What We Do
How We Do
Get Started

Voicemail Themed Emails Tycoon Phishing-as-a-Service Platform

BY eSentire Threat Response Unit (TRU)

March 5, 2024 | 5 MINS READ


Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In early February, our Incident Handling team responded to a phishing campaign targeting users in the retail industry. In one instance, a compromised account was leveraged to distribute voicemail themed phishing emails. For example, “XXXXXX left you a Voicemail at 07:30 am,” where the Xs represent a redacted phone number with the area code. The email contains the link to the custom collaboration form created on allo[.]io. (Figure 1).

Figure 1: The phishing link

The form contains the link to a fake Microsoft login page, but the user is first routed through a CloudFlare Turnstile prompt (Figure 2) before accessing the phishing page. Security tools often look for abnormal behaviors or patterns to detect bots and malicious activities. Using Turnstile not only instills a sense of legitimacy in the phishing site for potential victims but also conceals the genuine phishing page from the detection efforts of automated security scanners.

Figure 2: Cloudflare Turnstile Prompt
Figure 3: Fake Microsoft sign-in page

The source code of the phishing page contains an obfuscated code using simple XOR algorithm. Upon decoding, we can see that the page points to the JavaScript file that gets loaded at 13j7q.umhhs0.com/u352/myscr451443[.]js (Figure 4).

Figure 4: Source code of phishing page

Upon deobfuscating myscr451443[.]js, we see that it’s responsible for holding the user's access to the main content (fake Microsoft sign-in page) while performing necessary security validations via CloudFlare Turnstile.

Figure 5: Deobfuscated myscr451443[.]js showing the snippet of CloudFlare Turnstile code

Further investigating the source code, we can see that the phishing landing page source code is stored under /web6/assets/js/pages.min.js?cb=36 path. The code attempts to fetch the user’s IP address by making the request to httpbin[.]org/ip and sends it over to the server via the POST request to <phishing_domain>/web6/info along with the browser name (derived from user-agent) and the pagelink value, in our example it’s “6x96”.

Figure 6: Snippet of the code responsible for retrieving the public IP of the host
Figure 7: POST request with IP and user-agent

The code filters out certain domains to prevent sign-ins from personal emails, which hints that the phishing campaign targets corporate users. If one of the domains in the list is entered, the user will get a message “We couldn't find an account with that username. Try another, or get a new Microsoft account”.

Figure 8: Domains that are filtered out

During the analysis of the network traffic, we observed a communication request directed to the domain ailinux[.]ru. This was subsequently identified and confirmed as an interface to the TycoonGroup control panel (Figures 9-10). TycoonGroup is marketed as a phishing-as-a-service platform and is actively being sold on the Telegram platform.

Figure 9: TycoonGroup control panel
Figure 10: Screenshot from TycoonGroup on Telegram displaying the control panel domain

TycoonGroup boasts a user base of over 2,000. The phishing kits they offer are equipped with a range of features, such as a QR code phishing service, a private antibot system, the ability to bypass two-factor authentication, and the capability to retrieve cookies that remain valid for up to one year, among others (Figure 11).

Figure 11: TycoonGroup advertisement on Telegram channel

Performing the search via URLscan on the “web6/assets” we found over 1000 scan results related to the phishing kit (Figure 12).

Figure 12: URLScan results

What can you learn from this TRU Positive?

What did we do?

Our team of 24/7 Cyber SOC Analysts and Incident Handling Team investigated the suspicious activities, notified the clients, and recommended resetting the passwords and revoking the sessions.

Recommendations from our Threat Response Unit (TRU) Team:


eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire