Latest news with #PhilHay
New York Times
11 hours ago
- Sport
- New York Times
Is there too much soccer? Also, the Lakers fetch a record price
The Pulse Newsletter 📣 | This is The Athletic's daily sports newsletter. Sign up here to receive The Pulse directly in your inbox. Good morning! Geaux Tigers, folks. So many popular things in this world face the line of overexposure. Sports, companies, products, social media fads — they all arrive here, whether it takes decades or hours. When something becomes so big and so beloved, the abstract foundations begin to wobble. Soccer is here in 2025, the most popular sport on the planet. There is more soccer than ever. The men's Club World Cup is ongoing, a year before the World Cup happens. In Europe, Nations League just wrapped. Women's Euros begins in two weeks. The Gold Cup is happening right now, too. There is so much soccer. It might be a problem: I went to Phil Hay, author of the brilliant The Athletic FC newsletter, first for a more Europe-centric view on all this: What is our feeling on the CWC broadly? Excitement? Overkill? Capitalist greed run amok? 💬 Cynicism abounds. The prevailing view is that the Club World Cup is FIFA being FIFA: a mass of hubris which could easily be mistaken for a money-making exercise. To this point, the football has been lukewarm. FIFA ditching its planned anti-discrimination campaign is a terrible look, and its failure to explain why leaves us to draw our own conclusions. The questions I was asking in the run-up to kick-off, I'm still asking now: Is the sport enhanced by an inflated Club World Cup? And how many people outside of FIFA's bubble really need it in their lives? To drill down further on that last point: La Liga's president is already calling for the CWC to end. Do you think there's any real momentum to change this format? Or will we just churn through because the prize money is so important? 💬 Here's a point to consider: Manchester City spent $148 million on three transfers before the Club World Cup started. If they win the tournament (playing all of eight games), they'll earn $125 million in prize money. So at an executive level, you can see why FIFA's new model might be a guilty pleasure. FIFA has been quite cute in that respect, dangling a carrot which is hard to resist in a world where cash is king. But something else to ponder: If the 2025 Club World Cup is a bit of a wash-out, will 2029 attract enough money to offer a similar prize pot? In the end, the only way this thrives as FIFA wants it to is if the public buys into it. Frankly, in comparison to the money on offer, I suspect the trophy itself means squat. If you could make one or two changes to this tournament, what would they be? 💬 Firstly, level up the competition so that 10-0 routs don't happen. Secondly, if FIFA insists on having a 32-team CWC, make concessions elsewhere in the calendar to accommodate it. And thirdly, rather than banging on about how wonderful a show it is, let it speak for itself. Because in principle, I actually like the concept of clubs from all over the world mixing it with each other. I just don't like the manufactured hype. I'm with Phil on the last point, because for all our hand-wringing now, we should get some excellent soccer (and coverage of it) as the CWC draws to a close. This is high time to see those poll results from yesterday, too: Yikes. We may have crossed the overexposure line already. Let's pause for a quick news break before talking about the state of soccer in America: Lakers agree to sell for $10 billion The Buss family, which has owned the Lakers for 46 years, agreed in principle to sell the franchise to Dodgers owner Mark Walter at a valuation of $10 billion, sources told The Athletic, with the possibility of that number reaching $12 billion. Either way, it will be the largest sale of a sports franchise in history. Jeanie Buss will remain as governor of the team, too. Plenty more details in our full report. Advertisement More news 📫 Love The Pulse? Check out our other newsletters. Let's go back to the pitch, but narrow our focus a bit. Here in America, soccer is also everywhere. MLS, NWSL, USL, all while hosting events like the CWC and World Cup. And yet American soccer faces a much different issue than the global game. Two things: For help here, I turned to our American soccer expert, Paul Tenorio: Soccer in the States seems a little … disjointed. Is that your read, or am I off? 💬 I think soccer is immensely popular in the U.S., it's just divided up among many different properties. You have die-hard Premier League fans, loyal Liga MX followers, the sizable Champions League audience and the fans of international soccer who will latch on to the men's and women's national teams. This is the landscape in which MLS has to compete. Soccer fans in America can watch pretty much any soccer league they want — and many do. Access to the game has changed dramatically in the last 20 years, first on TV and now in-person as more events and tournaments come to play in the States. With parties settling in the Relevent lawsuit, we could see regular-season games of other leagues, soon, too. There is so much on offer. American soccer fans are spoiled. I'm fascinated by the odd behemoth that is MLS, which, despite gobs of teams and money, can't seem to take a true national foothold in the country. Again — off there? 