
Tykit – New SVG Phishing Kit Steals Microsoft 365 Logins

Sensorstechforum.com investigation — A recently surfaced phishing-as-a-service (PhaaS) kit dubbed Tykit has been weaponizing SVG attachments since May 2025 to steal corporate Microsoft 365 credentials. The kit blends multi-stage redirection, heavily obfuscated JavaScript, and anti-bot checks to dodge automated scanning, funneling victims to convincingly spoofed Microsoft login portals.


Why SVG Files? The Misunderstood “Image” Vector

  • SVG is XML-based and can legitimately include scripts and event handlers. Attackers embed JavaScript that executes when the file is opened or viewed directly (in a browser the script runs when the SVG is loaded as a document, not when it is displayed through an <img> tag), turning a seemingly harmless graphic into a redirector or a full phishing page.
  • Many secure email gateways and attachment filters still treat SVGs like static images, performing shallow MIME checks instead of deep content inspection, which helps malicious samples slip through.
  • Industry tracking in 2025 highlighted a surge in SVG-based lures across enterprise mailboxes, prompting platform changes and new detections.

Anatomy of a Tykit Attack

  • Stage 1 — Delivery via SVG: The email lure (invoice, payroll slip, project asset) carries an SVG attachment or link. Inside, the attacker hides a JavaScript payload that reconstructs itself at runtime (e.g., XOR/string-split techniques) and fires a silent redirect when opened.
  • Stage 2 — “Trampoline” Redirect: Victims are shuttled to an intermediate page (“trampoline”) that runs lightweight checks and sometimes displays a decoy prompt (e.g., “enter the last 4 digits of your phone”). The parameterized URL often includes a base64-encoded email to personalize the flow.
  • Stage 3 — Anti-bot Gate: The chain commonly shows an anti-automation widget (e.g., Cloudflare Turnstile) to frustrate scanners and create legitimacy before the final hand-off.
  • Stage 4 — Fake Microsoft 365 Login: A polished replica page validates email formats and nudges users to re-enter credentials if “incorrect.”
  • Stage 5 — Real-time Exfiltration: Credentials are posted to attacker APIs (e.g., /api/validate, /api/login), with responses guiding the user journey (success, error, or re-try). Infrastructure overlaps observed across campaigns indicate reuse of a shared kit.

What’s at Stake

  • Credential theft → downstream compromise: Email, OneDrive, SharePoint, Teams, and other M365 workloads become accessible to intruders.
  • Business Email Compromise (BEC): Stolen accounts fuel internal spear-phishing, invoice fraud, and executive impersonation.
  • Lateral movement: Attackers leverage valid credentials to pivot, escalate privileges, and stage ransomware or data theft.

Known Indicators & Patterns (Defanged)

  • Domain pattern: segy* — recurring strings in Tykit C2/exfil domains (e.g., segy[.]example), useful for pivoting and retro-hunting.
  • File artifacts: SVGs with embedded, obfuscated JavaScript; frequent runtime reconstruction (e.g., XOR); usage of eval after decoding.
  • Network behavior: Multi-hop redirects; POST requests to /api/validate and /api/login endpoints; occasional secondary logging endpoints like /x.php.
  • UX tells: Light-blue “modal”-style SVG art with dashed borders has been observed in some waves as a visual distractor during background execution.

Detection Playbook (SOC/IR)

  • Email/Attachment filtering: Treat SVGs as active content. Enable deep content inspection and sandbox detonation for SVGs; block or quarantine where business justification is weak.
  • Behavioral telemetry: Alert on client-side redirects from SVG renders; JavaScript reconstruction/eval in SVG contexts; dev-tools blocking and right-click suppression on pages reached post-SVG.
  • Network monitoring: Flag unfamiliar domains matching segy* and similar kit clusters. Inspect sequences of 302s culminating in M365 look-alike hosts.
  • Threat intelligence: Continuously enrich with fresh IOCs, and pivot from a single artifact (domain pattern, hash, landing path) to related infrastructure.
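The first two playbook items (treat SVGs as active content; watch for script reconstruction and eval) can be turned into a static pre-filter that parses the SVG as XML and refuses to treat it as a plain image once any active content is present. This is an added example, not code from the article or from any gateway product; both sample SVGs are constructed to mimic the described pattern and are not real Tykit files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not real Tykit files): a plain icon, and a lure that
# mimics the pattern in the article: decoy art plus a self-reconstructing script.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<rect width="10" height="10" fill="lightblue" stroke-dasharray="2"/></svg>"""

LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
<rect width="300" height="120" fill="#cfe8ff" stroke="#555" stroke-dasharray="4"/>
<script><![CDATA[
var p = ["aHR0c", "HM6Ly9"]; var u = atob(p.join(""));
eval(String.fromCharCode(119, 105, 110, 100, 111, 119));
]]></script></svg>"""

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)      # onload, onclick, onerror, ...
# Tokens that show up when a script decodes and rebuilds itself at runtime.
SUSPICIOUS_JS = ("eval(", "atob(", "String.fromCharCode", "unescape(", "location")

def local_name(qualified):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()

def inspect_svg(data):
    """Parse the SVG as XML and list every piece of active content found."""
    findings = []
    for el in ET.fromstring(data).iter():
        name = local_name(el.tag)
        if name == "script":
            findings.append("script element")
            body = el.text or ""
            findings += ["script uses " + t for t in SUSPICIOUS_JS if t in body]
        elif name == "foreignobject":          # can wrap arbitrary HTML
            findings.append("foreignObject element")
        for attr, value in el.attrib.items():
            a = local_name(attr)
            if EVENT_ATTR.match(a):
                findings.append("event handler " + a)
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: href")
    return findings

def should_quarantine(data):
    """Policy hook: any active content means the file is not a static image."""
    return bool(inspect_svg(data))
```

A gateway that wires `should_quarantine` in front of its image allow-list stops treating an SVG as a picture the moment it carries a script, an event handler, or a javascript: link, which is exactly the shallow-MIME-check gap the article describes.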

Prevention & Hardening (Security Leaders)

  • Enforce strong MFA and Zero Trust: Conditional access, sign-in risk evaluation, and phishing-resistant methods limit credential utility even if harvested.
  • Least privilege & segmentation: Reduce blast radius when an identity is compromised.
  • Attachment policy: Sanitize or block risky formats (including SVG) for groups that don’t need them; prefer safe viewers that strip active content.
  • User experience controls: Consider mail client/server policies that suppress inline SVG rendering; educate users that “image” files can execute logic.
  • Response readiness: Practice account lock/reset, OAuth app review, mailbox rule purge, and token revocation for suspected phish incidents.

Rapid Triage Checklist

  • Search mailboxes, gateways, and EDR for SVG attachments delivered around the alert window.
  • Hunt for redirection chains where the first referer is a local file:// or email-origin SVG view.
  • Query proxy/DNS for segy* lookups, and for POSTs to /api/validate / /api/login on non-Microsoft domains.
  • Inspect suspicious pages for anti-bot widgets and dev-tools suppression; capture DOM to recover obfuscated scripts.
  • Reset affected accounts, revoke sessions/tokens, review mailbox rules and OAuth grants, and enable/step-up MFA.
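The network rules from the detection playbook (segy* hosts, POSTs to /api/validate and /api/login off Microsoft domains, 302 chains ending on an M365 look-alike) and the proxy/DNS query in the triage checklist can be expressed as one hunt over proxy logs. This is an added example, not from the article; the log format, client addresses and hostnames are constructed, and the Microsoft suffix list is an assumption to be replaced with the tenant's own allow-list.

```python
import re

# Constructed proxy log (not from the article): client, method, host, path, status.
SAMPLE_LOG = """\
10.0.0.5 GET  cdn.example.com /assets/invoice.svg 200
10.0.0.5 GET  segy-assets.example /t?u=dXNlckBjb3JwLmV4YW1wbGU= 302
10.0.0.5 GET  verify.example /gate 302
10.0.0.5 GET  login.microsoft0nline-secure.example /common/oauth2 200
10.0.0.5 POST login.microsoft0nline-secure.example /api/validate 200
10.0.0.5 POST login.microsoft0nline-secure.example /api/login 200
10.0.0.7 POST login.microsoftonline.com /common/login 200
10.0.0.7 GET  www.office.com /home 200
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")
# Hosts where a credential POST is expected; a kit endpoint anywhere else is suspect.
MS_SUFFIXES = ("microsoftonline.com", "microsoft.com", "office.com", "live.com")
KIT_PATHS = ("/api/validate", "/api/login", "/x.php")
LOOKALIKE = re.compile(r"microsoft|office|m365", re.I)

def is_microsoft(host):
    return any(host == s or host.endswith("." + s) for s in MS_SUFFIXES)

def is_segy(host):
    """Match the segy* naming pattern at the start of any DNS label."""
    return any(label.startswith("segy") for label in host.lower().split("."))

def hunt(log):
    """Return (client, rule, detail) alerts for the three patterns in the article."""
    alerts, chains = [], {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        client, method, host, path, status = m.groups()
        if is_segy(host):
            alerts.append((client, "segy-pattern host", host))
        if method == "POST" and path.split("?")[0] in KIT_PATHS and not is_microsoft(host):
            alerts.append((client, "kit endpoint off-Microsoft", host + path))
        chain = chains.setdefault(client, [])
        if status.startswith("3"):
            chain.append(host)              # another hop in a redirect chain
            continue
        if len(chain) >= 2 and LOOKALIKE.search(host) and not is_microsoft(host):
            alerts.append((client, "redirect chain to look-alike", " -> ".join(chain + [host])))
        chain.clear()                       # a non-3xx response ends the chain
    return alerts
```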

References & Further Reading

Tykit samples and IOCs: Start pivots with the pattern domainName:"segy*" in your threat intel platform. Defang domains when sharing, and enrich with passive DNS, TLS certs, and WHOIS overlaps.

Got new Tykit samples or fresh IOCs? Tip us at Sensorstechforum.com.

Ventsislav Krastev

Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, and helping victims with the latest malware infections, plus testing and reviewing software and the newest tech developments. Having graduated in Marketing as well, Ventsislav also has a passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecurity industry and is a strong believer in the education of every user towards online safety and security.
