As Gmail And Microsoft 2FA Security Bypassed — Do This One Thing Now

No matter the operating system you use, the applications you rely upon or the faith you have in Big Tech to protect you, attackers are coming for your accounts and your data.

The higher the profile of those accounts, the more valuable they are and the more hacking scrutiny they are under, which is why we see security warnings involving such things as Apple ID attacks, X social media data leaks, and FBI defense advice for both Android and iPhone smartphones.

It is, however, Gmail and Microsoft that are most valued by hackers for the data that a successful account hack can expose.

The Tycoon 2FA Attack: What You Need To Know

Google and Microsoft have confirmed that they are under attack from a sophisticated phishing campaign known as "Tycoon 2FA", which targets users of Gmail and Microsoft accounts, specifically using passkeys to bypass traditional two-factor authentication.

The Method Behind The Attack

The Tycoon 2FA attackers are using a combination of techniques to bypass the two-step verification process, including precision-validated credential theft. Precision-validated phishing leverages real-time email validation to ensure that only high-value targets receive the phishing attempt.

This technique "leverages real-time email validation to ensure only high-value targets receive the phishing attempt," explained Marie Mamaril of the Cofense Intelligence Team. "The key to the success of precision-validated phishing is hinted at in the name. Instead of taking a broad grapeshot approach to the task by distributing attack emails far and wide, precision-validated phishing operates in a highly selective fashion by only actually engaging with those email addresses that have already been 'verified as active, legitimate, and often high-value.'"

"If the email address entered does not match any from the pre-collected list," Mamaril said, "the phishing page either returns an error or redirects to a legitimate, benign-looking page, preventing security teams from doing further analysis and investigation."

The Attackers' Goal

The attackers' goal is to trick victims into providing their login credentials, allowing them to access the targeted accounts.

Protect Yourself: What You Can Do

To protect yourself against Tycoon 2FA attacks, follow these simple steps:

  1. Use passkeys. Google research has shown that security keys provide stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.
  2. Switch to passkeys whenever possible and use authentication apps like Microsoft Authenticator, which warn users about potential phishing attempts.
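Why that advice holds up against a proxy-style 2FA bypass, as an added illustration that is not code from the article, Google or Microsoft: a simplified WebAuthn (passkey) assertion check in Go. The browser, not the web page, writes the origin into the signed client data, so an assertion obtained on a lookalike domain and relayed to the real site fails the relying party's origin check. The rpId "example.com", the lookalike origin "https://example-login.test", the challenge string, and the flattened field names and authenticator-data layout are all constructed assumptions for the example.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is what the browser serialises for the authenticator to sign. The browser,
// not the web page, fills in Origin, which is what binds a passkey to the genuine site.
type clientData struct{ Type, Challenge, Origin string }
// assertion is a simplified WebAuthn assertion: AuthData = sha256(rpId) || flags || counter;
// Sig is ES256 over AuthData || sha256(ClientDataJSON). Field names are simplified here.
type assertion struct{ AuthData, ClientDataJSON, Sig []byte }

// sign models the authenticator; origin is whatever site the browser is actually on.
func sign(key *ecdsa.PrivateKey, rpID, origin, challenge string) assertion {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	rp, cdh := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	auth := append(rp[:], 0x01, 0, 0, 0, 1) // flags: user present; counter = 1
	digest := sha256.Sum256(append(append([]byte{}, auth...), cdh[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return assertion{auth, cd, sig}
}

// verify is the relying party's check: an assertion relayed through a proxy on a lookalike
// domain carries that domain as Origin and is rejected before the signature is checked.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) bool {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	rp, cdh := sha256.Sum256([]byte(rpID)), sha256.Sum256(a.ClientDataJSON)
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], rp[:]) || a.AuthData[32]&1 == 0 {
		return false
	}
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdh[:]...))
	return ecdsa.VerifyASN1(pub, digest[:], a.Sig)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pub, ch := &key.PublicKey, "constructed-challenge" // a server issues a fresh random one per login
	fmt.Println("genuine site:", verify(pub, "example.com", "https://example.com", ch, sign(key, "example.com", "https://example.com", ch)))
	fmt.Println("relayed via lookalike:", verify(pub, "example.com", "https://example.com", ch, sign(key, "example.com", "https://example-login.test", ch)))
}
```

The same check also rejects a replayed assertion whose challenge is stale, which is why a stolen one-time code has no passkey equivalent for the attacker to reuse.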

Google and Microsoft also have some more straightforward advice for ordinary users when it comes to protecting themselves and their valuable accounts from the 2FA bypass hackers.

Do Not Wait: Protect Your Account Now

We can't stress this enough: do not wait. The longer you wait, the more vulnerable your account will be to potential threats. So, there you have it: use passkeys to protect your Gmail and Microsoft accounts, not only against this 2FA bypass attack but also against other potential threats.