💬 No, certainly not. The major challenge that MLS has is growing from a strong local event business — they drive sizable crowds in many markets — to one that resonates nationally. MLS needs to find a way to pull bigger audiences in order to demand better media rights fees. It comes down to putting a better and more compelling product on the field. That requires spending more and spending differently. MLS' current salary cap structure means teams don't maximize quality compared to their spend. It looks like MLS is on a path toward change — but it'll be in 2027 instead of 2026, when the league could have fully leveraged the home World Cup. Paul is writing a book on this exact topic, called 'The Messi Effect' — we'll keep you posted on it. Almost done: 📺 NBA: Thunder at Pacers 8:30 p.m. ET on ABC Oklahoma City can claim its first NBA title with a win tonight. All eyes will be on the health of Tyrese Haliburton. It's hard to imagine Indiana winning with Haliburton hobbled, but the Pacers have defied expectations at every juncture in this series, so who knows? 📺 Gold Cup: Saudi Arabia vs. USMNT 9:15 p.m. ET on FS1 The Americans want to continue the goodwill after that 5-0 win against Trinidad and Tobago. The Saudis have also won their lone Gold Cup match so far, so this is for top spot in the group. Important. Get tickets to games like these here. I adored this story about Sabrina Ionescu, a global superstar, who can be illustrated best by her upbringing as a child of Romanian immigrants. Make time for this. Yes, Gregg Popovich is one of the best coaches to ever grace an NBA sideline. But his best talent may be his mastery of tough conversations. Need to smile? Read this story from Sam Blum, about a kid's cherished Mike Trout-signed baseball destroyed in a house fire last month. Trout got involved. Advertisement 🎧 Today's Juneteenth, and I reflected back on this episode of the 'Full Time' podcast from last year about the holiday itself and Blackness in the NWSL. Listen here. 🎥 'No Dunks' ranked the last 25 NBA Finals in advance of tonight's game. Watch that here. Most-clicked in the newsletter yesterday: Our story on Nick Castellanos' tiff with Phillies manager Rob Thomson. Most-read on the website yesterday: The Lakers' sale news.
New York Times
27-04-2025
- Sport
- New York Times
Nottingham Forest 0 Manchester City 2 – Are City back to their best? Did Nuno get team wrong?
Manchester City reached the FA Cup final with a 2-0 win over Nottingham Forest on Sunday. It was a nightmare start for Nottingham Forest as Rico Lewis gave Manchester City the lead after two minutes. Forest looked overwhelmed by the occasion in the opening part of the first half, but improved as the game went on. Advertisement Changes from Nuno Espirito Santo helped Forest improve after the break, but Josko Gvardiol doubled City's lead in the 51st minute. Forest would go on to hit the woodwork three times, twice through Morgan Gibbs-White, but ultimately fell to defeat at Wembley Stadium. The Athletic's experts Sam Lee, Paul Taylor, Phil Hay and Thom Harris have analysed the key talking points from Sunday's game below. There can be no doubt that City are edging closer and closer back to their best, and it may well be that they do finish this extremely disappointing season with a Champions League finish and the FA Cup. They seem to be improving game on game, and their first 15 minutes here was probably the best football they have played for six months — they controlled the ball in the Forest half as my colleague Thom Harris outlines below, and they looked all the better for their experience, as Phil Hay writes. Even for the rest of the first half, they limited Forest to barely any threat whatsoever. The ironic thing is that, just as they looked to be marching to another date at Wembley thanks to Gvardiol's header, City started to fall apart somewhat. Forest hit the woodwork three times and Elanga put another good effort over that was eventually pulled back for offside, but that sense of danger that was never there in the first half was very, very real. It was as if, far from being in control and benefitting from their experience, they got sloppy having got a two-goal lead, and from there they really struggled to wrestle control of the game again. The amount of individual mistakes was remarkable. City had their moments in front of goal too, but the way the game ended will be a reminder that, for all that they have improved and as much as they can be confident that they will be even better by the time they play Crystal Palace, there is still a bit to work on. Sam Lee Nuno Espirito Santo's team selection was heavily influenced by injury and suspension, with Ola Aina, Neco Williams and Eric Moreira all unavailable in the full-back positions. It meant Forest had a makeshift back four, with 18-year-old Zach Abbott making his second start for Forest out of position at right back. Advertisement But it was further up the pitch where Forest were ineffective in the first half, with Morgan Gibbs-White and Elliot Anderson struggling to make an impact in the wide positions within a 4-4-2. Callum Hudson-Odoi and Chris Wood were almost entirely isolated up front. It was a formation that badly limited the impact of some of Forest's most influential players, during a first half in which they had looked shellshocked following the early goal. Forest immediately looked