microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa
HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends
IIM chain for the large credential-harvesting campaign described in Microsoft's Q1 2026 email threat analysis. A campaign on 2026-03-17 sent over 1.5 million malicious messages to 179,000+ organisations across 43 countries. Opening the HTML attachment redirected the victim to an initial phishing page that screened the visitor before routing them to a CAPTCHA-gated page and finally a fraudulent sign-in page. Microsoft notes that while the campaign shared common tooling and structure, the final phishing payload was hosted across multiple Phishing-as-a-Service providers: mostly Tycoon 2FA, with additional activity linked to Kratos (formerly Sneaky 2FA) and EvilTokens.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsfile
phishing HTML attachment
url
<initial visitor-screening phishing page>
url
<CAPTCHA-gated routing page>
domain
<Tycoon 2FA AiTM credential endpoint>
Relations
directed infrastructure edgese1redirecte2
confirmed
e2redirecte3
confirmed
e3redirecte4
confirmed
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e1 |
file | phishing HTML attachment |
Reporting states that when opened, the HTML file redirected victims to an initial phishing page. Reporting states large HTML and ZIP files accounted for a large share of link-based phishing payloads in the quarter. |
e2 |
url | <initial visitor-screening phishing page> |
Reporting states the HTML redirected victims to an initial phishing page that screened the visitor before routing them onward. |
e3 |
url | <CAPTCHA-gated routing page> |
Reporting states the screening page routed the victim to a page presenting a CAPTCHA challenge before serving the fraudulent sign-in page. Reporting states CAPTCHA-gated phishing evolved rapidly across payload types during Q1 2026. |
e4 |
domain | <Tycoon 2FA AiTM credential endpoint> |
Reporting states the final destination was a fraudulent sign-in page for credential harvesting. Reporting states most observed phishing endpoints were associated with Tycoon 2FA, with additional activity linked to Kratos and EvilTokens infrastructure. |
ATT&CK annotations
optional complementary mappingMalicious HTML attachment.
HTML attachment assembles content client-side.
Fraudulent sign-in page impersonates a trusted login.
Tycoon 2FA / Kratos AiTM session and token theft.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa",
"title": "HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends",
"description": "IIM chain for the large credential-harvesting campaign described in Microsoft's Q1 2026 email threat analysis. A campaign on 2026-03-17 sent over 1.5 million malicious messages to 179,000+ organisations across 43 countries. Opening the HTML attachment redirected the victim to an initial phishing page that screened the visitor before routing them to a CAPTCHA-gated page and finally a fraudulent sign-in page. Microsoft notes that while the campaign shared common tooling and structure, the final phishing payload was hosted across multiple Phishing-as-a-Service providers: mostly Tycoon 2FA, with additional activity linked to Kratos (formerly Sneaky 2FA) and EvilTokens.",
"actor_id": "unknown",
"observed_at": "2026-03-17T00:00:00Z",
"confidence": "confirmed",
"needs_review": true,
"x_source": {
"title": "Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries",
"publisher": "The Hacker News (reporting Microsoft research)",
"url": "https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html",
"published_at": "2026-05",
"accessed_at": "2026-05-30T00:00:00Z",
"source_type": "secondary news report of vendor research (Microsoft)"
},
"x_source_title": "HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends",
"x_source_url": "https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html",
"x_iocs": {
"phaas_providers": [
"Tycoon 2FA",
"Kratos (formerly Sneaky 2FA)",
"EvilTokens"
],
"primary_campaign_date": "2026-03-17",
"campaign_volume": "1.5M+ malicious messages to 179,000+ orgs across 43 countries",
"delivery_artifact": "HTML attachment",
"fastest_growing_vector_q1": "QR-code phishing",
"end_goal": "credential harvesting (AiTM)"
},
"x_limitations": [
"No specific phishing domains, URLs, or IPs were published in the consulted report; e2/e3/e4 values are placeholders.",
"CAPTCHA human-verification gating is not a v1.0 gating technique (catalog gating = GeoIP / UA / request fingerprint / time-window / single-use token); the CAPTCHA hop is left technique-empty and flagged as a candidate technique.",
"HTML smuggling on the attachment is endpoint/defense-evasion behaviour (ATT&CK T1027.006), not infrastructure.",
"The '35,000 users / 26 countries' headline figure refers to a distinct sub-campaign; the modeled flow uses the 2026-03-17 mass campaign Microsoft described in the same analysis."
