Tykit: The New SVG Phishing Kit Targeting Microsoft 365

A New Vector in Credential Theft

The threat landscape is in constant flux, with malicious actors continually adapting to bypass security controls. A recent analysis has uncovered a Phishing-as-a-Service (PhaaS) kit, dubbed Tykit, that uses malicious Scalable Vector Graphics (SVG) attachments as its entry point for compromising corporate Microsoft 365 accounts.

The technique moves beyond plain links and conventional attachments to abuse a file type that is usually classified as an image. Because SVG is an image format, it is often allow-listed by attachment policies and given far lighter scrutiny than executables or macro-enabled documents, even though it is XML that can carry script.

Anatomy of the Tykit Attack Chain

The effectiveness of the Tykit phishing kit lies in its carefully constructed, multi-stage attack chain designed for maximum evasion and user deception. Bl4ckPhoenix Security Labs has examined the core components of this emerging threat.

1. The Lure: The Deceptive SVG File

The attack begins with a phishing email carrying a seemingly harmless SVG attachment. Unlike raster images such as JPEGs or PNGs, an SVG is an XML document: it can contain <script> elements, event-handler attributes such as onload, and hyperlinks, so it can carry JavaScript just as an HTML page can. Threat actors exploit this to hide the initial payload in a format that many gateways treat as a static picture rather than as active content.

2. Evasion Through Redirection and Obfuscation

When the victim opens the attachment directly in a web browser (the default handler for .svg on many Windows systems, so a double-click is enough), the embedded, heavily obfuscated JavaScript executes. Note that this only happens when the SVG is loaded as a top-level document; browsers do not run scripts in SVGs rendered through an <img> tag, and an image viewer ignores them entirely. The script then bounces the user through a series of intermediary URLs before reaching the final phishing page. This redirection chain is a classic evasion technique: the final destination appears nowhere in the email body and sits encoded inside the attachment, so gateways that extract and reputation-check URLs never see it.
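Steps 1 and 2 describe what a defender has to find inside the attachment: script elements, event-handler attributes, javascript: links, and a destination hidden behind base64 so that atob() can rebuild it at run time. The scanner below is an added example written for this article; it is not code from the Tykit kit, from Bl4ckPhoenix Security Labs, or from any mail gateway product. The two SVG samples are constructed for illustration (the host redirect.example.net is an assumption, not an indicator from the campaign), and the helper names are ours.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# --- Constructed samples (not real Tykit artifacts) ---------------------------
# The hidden hop is base64-encoded at import time so the literal is guaranteed
# correct; a real kit ships only the obfuscated string. Host name is assumed.
_HIDDEN_URL = "https://redirect.example.net/step1"
_HIDDEN_B64 = base64.b64encode(_HIDDEN_URL.encode()).decode()

MALICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="240" height="80" onload="init()">
  <text x="12" y="40">Invoice_Q3.pdf (click to open)</text>
  <script><![CDATA[
    var p = "__B64__";
    function init() { window.location = atob(p); }   // first hop of the redirect chain
  ]]></script>
  <a xlink:href="javascript:init()"><rect width="240" height="80" fill="none"/></a>
</svg>
""".replace("__B64__", _HIDDEN_B64)

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32">
  <circle cx="16" cy="16" r="12" fill="#1e88e5"/>
</svg>
"""

XML_NS_PREFIX = "http://www.w3.org/"          # namespace URIs, not navigation targets
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)  # onload, onclick, onerror, ...
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def _local(name: str) -> str:
    """Strip ElementTree's '{namespace}' prefix and lower-case the name."""
    return name.rsplit("}", 1)[-1].lower()


def _decode_blobs(text: str):
    """Yield UTF-8 strings hidden in base64 runs (what atob() would rebuild)."""
    for blob in B64_BLOB.findall(text):
        padded = blob + "=" * (-len(blob) % 4)
        try:
            yield base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue


def scan_svg(data: str) -> dict:
    """Return findings, discovered URLs and a verdict for one SVG document."""
    findings = []
    urls = {u for u in URL_RE.findall(data) if not u.startswith(XML_NS_PREFIX)}

    try:
        root = ET.fromstring(data)
    except ET.ParseError as err:
        # Record the parse failure; the regex stage below still runs on raw text.
        findings.append(("malformed_xml", str(err)))
        root = None

    if root is not None:
        for el in root.iter():
            tag = _local(el.tag) if isinstance(el.tag, str) else ""
            if tag == "script":
                findings.append(("script_element", (el.text or "").strip()[:60]))
            elif tag == "foreignobject":
                findings.append(("foreign_object", "embedded HTML content"))
            for attr, value in el.attrib.items():
                name = _local(attr)
                if EVENT_ATTR.match(name):
                    findings.append(("event_handler", f"{name}={value[:60]}"))
                if name == "href" and value.strip().lower().startswith(("javascript:", "data:")):
                    findings.append(("active_href", value[:60]))

    # Recover destinations hidden behind base64: the first hop of the chain.
    for decoded in _decode_blobs(data):
        for u in URL_RE.findall(decoded):
            findings.append(("base64_url", u))
            urls.add(u)

    active = {"script_element", "event_handler", "active_href", "foreign_object", "base64_url"}
    verdict = "suspicious" if any(kind in active for kind, _ in findings) else "clean"
    return {"verdict": verdict, "findings": findings, "urls": sorted(urls)}


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        result = scan_svg(doc)
        print(f"{label}: {result['verdict']}")
        for kind, detail in result["findings"]:
            print(f"  [{kind}] {detail}")
        print(f"  urls: {result['urls']}")
```

The verdict is deliberately coarse: legitimate SVGs can contain script, so a hit is a quarantine signal for an analyst, not proof of compromise. The recovered URL is the useful artifact; it is what a sandbox should follow to map the rest of the redirect chain, and what a gateway that only scans the email body would have missed.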

3. Bypassing Automated Analysis with CAPTCHA

One of Tykit's more effective evasion features is its use of Cloudflare's Turnstile challenge in front of the final page. Before the fake Microsoft 365 login is shown, the victim must pass the challenge. This serves two purposes:

  • It stops URL-detonation sandboxes and crawlers that cannot complete the challenge, so automated analysis never reaches the final phishing page and the infrastructure behind it stays unflagged for longer.
  • It lends the process a false sense of legitimacy, since users routinely encounter such challenges on genuine sites.

The Endgame: Hijacking Corporate Credentials

After passing through the redirection chain and the challenge, the victim lands on a pixel-perfect replica of the Microsoft 365 login portal. Any credentials entered there are captured and sent to the attacker-controlled server. With a valid corporate password in hand, the attacker can attempt to sign in to the account and reach the mail, files and services it has access to.

Implications for Security Teams

The emergence of Tykit highlights a recurring challenge for defenders. Its combination of SVG attachments, multi-stage redirection and a bot-filtering challenge shows a clear understanding of where automated controls stop looking. Organisations should revisit their defence-in-depth assumptions, starting with the belief that an image attachment is passive content.

As a PhaaS offering, the kit lowers the barrier to entry, letting less-skilled actors run polished campaigns against high-value corporate environments. Security awareness training should cover this lure explicitly, in particular that an "image" attachment that opens a browser window and asks for a login is a red flag. On the technical side, treat SVG attachments as active content: block or quarantine them at the mail gateway, inspect those that must be delivered for script elements, event-handler attributes and javascript: links, and change the default file association so a double-clicked .svg opens in an image viewer rather than a browser.