better when Anthony Elanga was introduced at half time, which allowed Anderson and Gibbs-White to return to more familiar central roles, within a 4-1-4-1. Elanga almost scored with one of his first touches, after being set up by Hudson-Odoi. Nuno has got far more right than wrong, during a remarkable season in which he has transformed Forest from relegation battlers into a team challenging for a Champions League place. And Forest were significantly improved after the change, with Gibbs-White rattling the bar with a spectacular effort, before then being denied by the post. Taiwo Awoniyi also hit the post. But this was a rare occasion when Forest's tactical approach initially put them on the back foot and allowed City to take control of the game. Paul Taylor Which of these clubs are more accustomed to an occasion like today's? To the uninitiated, exhibit A — the crowd — told that story: Forest's end packed, City's punctuated with unsold seats (a product of a Sunday afternoon kick-off in London, the cost of following City's heavier schedule and, perhaps, the fact that domestic cup semi-finals have no novelty value for them). There was energy from Forest following, far more than City's before kick-off. But exhibit B in contrasting the experience of the sides was what happened once the whistle blew. City settled on familiar turf and scored inside two minutes. Forest froze in the cavernous Wembley surroundings and contributed nothing to the first half. Advertisement Danilo's hand-on-hips pose at the break for half-time said it all, as did Anthony Elanga's appearance off the bench for the second half. Elanga's point-blank chance inside 60 seconds was curtains, a miss Forest couldn't remotely afford; score that, or forever hold your peace. This season might have rattled City, but know-how doesn't vanish overnight. They've been dealing with high-stakes fixtures for years, their staple diet on Pep Guardiola's watch, and Forest allowed them to cruise through the motions for too long. All Forest can hope is that a chastening afternoon provides a lesson for their next visit here. Phil Hay It may be cliche, but a rasping finish from Rico Lewis after just 109 seconds was precisely what City needed to quieten down a rowdy Forest crowd, giving them a platform on which to brutally wrestle the occasion their way. Nuno Espirito Santo's side aren't used to being behind so early — they have only conceded five goals within the opening 10 minutes of games this season, and are the Premier League side to have fallen behind in the fewest of their games. Within two minutes, most of the gameplan — sit deep, frustrate City, and hit quickly on the counter — was out the window. Forest had just 11.4 per cent of the ball in the opening 10 minutes, and were scythed open time and time again by City's slick passing game. A midfield four was stretched across the pitch by the high-and-wide positioning of full-backs Matheus Nunes and Nico O'Reilly, while Danilo — substituted at half-time — could not keep track of the relentless movement of Lewis. Pep Guardiola is rarely so adventurous in his team's build-up shape, but their one-goal cushion allowed them to be, picking apart a team who had no choice but to step out of their comfort zone and try to push up the pitch. It helped that his side were particularly dominant in their defensive duels too, with Ruben Dias especially effective at snuffing out hints of a counter-attack and dealing with them at source — a theme that largely continued throughout the first half. Advertisement Not many sides have beaten Forest this year but this was the blueprint on how to do it; score first, drag them out of their shape, and see the pressure and technical quality — and after the hour mark, good fortune — tell. Thom Harris We will bring you this after he has spoken at the post-match press conference. We will bring you this after he has spoken at the post-match press conference. Thursday, May 1: Brentford (Home), Premier League, 7.30pm UK, 2.30pm ET Friday, May 2: Wolves (Home), Premier League, 8pm UK, 3pm ET
Forbes
15-04-2025
- Forbes
Act Now As New Gmail And Microsoft 2FA Security Bypass Attack Strikes
Enable passkeys as 2FA bypass attacks confirmed. Update, April 15, 2025: This story, originally published April 13, has now been updated with details of how real-time email validation helps attackers, along with further information from Trustwave detailing how attackers obfuscate their 2FA bypass phishing threats. I'm sorry to have to tell you this, but if you didn't already realize, you are under attack. No matter the operating system you use, the applications you rely upon or the faith you have in Big Tech to protect you, attackers are coming for your accounts and your data. The higher the profile of those accounts, the more valuable they are and the more hacking scrutiny they are under. Which is why we see security warnings involving such things as Apple ID attacks, X social media data leaks, and both Android and iPhone smartphone FBI defense advice. It is, however, Gmail and Microsoft that are most valued by hackers for the data that a successful account hack can expose. News of the evolution of an already perilous threat that can bypass 2FA protections that both Google and Microsoft have in place is, therefore, naturally of huge concern. Here's what you need to know and what both tech giants say you