{
  "iim_version": "1.1",
  "chain_id": "microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa",
  "title": "HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends",
  "description": "IIM chain for the large credential-harvesting campaign described in Microsoft's Q1 2026 email threat analysis. A campaign on 2026-03-17 sent over 1.5 million malicious messages to 179,000+ organisations across 43 countries. Opening the HTML attachment redirected the victim to an initial phishing page that screened the visitor before routing them to a CAPTCHA-gated page and finally a fraudulent sign-in page. Microsoft notes that while the campaign shared common tooling and structure, the final phishing payload was hosted across multiple Phishing-as-a-Service providers: mostly Tycoon 2FA, with additional activity linked to Kratos (formerly Sneaky 2FA) and EvilTokens.",
  "actor_id": "unknown",
  "observed_at": "2026-03-17T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": true,
  "x_source": {
    "title": "Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries",
    "publisher": "The Hacker News (reporting Microsoft research)",
    "url": "https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html",
    "published_at": "2026-05",
    "accessed_at": "2026-05-30T00:00:00Z",
    "source_type": "secondary news report of vendor research (Microsoft)"
  },
  "x_source_title": "HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends",
  "x_source_url": "https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html",
  "x_iocs": {
    "phaas_providers": [
      "Tycoon 2FA",
      "Kratos (formerly Sneaky 2FA)",
      "EvilTokens"
    ],
    "primary_campaign_date": "2026-03-17",
    "campaign_volume": "1.5M+ malicious messages to 179,000+ orgs across 43 countries",
    "delivery_artifact": "HTML attachment",
    "fastest_growing_vector_q1": "QR-code phishing",
    "end_goal": "credential harvesting (AiTM)"
  },
  "x_limitations": [
    "No specific phishing domains, URLs, or IPs were published in the consulted report; e2/e3/e4 values are placeholders.",
    "CAPTCHA human-verification gating is not a v1.0 gating technique (catalog gating = GeoIP / UA / request fingerprint / time-window / single-use token); the CAPTCHA hop is left technique-empty and flagged as a candidate technique.",
    "HTML smuggling on the attachment is endpoint/defense-evasion behaviour (ATT&CK T1027.006), not infrastructure.",
    "The '35,000 users / 26 countries' headline figure refers to a distinct sub-campaign; the modeled flow uses the 2026-03-17 mass campaign Microsoft described in the same analysis."
  ],
  "entities": [
    {
      "id": "e1",
      "type": "file",
      "value": "phishing HTML attachment",
      "observed_at": "2026-03-17T00:00:00Z",
      "source": "The Hacker News / Microsoft Q1 2026 email threat analysis",
      "evidence": [
        "Reporting states that when opened, the HTML file redirected victims to an initial phishing page.",
        "Reporting states large HTML and ZIP files accounted for a large share of link-based phishing payloads in the quarter."
      ],
      "x_chain_stage": "html_attachment_entry"
    },
    {
      "id": "e2",
      "type": "url",
      "value": "<initial visitor-screening phishing page>",
      "observed_at": "2026-03-17T00:00:00Z",
      "source": "The Hacker News / Microsoft Q1 2026 email threat analysis",
      "evidence": [
        "Reporting states the HTML redirected victims to an initial phishing page that screened the visitor before routing them onward."
      ],
      "x_placeholder": true,
      "x_chain_stage": "tds_visitor_screen"
    },
    {
      "id": "e3",
      "type": "url",
      "value": "<CAPTCHA-gated routing page>",
      "observed_at": "2026-03-17T00:00:00Z",
      "source": "The Hacker News / Microsoft Q1 2026 email threat analysis",
      "evidence": [
        "Reporting states the screening page routed the victim to a page presenting a CAPTCHA challenge before serving the fraudulent sign-in page.",
        "Reporting states CAPTCHA-gated phishing evolved rapidly across payload types during Q1 2026."
      ],
      "x_placeholder": true,
      "x_chain_stage": "captcha_gate"
    },
    {
      "id": "e4",
      "type": "domain",
      "value": "<Tycoon 2FA AiTM credential endpoint>",
      "observed_at": "2026-03-17T00:00:00Z",
      "source": "The Hacker News / Microsoft Q1 2026 email threat analysis",
      "evidence": [
        "Reporting states the final destination was a fraudulent sign-in page for credential harvesting.",
        "Reporting states most observed phishing endpoints were associated with Tycoon 2FA, with additional activity linked to Kratos and EvilTokens infrastructure."
      ],
      "x_placeholder": true,
      "x_phaas": "Tycoon 2FA / Kratos / EvilTokens",
      "x_chain_stage": "aitm_credential_payload"
    }
  ],
  "chain": [
    {
      "entity_id": "e1",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "n/a",
      "review_notes": "HTML attachment; smuggling is ATT&CK, not infrastructure."
    },
    {
      "entity_id": "e2",
      "role": "redirector",
      "techniques": [
        "IIM-T017"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "likely",
      "review_notes": "Visitor-screening-then-route behaviour = Traffic Distribution System. T020 (client filtering) is a plausible alternative if screening was UA/TLS-based."
    },
    {
      "entity_id": "e3",
      "role": "redirector",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "n/a",
      "review_notes": "CAPTCHA gate has no v1.0 technique; candidate for a 'Human-Verification Gate' technique."
    },
    {
      "entity_id": "e4",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "n/a",
      "review_notes": "Terminal AiTM credential page (payload role, not a file). PhaaS hosting substrate not specified, so no hosting technique asserted."
    }
  ],
  "relations": [
    {
      "from": "e1",
      "to": "e2",
      "type": "redirect",
      "sequence_order": 1,
      "observed_at": "2026-03-17T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Opening the HTML attachment redirects to the initial screening page."
      ]
    },
    {
      "from": "e2",
      "to": "e3",
      "type": "redirect",
      "sequence_order": 2,
      "observed_at": "2026-03-17T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The screening page routes the visitor to the CAPTCHA-gated page."
      ]
    },
    {
      "from": "e3",
      "to": "e4",
      "type": "redirect",
      "sequence_order": 3,
      "observed_at": "2026-03-17T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "After the CAPTCHA challenge the victim is served the fraudulent sign-in page."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.001",
      "name": "Phishing: Spearphishing Attachment",
      "tactic": "Initial Access",
      "comment": "Malicious HTML attachment."
    },
    {
      "technique_id": "T1027.006",
      "name": "Obfuscated Files or Information: HTML Smuggling",
      "tactic": "Defense Evasion",
      "comment": "HTML attachment assembles content client-side."
    },
    {
      "technique_id": "T1656",
      "name": "Impersonation",
      "tactic": "Defense Evasion",
      "comment": "Fraudulent sign-in page impersonates a trusted login."
    },
    {
      "technique_id": "T1557",
      "name": "Adversary-in-the-Middle",
      "tactic": "Credential Access",
      "comment": "Tycoon 2FA / Kratos AiTM session and token theft."
    }
  ]
}