
Tykit Analysis: New Phishing Kit Stealing Hundreds of Microsoft Accounts in Finance

Severity: Medium
Published: Tue Oct 21 2025 (10/21/2025, 21:49:29 UTC)
Source: AlienVault OTX General

Description

Tykit is a newly identified phishing kit targeting Microsoft 365 accounts, active since May 2025. It uses SVG files as delivery vectors and a multi-stage attack chain to mimic Microsoft login pages and steal credentials. The kit employs evasion techniques including Cloudflare Turnstile anti-bot protection and basic anti-debugging measures. It primarily targets industries such as finance, construction, IT, professional services, government, and telecom, with victims globally including the EMEA region. Stolen credentials are exfiltrated via API calls to attacker-controlled servers. The campaign requires user interaction through phishing but does not require prior authentication. This threat poses a medium severity risk due to its potential impact on confidentiality and the widespread use of Microsoft 365 in Europe.

AI-Powered Analysis

Last updated: 10/22/2025, 08:07:27 UTC

Technical Analysis

The Tykit phishing kit represents a sophisticated credential theft campaign targeting Microsoft 365 users across multiple industries worldwide, including Europe. It leverages SVG files as an unconventional delivery vector to bypass traditional email and web filters. Upon user interaction, Tykit initiates a multi-stage attack chain that executes client-side code in several phases, effectively mimicking legitimate Microsoft login pages to harvest credentials. To evade detection and automated analysis, the kit integrates Cloudflare Turnstile, a CAPTCHA-like anti-bot service, and implements basic anti-debugging techniques. The exfiltration of stolen credentials occurs through a series of API calls to command and control servers hosted on domains such as segy.cc and variants, as well as obfuscated subdomains mimicking Microsoft login URLs. The campaign has been active since May 2025 and affects sectors including finance, construction, IT, professional services, government, and telecom. The use of multi-stage execution and evasion tactics increases the difficulty of detection by conventional security solutions. While no known exploits or CVEs are associated with Tykit, its reliance on social engineering and phishing makes user awareness critical. The absence of authentication requirements lowers the barrier for attackers, but user interaction remains necessary for successful compromise.

Potential Impact

For European organizations, the Tykit phishing kit poses a significant threat to the confidentiality of Microsoft 365 credentials, which can lead to unauthorized access to sensitive corporate data, email compromise, and potential lateral movement within networks. Given the widespread adoption of Microsoft 365 across Europe, especially in finance, government, and professional services sectors, successful credential theft could result in data breaches, regulatory non-compliance (e.g., GDPR violations), financial fraud, and reputational damage. The multi-industry targeting and global distribution of victims indicate a broad attack surface. Additionally, compromised accounts could be leveraged for further phishing campaigns or ransomware deployment. The use of Cloudflare Turnstile complicates automated detection and blocking, increasing the risk of successful phishing attempts. The medium severity rating reflects the balance between the need for user interaction and the high impact of credential compromise in critical sectors.

Mitigation Recommendations

European organizations should implement targeted anti-phishing training emphasizing the risks of SVG file attachments and the recognition of sophisticated phishing pages mimicking Microsoft login portals. Deploy advanced email filtering solutions capable of inspecting SVG content and detecting multi-stage phishing payloads. Integrate multi-factor authentication (MFA) for all Microsoft 365 accounts to reduce the risk of account compromise even if credentials are stolen. Monitor network traffic for suspicious API calls to known malicious domains such as segy.cc and its variants, and block these domains at the network perimeter. Employ endpoint detection and response (EDR) tools to identify and quarantine suspicious client-side script execution. Regularly update threat intelligence feeds with indicators of compromise (IOCs) including file hashes and malicious domains associated with Tykit. Conduct phishing simulation exercises tailored to the industries most affected. Finally, enforce strict conditional access policies in Microsoft 365 to limit access based on risk factors and device compliance.
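The monitoring recommendation above (watch for traffic to segy.cc and its variants, and to the lookalike Microsoft login subdomains) can be turned into a small log-matching check. The following is an added example, not code from the AlienVault pulse or the ANY.RUN analysis; the proxy log format and the sample lines are constructed, and only the domains come from the IOC table on this page.

```python
"""Flag proxy/DNS log lines whose destination host matches a Tykit IOC domain.

Matching is label-aware: a host matches an IOC if it equals the IOC or is a
subdomain of it, so 'api.segy.cc' matches 'segy.cc' but 'notsegy.cc' does not.
"""
from typing import Optional

# Domains taken from the IOC table on this page.
TYKIT_DOMAINS = {
    "segy.cc", "segy.shop", "segy.xyz", "segy2.cc",
    "loginmicr0sft0nlineeckaf.52632651246148569845521065.cc",
    "o3loginrnicrosoftlogcu02re.1uypagr.com",
}

# Constructed sample log lines in a hypothetical proxy format:
# <timestamp> <user> <dst_host> <url> <action>
SAMPLE_LOG = """\
2025-10-21T09:12:03Z alice login.microsoftonline.com https://login.microsoftonline.com/common/oauth2 ALLOW
2025-10-21T09:14:11Z bob api.segy.cc https://api.segy.cc/v1/session ALLOW
2025-10-21T09:14:40Z bob notsegy.cc https://notsegy.cc/ ALLOW
2025-10-21T09:15:02Z carol o3loginrnicrosoftlogcu02re.1uypagr.com https://o3loginrnicrosoftlogcu02re.1uypagr.com/login ALLOW
2025-10-21T09:16:30Z dave segy.shop https://segy.shop/ ALLOW
"""

def normalize_host(host: str) -> str:
    """Lowercase and strip a trailing dot so 'SEGY.CC.' compares equal to 'segy.cc'."""
    return host.strip().lower().rstrip(".")

def matches_ioc(host: str, iocs=TYKIT_DOMAINS) -> Optional[str]:
    """Return the matching IOC domain, or None. Subdomains of an IOC count as matches."""
    host = normalize_host(host)
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan_log(text: str, iocs=TYKIT_DOMAINS) -> list:
    """Parse whitespace-separated lines and return hits as dicts for alerting or enrichment."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip it rather than abort the whole scan
        ts, user, host, url, action = parts[:5]
        ioc = matches_ioc(host, iocs)
        if ioc:
            hits.append({"ts": ts, "user": user, "host": host, "ioc": ioc, "action": action})
    return hits
```

Feeding real proxy or DNS logs through scan_log and raising an alert on any hit covers the perimeter-monitoring step; the same IOC set can be pushed to a DNS sinkhole or proxy blocklist for the blocking step.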


Technical Details

Author: AlienVault
TLP: white
References: https://any.run/cybersecurity-blog/tykit-technical-analysis
Adversary: null
Pulse Id: 68f7ffe93793818f9533f09b
Threat Score: null

Indicators of Compromise

Hash

a7184bef39523bef32683ef7af440a5b2235e83e7fb83c6b7ee5f08286731892
ecd3c834148d12af878fd1decd27bbbe2b532b5b48787bad1bde7497f98c2cc8

Domain

segy.cc
segy.shop
segy.xyz
segy2.cc
loginmicr0sft0nlineeckaf.52632651246148569845521065.cc
o3loginrnicrosoftlogcu02re.1uypagr.com

Threat ID: 68f88fd4e21654ab74ba35c2

Added to database: 10/22/2025, 8:03:32 AM

Last enriched: 10/22/2025, 8:07:27 AM

Last updated: 10/23/2025, 8:35:17 AM