must do right now. Tycoon 2FA is not a new threat, far from it, in fact. As I reported March 26, 2024, the adversary-in-the-middle attack kit first came to the attention of threat intelligence experts in 2023. In March 2024, however, the criminal developers behind it turned the threat dial up a notch or two by releasing an update that specifically targeted Microsoft 365 and Gmail account holders and employed advanced obfuscation and anti-detection capabilities. Those attackers have, it seems, now turned the dial to 11. New intelligence from security researchers at Trustwave has revealed even more sophisticated evasion techniques being deployed against Gmail and Microsoft users in the latest 2025 attacks. According to the new report's authors, Trustwave's Phil Hay and Rodel Mendrez, these include 'using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection.' While conceding that none of these techniques are groundbreaking, individually at least, combining them does pose a new threat that makes detection and response even more difficult. Custom CAPTCHA visuals in HTML5, for example, can add legitimacy to phishing attempts, Unicode and Proxy-based obfuscation can delay detection, and anti-debugging behaviors hide malicious activity from automated tools. Bernard Bautista and Kevin Adriano, also working at Trustwave, have reported how threat actors are using harmless-looking images to hide what are actually dangerous links in a phishing attack. Not just using, but employing them in what the researchers have described as a 'major spike' in this type of attack obfuscation. The attacks are ones that exploit the fact that Scalable Vector Graphics image files are based on the Extensible Markup Language, unlike more typical image formats, and that means they can contain interactive scripts. 'SVG-based attacks have sharply pivoted toward phishing campaigns,' the report warned, 'with a staggering 1800% increase in early 2025 compared to data collected since April 2024.' Notably, a large surge in such campaigns has been observed during the first quarter of 2025, driven 'largely by the emergence of Attack-in-the-Middle, Phishing-as-a-Service, platforms such as Tycoon2FA,' the researchers said. SVG files are popularly, and perfectly legitimately, used in web design and branding campaigns due to their sharp image output, but the researchers warned that their ability to embed JavaScript introduces serious cybersecurity risks. Attackers use this to inject malicious scripts directly into the image files, which can then 'execute automatically upon opening the file, enabling a wide range of cyberattacks, including unauthorized system access, data theft, identity compromise, and leakage of sensitive information.' The problem is, if it really needed any further explanation, that these malicious scripts can be executed without the need for explicit user interaction, and they are more difficult for security tools to detect and block. Plus, of course, the small matter of people having an elevated yet false sense of security when it comes to images, including SVG files, which are often treated as being of no risk at all. Marie Mamaril, part of the Cofense Intelligence Team, has brought attention to another spanner in the protection-bypass works for defenders when it comes to phishing attacks: precision-validated credential theft. This new technique 'leverages real-time email validation to ensure only high-value targets receive the phishing attempt,' Mamaril warned, before detailing a number of reasons as to why it is so advantageous from the attacker perspective. These reasons included: The key to the success of precision-validated phishing is hinted at in the name. Instead of taking a broad grapeshot approach to the task by distributing attack emails far and wide, precision-validated phishing operates in a highly selective fashion by only actually engaging with those email addresses that have already been 'verified as active, legitimate, and often high-value.' Mamaril explained this by detailing how an attacker will check every email address against a database of pre-collected and verified emails before the target credential phishing login form is displayed to the potential victim. 'If the email address entered does not match any from the pre-collected list,' Mamaril said, 'the phishing page either returns an error or redirects to a legitimate, benign-looking page, preventing security teams from doing further analysis and investigation.' Indeed, so effective is the security investigation prevention aspect of this attack technique that automated crawlers, along with sandboxed environments, also have great difficulty in analyzing them as they simply cannot bypass that validation filter. The end result, according to Mamaril, is reduced attacker risk while extending the lifespan of the phishing campaigns concerned. None of which is good news for the end user. Ultimately, the report concludes that the selective nature of precision-validated phishing attacks means that detection through any kind of shared threat intelligence is harder to accomplish as well. 