicious scripts can be executed without the need for explicit user interaction, and they are more difficult for security tools to detect and block. Plus, of course, the small matter of people having an elevated yet false sense of security when it comes to images, including SVG files, which are often treated as being of no risk at all.
Trustwave recommended that security teams should 'consider behavior-based monitoring, browser sandboxing, and a deeper inspection of JavaScript patterns' in order to stay one step ahead of the Tycoon 2FA attackers. Google and Microsoft, however, have some more straightforward advice for ordinary users when it comes to protecting themselves and their valuable accounts from the 2FA bypass hackers.
The simple truth is that, from the end user defensive posture perspective, the mitigation advice when it comes to Tycoon 2FA attacks is the same now as it was in 2024, namely, use passkeys.
A Google spokesperson said that 'passkeys substantially reduce the impact of phishing and other social engineering attacks. Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.'
Meanwhile, a Microsoft spokesperson said, 'As a security best practice, we encourage customers to always practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. In addition, we recommend switching to Passkeys wherever possible and using authentication apps such as Microsoft Authenticator, which warn users about potential phishing attempts.'
So, there you have it: use passkeys to protect your Gmail and Microsoft accounts, not only against this 2FA bypass attack but also against other potential threats. What are you waiting for, do it now.