],
"entities": [
{
"id": "e1",
"type": "file",
"value": "phishing HTML attachment",
"observed_at": "2026-03-17T00:00:00Z",
"source": "The Hacker News / Microsoft Q1 2026 email threat analysis",
"evidence": [
"Reporting states that when opened, the HTML file redirected victims to an initial phishing page.",
"Reporting states large HTML and ZIP files accounted for a large share of link-based phishing payloads in the quarter."
],
"x_chain_stage": "html_attachment_entry"
},
{
"id": "e2",
"type": "url",
"value": "<initial visitor-screening phishing page>",
"observed_at": "2026-03-17T00:00:00Z",
"source": "The Hacker News / Microsoft Q1 2026 email threat analysis",
"evidence": [
"Reporting states the HTML redirected victims to an initial phishing page that screened the visitor before routing them onward."
],
"x_placeholder": true,
"x_chain_stage": "tds_visitor_screen"
},
{
"id": "e3",
"type": "url",
"value": "<CAPTCHA-gated routing page>",
"observed_at": "2026-03-17T00:00:00Z",
"source": "The Hacker News / Microsoft Q1 2026 email threat analysis",
"evidence": [
"Reporting states the screening page routed the victim to a page presenting a CAPTCHA challenge before serving the fraudulent sign-in page.",
"Reporting states CAPTCHA-gated phishing evolved rapidly across payload types during Q1 2026."
],
"x_placeholder": true,
"x_chain_stage": "captcha_gate"
},
{
"id": "e4",
"type": "domain",
"value": "<Tycoon 2FA AiTM credential endpoint>",
"observed_at": "2026-03-17T00:00:00Z",
"source": "The Hacker News / Microsoft Q1 2026 email threat analysis",
"evidence": [
"Reporting states the final destination was a fraudulent sign-in page for credential harvesting.",
"Reporting states most observed phishing endpoints were associated with Tycoon 2FA, with additional activity linked to Kratos and EvilTokens infrastructure."
],
"x_placeholder": true,
"x_phaas": "Tycoon 2FA / Kratos / EvilTokens",
"x_chain_stage": "aitm_credential_payload"
}
],
"chain": [
{
"entity_id": "e1",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "n/a",
"review_notes": "HTML attachment; smuggling is ATT&CK, not infrastructure."
},
{
"entity_id": "e2",
"role": "redirector",
"techniques": [
"IIM-T017"
],
"role_confidence": "confirmed",
"technique_confidence": "likely",
"review_notes": "Visitor-screening-then-route behaviour = Traffic Distribution System. T020 (client filtering) is a plausible alternative if screening was UA/TLS-based."
},
{
"entity_id": "e3",
"role": "redirector",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "n/a",
"review_notes": "CAPTCHA gate has no v1.0 technique; candidate for a 'Human-Verification Gate' technique."
},
{
"entity_id": "e4",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "n/a",
"review_notes": "Terminal AiTM credential page (payload role, not a file). PhaaS hosting substrate not specified, so no hosting technique asserted."
}
],
"relations": [
{
"from": "e1",
"to": "e2",
"type": "redirect",
"sequence_order": 1,
"observed_at": "2026-03-17T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"Opening the HTML attachment redirects to the initial screening page."
]
},
{
"from": "e2",
"to": "e3",
"type": "redirect",
"sequence_order": 2,
"observed_at": "2026-03-17T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"The screening page routes the visitor to the CAPTCHA-gated page."
]
},
{
"from": "e3",
"to": "e4",
"type": "redirect",
"sequence_order": 3,
"observed_at": "2026-03-17T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"After the CAPTCHA challenge the victim is served the fraudulent sign-in page."
]
}
],
"attack_annotations": [
{
"technique_id": "T1566.001",
"name": "Phishing: Spearphishing Attachment",
"tactic": "Initial Access",
"comment": "Malicious HTML attachment."
},
{
"technique_id": "T1027.006",
"name": "Obfuscated Files or Information: HTML Smuggling",
"tactic": "Defense Evasion",
"comment": "HTML attachment assembles content client-side."
},
{
"technique_id": "T1656",
"name": "Impersonation",
"tactic": "Defense Evasion",
"comment": "Fraudulent sign-in page impersonates a trusted login."
},
{
"technique_id": "T1557",
"name": "Adversary-in-the-Middle",
"tactic": "Credential Access",
"comment": "Tycoon 2FA / Kratos AiTM session and token theft."
}
]
}