'Since phishing pages do not serve malicious content to everyone,' Mamaril warned, 'some traditional URL scanning tools may fail to flag them as threats.' All of which results in traditional blocklisting protections are unlikely to help anyone, and there needs to be a shift towards behavioral analysis and anomaly detection instead, 'to identify phishing campaigns before they reach end users.' Trustwave recommended that security teams should 'consider behavior-based monitoring, browser sandboxing, and a deeper inspection of JavaScript patterns' in order to stay one step ahead of the Tycoon 2FA attackers. Google and Microsoft, however, have some more straightforward advice for ordinary users when it comes to protecting themselves and their valuable accounts from the 2FA bypass hackers. The simple truth is that, from the end user defensive posture perspective, the mitigation advice when it comes to Tycoon 2FA attacks is the same now as it was in 2024, namely, use passkeys. A Google spokesperson said that 'passkeys substantially reduce the impact of phishing and other social engineering attacks. Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.' Meanwhile, a Microsoft spokesperson said, 'As a security best practice, we encourage customers to always practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. In addition, we recommend switching to Passkeys wherever possible and using authentication apps such as Microsoft Authenticator, which warn users about potential phishing attempts.' So, there you have it: use passkeys to protect your Gmail and Microsoft accounts, not only against this 2FA bypass attack but also against other potential threats. What are you waiting for, do it now.
Forbes
14-04-2025
- Forbes
Gmail And Microsoft 2FA Security Bypass — Take Action Now, Users Told
Enable passkeys as 2FA bypass attacks confirmed. Update, April 14, 2025: This story, originally published April 13, has now been updated with more information from Trustwave detailing how attackers obfuscate their 2FA bypass phishing threats. I'm sorry to have to tell you this, but if you didn't already realize, you are under attack. No matter the operating system you use, the applications you rely upon or the faith you have in Big Tech to protect you, attackers are coming for your accounts and your data. The higher the profile of those accounts, the more valuable they are and the more hacking scrutiny they are under. Which is why we see security warnings involving such things as Apple ID attacks, X social media data leaks, and both Android and iPhone smartphone FBI defense advice. It is, however, Gmail and Microsoft that are most valued by hackers for the data that a successful account hack can expose. News of the evolution of an already perilous threat that can bypass 2FA protections that both Google and Microsoft have in place is, therefore, naturally of huge concern. Here's what you need to know and what both tech giants say you must do right now. Tycoon 2FA is not a new threat, far from it, in fact. As I reported March 26, 2024, the adversary-in-the-middle attack kit first came to the attention of threat intelligence experts in 2023. In March 2024, however, the criminal developers behind it turned the threat dial up a notch or two by releasing an update that specifically targeted Microsoft 365 and Gmail account holders and employed advanced obfuscation and anti-detection capabilities. Those attackers have, it seems, now turned the dial to 11. New intelligence from security researchers at Trustwave has revealed even more sophisticated evasion techniques being deployed against Gmail and Microsoft users in the latest 2025 attacks. According to the new report's authors, Trustwave's Phil Hay and Rodel Mendrez, these include 'using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection.' While conceding that none of these techniques are groundbreaking, individually at least, combining them does pose a new threat that makes detection and response even more difficult. Custom CAPTCHA visuals in HTML5, for example, can add legitimacy to phishing attempts, Unicode and Proxy-based obfuscation can delay detection, and anti-debugging behaviors hide malicious activity from automated tools. Bernard Bautista and Kevin Adriano, also working at Trustwave, have reported how threat actors are using harmless-looking images to hide what are actually dangerous links in a phishing attack. Not just using, but employing them in what the researchers have described as a 'major spike' in this type of attack obfuscation. The attacks are ones that exploit the fact that Scalable Vector Graphics image files are based on the Extensible Markup Language, unlike more typical image formats, and that means they can contain interactive scripts. 'SVG-based attacks have sharply pivoted toward phishing campaigns,' the report warned, 'with a staggering 1800% increase in early 2025 compared to data collected since April 2024.' Notably, a large surge in such campaigns has been observed during the first quarter of 2025, driven 'largely by the emergence of Attack-in-the-Middle, Phishing-as-a-Service, platforms such as Tycoon2FA,' the researchers said. SVG files are popularly, and perfectly legitimately, used in web design and branding campaigns due to their sharp image output, but the researchers warned that their ability to embed JavaScript introduces serious cybersecurity risks. Attackers use this to inject malicious scripts directly into the image files, which can then 'execute automatically upon opening the file, enabling a wide range of cyberattacks, including unauthorized system access, data theft, identity compromise, and leakage