Cybersecurity researchers have uncovered Tykit, a phishing kit built to harvest Microsoft 365 credentials through a sophisticated, multi-stage attack chain. The operation relies on malicious SVG files, anti-bot checks, and convincing login pages to bypass traditional defenses and trick users into surrendering their accounts.
What Happened With Tykit
Tykit, also referred to as “Typical PhishKIT,” surfaced in 2025 and quickly spread across multiple industries. The campaign starts with emails containing SVG attachments disguised as invoices, protected documents, or business-related files.
Unlike ordinary raster images, SVG files are XML documents that can embed JavaScript. Once opened in a browser, the embedded code redirects victims through several stages:
- A malicious SVG launches hidden scripts.
- Victims are sent to an intermediate page.
- A CAPTCHA, often Cloudflare Turnstile, filters out automated analysis systems.
- Users arrive at a counterfeit Microsoft 365 login page.
- Credentials are transmitted to attacker-controlled infrastructure via API requests.
Researchers observed common patterns across hundreds of samples, suggesting Tykit operates as a mature phishing-as-a-service platform rather than isolated campaigns.
Who Tykit Affects
Tykit primarily targets organizations using Microsoft 365. Sectors affected by the campaign include:
- Finance
- Construction
- Information technology
- Government agencies
- Telecommunications
- Professional services
- Real estate
- Education
Victims have been identified across North America, Europe, Southeast Asia, Latin America, and the Middle East. Successful account compromise can expose:
- Outlook email accounts
- OneDrive files
- SharePoint resources
- Teams communications
- Internal business systems
Stolen credentials may also pave the way for business email compromise (BEC), lateral movement, and even ransomware attacks.
Expert Commentary on Tykit
Tykit highlights how attackers are increasingly abusing trusted technologies and even security mechanisms to improve their success rates.
SVG Attachments as Attack Vectors
Many email gateways treat SVG files as harmless images, allowing embedded scripts to slip past basic inspection. The JavaScript is typically obfuscated and reconstructed at runtime before it redirects victims to the phishing pages.
Anti-Bot Evasion
Cloudflare Turnstile CAPTCHA is used to keep automated scanners and analysis systems away from the phishing infrastructure, making detection more difficult.
Adversary-in-the-Middle Techniques
Tykit goes beyond simple credential theft. It can intercept authentication sessions and steal tokens, potentially bypassing some forms of multi-factor authentication.
Reusable Infrastructure
Researchers identified recurring domain structures and API endpoints such as /api/validate and /api/login, suggesting centralized infrastructure shared across multiple campaigns.
How to Stay Safe From Tykit
Organizations should adopt layered defenses against phishing threats:
- Treat SVG attachments as active content rather than harmless images.
- Enable deep inspection and sandbox analysis for email attachments.
- Restrict or block SVG files if they are not required for business operations.
- Deploy phishing-resistant MFA methods such as FIDO2 security keys.
- Monitor for suspicious redirects and unusual API traffic.
- Review mailbox rules and OAuth permissions after suspected compromises.
- Train employees to recognize unexpected document emails and login prompts.
- Disable legacy authentication protocols whenever possible.
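As an added illustration of the first two recommendations, not code from the original article or from the researchers who analysed Tykit, the following Python check treats an SVG attachment as active content: it parses the file as XML and reports script elements, event-handler attributes, `javascript:`/`data:` links and external links. The two sample attachments are constructed for the demo and are not real Tykit samples; an element or attribute name flagged here is a reason to sandbox or quarantine the message, not proof of malice.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample attachments for the demo (not real Tykit samples).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script>/* placeholder script body */</script>
  <a href="https://example.invalid/doc"><text>Open invoice</text></a>
</svg>"""

# Elements that make an SVG "active" rather than a plain picture.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG attachment should be treated as active content."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # An image that does not even parse deserves a closer look.
        return [f"unparseable XML ({exc})"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()  # strip the XML namespace
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in elem.attrib.items():
            local = name.split("}")[-1].lower()  # handles xlink:href too
            if local.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler attribute {local}")
            elif local == "href" and re.match(r"^\s*(javascript|data):", value, re.I):
                findings.append(f"href with {value.split(':', 1)[0].strip()}: scheme")
            elif local == "href" and re.match(r"^\s*https?://", value, re.I):
                findings.append(f"external link {value.strip()}")
    return findings


def is_active_svg(data: bytes) -> bool:
    """True when the attachment should be sandboxed or blocked instead of rendered."""
    return bool(svg_findings(data))


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, svg_findings(sample))
```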
Conclusion
Tykit demonstrates how phishing operations have evolved into highly organized services capable of bypassing many traditional security layers. By combining malicious SVG files, anti-analysis techniques, and realistic Microsoft 365 impersonation pages, attackers significantly increase their chances of stealing credentials. Organizations that depend heavily on cloud identities should view these campaigns as identity attacks and implement multiple layers of protection to minimize risk.
