2026-03-20 | OSINT and Intelligence | Oracle-42 Intelligence Research
Email Header Analysis: Tracking the Origin of Tycoon 2FA and SSO Phishing Campaigns
Executive Summary: Adversary-in-the-Middle (AiTM) phishing kits like Tycoon 2FA and SSO-focused campaigns exploit email header manipulation to evade detection and harvest credentials. This article provides a technical deep-dive into using email header analysis—leveraging OSINT and DNS intelligence—to trace phishing infrastructure, attribute campaigns, and disrupt threat actors operating under the Phishing-as-a-Service (PhaaS) model. We analyze real-world IOCs, DNS fingerprints, and header anomalies to reveal how modern phishing campaigns are orchestrated and how defenders can counter them.
Key Findings
Tycoon 2FA, active since August 2023, is a sophisticated AiTM phishing kit sold as PhaaS, primarily targeting Microsoft 365 environments to steal session cookies and bypass 2FA.
Attackers leverage email header spoofing and SMTP relay abuse to disguise phishing origins and evade email security controls like SPF/DKIM/DMARC.
DNS reconnaissance—including WHOIS, DNS records, and passive DNS—reveals the infrastructure behind SSO phishing campaigns, including malicious C2 domains and adversary-controlled mail servers.
Email headers contain forensic artifacts (Received, Return-Path, Message-ID, X-Originating-IP) that, when analyzed with OSINT, can trace campaigns to their source infrastructure.
Combining email header analysis with DNS intelligence enables proactive disruption of PhaaS operations and attribution to threat actors.
Understanding the Threat: Tycoon 2FA and SSO Phishing
Tycoon 2FA is a first-of-its-kind AiTM phishing kit, introduced in August 2023 and distributed via a Phishing-as-a-Service model. Unlike traditional credential phishing, AiTM kits proxy the real login flow in real time: the victim completes the password and 2FA steps against the genuine identity provider, and the kit captures the resulting session tokens and cookies, so two-factor authentication (2FA) no longer prevents account takeover. The kit primarily targets Microsoft 365 environments, harvesting credentials and session data to enable account takeover and lateral movement.
SSO-focused phishing campaigns, particularly those targeting educational institutions, have surged in volume. DNS-based analysis reveals coordinated campaigns using fake login portals mimicking university SSO pages. These attacks are not isolated; they are orchestrated through rented infrastructure, bulletproof hosting, and compromised SMTP relays to bypass email filtering.
In both cases, email header manipulation plays a central role in obfuscating the true origin of phishing emails. Attackers forge headers, abuse legitimate services, and chain compromised systems to deliver malicious payloads undetected.
The Role of Email Headers in Phishing Attribution
Email headers are a goldmine of forensic data. Each hop in the email delivery chain leaves a trace in the headers, including:
Received: IP addresses, hostnames, and timestamps of SMTP servers that processed the message, prepended by each hop so that the topmost line is the last hop and the bottom line is closest to the origin. These can reveal the true origin or intermediate relays; only the lines added by your own or trusted MTAs are reliable, since a sender can insert fake Received lines beneath them.
Return-Path: The bounce address, often spoofed to appear legitimate.
Message-ID: Unique identifier that may correlate with known malicious campaigns.
X-Originating-IP: Non-standard header sometimes added by the submitting mail server to record the client's IP. Like any header that sits below the receiving MTA's own Received line, it can be forged, so it should be corroborated against the earliest trustworthy Received hop.
Authentication-Results: SPF, DKIM, DMARC validation outcomes—useful for identifying spoofing attempts.
When analyzed in aggregate, these fields allow analysts to:
Map the email’s delivery path.
Identify compromised or malicious SMTP relays.
Link phishing emails to known threat actor infrastructure via shared IPs, domains, or Message-IDs.
Attribute campaigns to specific PhaaS providers (e.g., Tycoon 2FA operators).
DNS Intelligence: Uncovering the Backend Infrastructure
While email headers reveal delivery mechanics, DNS intelligence uncovers the command-and-control (C2) and hosting infrastructure behind phishing campaigns. Techniques include:
WHOIS analysis: Identifying domains registered under privacy-protected or bulk-registered email addresses, often tied to threat actors.
DNS record inspection: A records, MX records, and TXT records can reveal hosting providers, CDNs, or mail services abused by attackers.
Passive DNS (pDNS) databases: Reveal historical associations between IPs and domains, critical for tracking fast-flux or rapidly changing infrastructure.
Reverse DNS lookups: Correlate IP addresses in email headers with PTR records, which may point to suspicious hostnames (e.g., "smtp-relay.attacker[.]com").
For example, in SSO phishing campaigns targeting higher education, DNS analysis has uncovered clusters of domains hosted on bulletproof hosting providers in offshore jurisdictions, with MX records pointing to compromised university mail servers—used as relays to bypass security controls.
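The DNS pivots listed above (reverse DNS, shared A-record hosting, shared MX hosts, WHOIS registrant grouping) are shown below as an added Python example. It is not code from the original article or from any named vendor; the passive DNS records and WHOIS excerpts are constructed for the example and use reserved documentation addresses and `.example` names rather than real observations. The pivots are generalized so that a handful of IPs extracted from email headers can be expanded into a cluster of related domains.

```python
"""Pivot from header-extracted IPs through a passive DNS / WHOIS dataset.

Added illustration: every record below is constructed, not a real observation.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed passive-DNS style records: (rrname, rrtype, rdata).
PDNS: List[Tuple[str, str, str]] = [
    ("login-sso-portal.example", "A", "203.0.113.10"),
    ("login-sso-portal.example", "MX", "mail.relay-service.example"),
    ("mail.relay-service.example", "A", "203.0.113.10"),
    ("teams-notify.example", "A", "203.0.113.10"),
    ("teams-notify.example", "MX", "mail.relay-service.example"),
    ("portal-edu-login.example", "A", "198.51.100.7"),
    ("portal-edu-login.example", "MX", "mail.relay-service.example"),
    ("legit-vendor.example", "A", "192.0.2.50"),
    ("legit-vendor.example", "MX", "mx.legit-vendor.example"),
    ("10.113.0.203.in-addr.arpa", "PTR", "smtp-relay.relay-service.example"),
]

# Constructed WHOIS excerpts: domain -> registrant e-mail. A privacy proxy
# address is shared by all of that proxy's customers, so it is a weak pivot;
# a bulk-registration mailbox reused across domains is a much stronger one.
WHOIS: Dict[str, str] = {
    "login-sso-portal.example": "redacted@privacyproxy.example",
    "teams-notify.example": "redacted@privacyproxy.example",
    "portal-edu-login.example": "bulk-reg-42@mailbox.example",
    "relay-service.example": "bulk-reg-42@mailbox.example",
    "legit-vendor.example": "hostmaster@legit-vendor.example",
}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa owner name for an IPv4 address (reverse DNS)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def ptr_for(ip: str, records=PDNS) -> List[str]:
    """PTR rdata recorded for the IP, i.e. the hostname a relay advertises."""
    name = reverse_name(ip)
    return sorted(r for (n, t, r) in records if t == "PTR" and n == name)


def domains_on_ip(ip: str, records=PDNS) -> Set[str]:
    """Domains whose A record resolved to this IP (shared-hosting pivot)."""
    return {n for (n, t, r) in records if t == "A" and r == ip}


def domains_using_mx(mx_host: str, records=PDNS) -> Set[str]:
    """Domains that route mail through the same MX host (shared-relay pivot)."""
    return {n for (n, t, r) in records if t == "MX" and r == mx_host}


def cluster_infrastructure(records=PDNS) -> List[Set[str]]:
    """Union-find over domains: two names join one cluster when they share an
    A-record IP or an MX host. Largest cluster first."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_pivot: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for name, rtype, rdata in records:
        if rtype in ("A", "MX"):
            find(name)  # register singletons too
            by_pivot[(rtype, rdata)].add(name)
    for members in by_pivot.values():
        ordered = sorted(members)
        for m in ordered[1:]:
            parent[find(ordered[0])] = find(m)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for name in parent:
        groups[find(name)].add(name)
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


def registrant_groups(whois=WHOIS) -> Dict[str, Set[str]]:
    """Group domains by registrant e-mail, keeping only addresses reused
    across more than one domain."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for dom, email in whois.items():
        groups[email].add(dom)
    return {e: d for e, d in groups.items() if len(d) > 1}


if __name__ == "__main__":
    ip = "203.0.113.10"  # e.g. taken from a Received: line
    print("PTR:", ptr_for(ip))
    print("co-hosted:", sorted(domains_on_ip(ip)))
    for cluster in cluster_infrastructure():
        print("cluster:", sorted(cluster))
    print("registrants:", registrant_groups())
```

In practice the `PDNS` and `WHOIS` tables would be filled from a passive DNS provider and a registration data source; the clustering and pivot logic is unchanged. The registrant pivot is deliberately reported separately from the DNS cluster so that a shared privacy-proxy address is not mistaken for a hard link.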
Case Study: Tracing a Tycoon 2FA Campaign via Email Headers and DNS
In a recent incident, a phishing email purporting to be a Microsoft Teams notification was delivered to a target organization. Header analysis revealed:
Associated domain: "relay-service[.]com" registered via a privacy-protected registrar.
MX record: "mail.relay-service[.]com" hosted on a server in Russia.
Passive DNS links to multiple phishing campaigns targeting Microsoft credentials.
Further correlation revealed that the Message-ID matched Tycoon 2FA samples reported in OSINT feeds, confirming the campaign’s affiliation with the PhaaS operation. The infrastructure was subsequently flagged for takedown via abuse channels and DNS sinkholing.
Recommendations for Defenders and Intelligence Teams
To effectively disrupt AiTM and SSO phishing campaigns, organizations should implement a multi-layered OSINT and intelligence-driven defense:
1. Automate Email Header Analysis
Deploy email security gateways that perform header parsing and anomaly detection.
Use SIEM rules to flag emails with:
Inconsistent SPF/DKIM/DMARC results.
Received headers from known malicious IPs or domains.
Message-IDs linked to PhaaS kits (e.g., Tycoon 2FA).
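As an added example covering both the header fields described earlier (Received chain, Return-Path, Message-ID, X-Originating-IP, Authentication-Results) and the three SIEM-style flags above, the Python below parses a constructed message with the standard-library `email` module and emits rule hits. The message, the bad-IP list and the Message-ID pattern are all constructed for illustration: the pattern is a hypothetical placeholder, not a real Tycoon 2FA indicator, and the code is not from the original article or any product.

```python
"""Parse e-mail headers and apply header-based phishing checks.

Added example: the raw message, blocklist and Message-ID pattern are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Constructed sample message. Received lines are newest-first (each MTA prepends
# its own), so the last one is closest to the origin.
RAW_MESSAGE = """\
Return-Path: <bounce@relay-service.example>
Received: from mail.relay-service.example (mail.relay-service.example [203.0.113.10])
  by mx.victim.example with ESMTPS id abc123; Fri, 20 Mar 2026 09:15:02 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
  by mail.relay-service.example with ESMTPA id def456; Fri, 20 Mar 2026 09:14:58 +0000
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=relay-service.example;
  dkim=none; dmarc=fail header.from=microsoft.com
From: "Microsoft Teams" <noreply@microsoft.com>
To: user@victim.example
Subject: You have a new Teams message
Message-ID: <20260320091458.tyc-a1b2c3@relay-service.example>
X-Originating-IP: [198.51.100.7]
Content-Type: text/plain

Click to view your message.
"""

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed indicator data standing in for a threat-intel feed.
KNOWN_BAD_IPS = {"203.0.113.10"}
KIT_MESSAGE_ID_PATTERNS = [re.compile(r"\.tyc-[0-9a-f]{6}@")]  # hypothetical placeholder


def parse_received_chain(raw: str) -> List[Dict[str, str]]:
    """Return hops ordered origin-first: HELO name, receiving host, first IP seen."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(hdr)
        ips = IP_RE.findall(hdr)
        hops.append({"helo": m.group("helo") if m else "",
                     "by": m.group("by") if m else "",
                     "ip": ips[0] if ips else ""})
    return hops


def parse_auth_results(raw: str) -> Dict[str, str]:
    """Extract spf/dkim/dmarc verdicts from Authentication-Results."""
    msg = message_from_string(raw)
    results: Dict[str, str] = {}
    for ar in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar):
            results[method] = verdict
    return results


def analyze(raw: str) -> Dict[str, object]:
    """Map the delivery path and flag the anomalies a SIEM rule would look for."""
    msg = message_from_string(raw)
    hops = parse_received_chain(raw)
    auth = parse_auth_results(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].split("@")[-1].lower()
    message_id = msg.get("Message-ID", "")
    x_orig = (IP_RE.findall(msg.get("X-Originating-IP", "")) or [""])[0]
    origin_ip = hops[0]["ip"] if hops else ""
    flags: List[Tuple[str, str]] = []
    if from_domain and rp_domain and from_domain != rp_domain:
        flags.append(("envelope-mismatch", f"Return-Path {rp_domain} != From {from_domain}"))
    if auth.get("spf") == "pass" and auth.get("dmarc") == "fail":
        flags.append(("auth-inconsistent", "SPF passes for the envelope domain but DMARC fails: unaligned relay"))
    for hop in hops:
        if hop["ip"] in KNOWN_BAD_IPS:
            flags.append(("bad-relay", f"Received from listed IP {hop['ip']} ({hop['helo']})"))
    if any(p.search(message_id) for p in KIT_MESSAGE_ID_PATTERNS):
        flags.append(("kit-message-id", message_id))
    if x_orig and origin_ip and x_orig != origin_ip:
        flags.append(("x-originating-ip-mismatch", f"{x_orig} vs first hop {origin_ip}"))
    return {"hops": hops, "auth": auth, "from_domain": from_domain,
            "return_path_domain": rp_domain, "origin_ip": origin_ip, "flags": flags}


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE)
    for hop in report["hops"]:
        print(f"{hop['ip']:<15} {hop['helo']} -> {hop['by']}")
    for rule, detail in report["flags"]:
        print(f"[{rule}] {detail}")
```

The SPF-pass/DMARC-fail combination is the signature of a message sent through a relay that is authorized for its own envelope domain while impersonating another domain in From, which is exactly the relay abuse described in the findings above. The X-Originating-IP check is deliberately a consistency test against the earliest Received hop rather than a trusted source on its own.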