of sensitive information.' The problem is, if it really needed any further explanation, that these malicious scripts can be executed without the need for explicit user interaction, and they are more difficult for security tools to detect and block. Plus, of course, the small matter of people having an elevated yet false sense of security when it comes to images, including SVG files, which are often treated as being of no risk at all. Trustwave recommended that security teams should 'consider behavior-based monitoring, browser sandboxing, and a deeper inspection of JavaScript patterns' in order to stay one step ahead of the Tycoon 2FA attackers. Google and Microsoft, however, have some more straightforward advice for ordinary users when it comes to protecting themselves and their valuable accounts from the 2FA bypass hackers. The simple truth is that, from the end user defensive posture perspective, the mitigation advice when it comes to Tycoon 2FA attacks is the same now as it was in 2024, namely, use passkeys. A Google spokesperson said that 'passkeys substantially reduce the impact of phishing and other social engineering attacks. Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.' Meanwhile, a Microsoft spokesperson said, 'As a security best practice, we encourage customers to always practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. In addition, we recommend switching to Passkeys wherever possible and using authentication apps such as Microsoft Authenticator, which warn users about potential phishing attempts.' So, there you have it: use passkeys to protect your Gmail and Microsoft accounts, not only against this 2FA bypass attack but also against other potential threats. What are you waiting for, do it now.
Forbes
13-04-2025
- Forbes
As Gmail And Microsoft 2FA Security Bypassed — Do This One Thing Now
Enable passkeys as 2FA bypass attacks confirmed. I'm sorry to have to tell you this, but if you didn't already realize, you are under attack. No matter the operating system you use, the applications you rely upon or the faith you have in Big Tech to protect you, attackers are coming for your accounts and your data. The higher the profile of those accounts, the more valuable they are and the more hacking scrutiny they are under. Which is why we see security warnings involving such things as Apple ID attacks, X social media data leaks, and both Android and iPhone smartphone FBI defense advice. It is, however, Gmail and Microsoft that are most valued by hackers for the data that a successful account hack can expose. News of the evolution of an already perilous threat that can bypass 2FA protections that both Google and Microsoft have in place is, therefore, naturally of huge concern. Here's what you need to know and what both tech giants say you must do right now. Tycoon 2FA is not a new threat, far from it, in fact. As I reported March 26, 2024, the adversary-in-the-middle attack kit first came to the attention of threat intelligence experts in 2023. In March 2024, however, the criminal developers behind it turned the threat dial up a notch or two by releasing an update that specifically targeted Microsoft 365 and Gmail account holders and employed advanced obfuscation and anti-detection capabilities. Those attackers have, it seems, now turned the dial to 11. New intelligence from security researchers at Trustwave has revealed even more sophisticated evasion techniques being deployed against Gmail and Microsoft users in the latest 2025 attacks. According to the new report's authors, Trustwave's Phil Hay and Rodel Mendrez, these include 'using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection.' While conceding that none of these techniques are groundbreaking, individually at least, combining them does pose a new threat that makes detection and response even more difficult. Custom CAPTCHA visuals in HTMLK5, for example, can add legitimacy to phishing attempts, Unicode and Proxy-based obfuscation can delay detection, and anti-debugging behaviors hide malicious activity from automated tools. Trustwave recommended that security teams should 'consider behavior-based monitoring, browser sandboxing, and a deeper inspection of JavaScript patterns' in order to stay one step ahead of the Tycoon 2FA attackers. Google and Microsoft, however, have some more straightforward advice for ordinary users when it comes to protecting themselves and their valuable accounts from the 2FA bypass hackers. The simple truth is that, from the end user defensive posture perspective, the mitigation advice when it comes to Tycoon 2FA attacks is the same now as it was in 2024, namely, use passkeys. A Google spokesperson said that 'passkeys substantially reduce the impact of phishing and other social engineering attacks. Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.' Meanwhile, a Microsoft spokesperson said, 'As a security best practice, we encourage customers to always practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. In addition, we recommend switching to Passkeys wherever possible and using authentication apps such as Microsoft Authenticator, which warn users about potential phishing attempts.' So, there you have it: use passkeys to protect your Gmail and Microsoft accounts, not only against this 2FA bypass attack but also against other potential threats. What are you waiting for, do it now.
