Europol Dismantles Tycoon 2FA: Inside the Takedown of a 64,000-Attack Phishing-as-a-Service Platform

Executive Summary
On March 4, 2026, a Europol-led coalition of law enforcement and private sector partners dismantled the Tycoon 2FA phishing-as-a-service (PhaaS) platform, which had enabled over 64,000 large-scale phishing attacks globally since its emergence in 2023. Tycoon 2FA specialized in adversary-in-the-middle (AiTM) phishing, allowing threat actors to bypass multifactor authentication (MFA) and compromise accounts across sectors including education, healthcare, finance, government, and non-profit organizations. The takedown involved the seizure of more than 330 domains and the identification of the platform’s primary operator, tracked as Storm-1747 by Microsoft. Despite this disruption, the techniques pioneered by Tycoon 2FA—such as real-time MFA interception, rapid infrastructure rotation, and advanced evasion—are expected to persist in future phishing campaigns. Organizations are advised to adopt phishing-resistant MFA, enhance session and device controls, and maintain robust detection and response capabilities to mitigate ongoing risks. All information in this summary is directly supported by the cited sources (Intel 471, Microsoft).
Technical Information
Tycoon 2FA was a sophisticated phishing-as-a-service (PhaaS) platform that enabled threat actors to conduct large-scale credential harvesting and account takeover campaigns by bypassing multifactor authentication (MFA). The platform emerged in 2023 as a standard phishing kit and evolved in early 2024 into a full-featured adversary-in-the-middle (AiTM) service (Intel 471). This evolution allowed attackers to intercept both user credentials and session cookies during live authentication sessions, granting persistent access to compromised accounts even after password resets unless sessions were explicitly revoked (Microsoft).
Attack Chain
The typical Tycoon 2FA attack began with a phishing email, often themed as payment confirmations, voicemail notifications, or legal notices. These emails contained malicious links or attachments—such as PDFs, SVGs, HTML, or DOCX files—frequently embedded with QR codes or JavaScript (Intel 471, Microsoft). When a victim clicked a link or scanned a QR code, they were redirected to a phishing site protected by a CAPTCHA or Cloudflare Turnstile challenge, designed to block automated analysis and ensure only real users proceeded.
The phishing site dynamically generated a login page that mimicked the branding, logos, and color schemes of the victim’s organization or a trusted service such as Microsoft 365, Outlook, SharePoint, OneDrive, Gmail, Docusign, or GoDaddy. This was achieved by parsing the victim’s email address and tailoring the page accordingly (Intel 471). The site then prompted the user to enter their credentials and complete the MFA process. Tycoon 2FA acted as a proxy, relaying these credentials and MFA codes to the legitimate service in real time, capturing the resulting session cookie.
Once the session cookie was obtained, attackers could access the victim’s account without further authentication, even if the password was changed, unless all active sessions and tokens were revoked (Microsoft). Attackers often established persistence by modifying mailbox rules, registering new authenticator apps, or launching additional phishing campaigns from compromised accounts.
Infrastructure and Evasion
Tycoon 2FA infrastructure was highly dynamic, leveraging rapid domain and subdomain rotation, a wide variety of top-level domains (TLDs), and short-lived fully qualified domain names (FQDNs) that often existed for only 24–72 hours (Microsoft). Domains were registered with privacy protection and hosted primarily on Cloudflare. Subdomains often used recognizable words or brand names to evade detection models based on entropy or irregularity.
The platform employed advanced evasion techniques, including heavy JavaScript and HTML obfuscation, anti-debugging and anti-copy mechanisms, browser fingerprinting, and custom CAPTCHA challenges that changed frequently. If automated analysis or suspicious activity was detected, the phishing kit redirected users to benign decoy pages or legitimate sites, further complicating detection and investigation (Intel 471, Microsoft).
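To make the evasion point above concrete, here is an added example (not code from the original post, Intel 471 or Microsoft) that scores constructed lure hostnames on two signals: a character-entropy heuristic of the kind the word-based subdomains were designed to slip past, and FQDN age, which catches the 24–72 hour infrastructure regardless of how the label is spelled. The hostnames, timestamps, word list, 3.8-bit threshold and 72-hour window are all invented for the illustration.

```python
import math
from datetime import datetime, timezone

# Constructed lure hostnames as (subdomain label, registered domain, first-seen time).
# Placeholder names for illustration only, not real indicators from the takedown.
SAMPLE = [
    ("xq7v2k9pfe3h1mzb", "example-lure.top", "2026-03-01T08:00:00Z"),  # random-looking, ~28h old
    ("secure-login",     "example-lure.top", "2026-03-01T09:15:00Z"),  # dictionary words, ~27h old
    ("sharepoint-docs",  "example-corp.com", "2025-01-10T12:00:00Z"),  # legitimate-looking, >1 year old
]

# Small constructed word/brand list standing in for a real one.
DICTIONARY = {"secure", "login", "sharepoint", "docs", "office", "portal", "account"}

# Fixed reference time so the example is deterministic when run offline.
NOW = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)


def shannon_entropy(label: str) -> float:
    """Bits per character over the label's own symbol frequencies."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dictionary_label(label: str) -> bool:
    """True when every hyphen-separated token is a known word or brand name."""
    tokens = [t for t in label.lower().split("-") if t]
    return bool(tokens) and all(t in DICTIONARY for t in tokens)


def triage(label, domain, first_seen_iso, now=NOW, max_age_hours=72.0, entropy_threshold=3.8):
    """Combine the entropy heuristic with FQDN age; age is the signal that survives word-based labels."""
    first_seen = datetime.fromisoformat(first_seen_iso.replace("Z", "+00:00"))
    age_hours = (now - first_seen).total_seconds() / 3600
    ent = shannon_entropy(label)
    reasons = []
    if ent >= entropy_threshold:
        reasons.append(f"random-looking label ({ent:.2f} bits/char)")
    if age_hours <= max_age_hours:
        reasons.append(f"FQDN first seen {age_hours:.0f}h ago")
    return {
        "fqdn": f"{label}.{domain}",
        "entropy": round(ent, 2),
        "dictionary_label": is_dictionary_label(label),
        "age_hours": round(age_hours, 1),
        "verdict": "review" if reasons else "baseline",
        "reasons": reasons,
    }


def review_queue(sample=SAMPLE):
    """FQDNs that need analyst attention under the combined heuristic."""
    return [r["fqdn"] for r in (triage(*row) for row in sample) if r["verdict"] == "review"]


if __name__ == "__main__":
    for row in SAMPLE:
        print(triage(*row))
```

Run as-is, the random-looking label is flagged on both signals, while `secure-login` scores about the same entropy as the legitimate `sharepoint-docs` and is caught only because its FQDN is a day old. The practical takeaway is that a domain-age or first-seen feed (passive DNS, certificate transparency, the web proxy's own history) belongs alongside any string-based heuristic.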
Platform Features and Operator Model
Tycoon 2FA was sold and supported primarily through Telegram and Signal channels, with access starting at approximately $120 USD for 10 days and $350 USD for a month (Microsoft). The web-based administration panel allowed operators to configure campaigns, select lure templates, customize branding, manage redirect logic, and track victim interactions in real time. Captured credentials and session cookies were exfiltrated via encrypted channels, often through Telegram bots.
The platform’s accessibility and automation lowered the barrier to entry for less technically skilled threat actors, while its adaptability and regular updates attracted more experienced operators. By mid-2025, Tycoon 2FA accounted for 62% of all phishing attempts blocked by Microsoft, with tens of millions of phishing emails sent monthly and nearly 100,000 organizations affected globally (Intel 471, Microsoft).
Hybridization and Code Reuse
In late 2025, malware analysis revealed hybrid phishing kits combining code from Tycoon 2FA and the now-defunct Salty 2FA platform. This blending of infrastructure and payloads complicated detection and attribution, as single campaigns could leverage features from multiple kits (Intel 471).
MITRE ATT&CK Mapping
Initial Access: T1566.001 (Phishing: Spearphishing Attachment), T1566.002 (Phishing: Spearphishing Link)
Execution: T1204.002 (User Execution: Malicious File)
Defense Evasion: T1027 (Obfuscated Files or Information), T1036 (Masquerading)
Credential Access: T1556.002 (Modify Authentication Process: AiTM), T1110.002 (Brute Force: Password Guessing)
Collection: T1114 (Email Collection)
Exfiltration: T1041 (Exfiltration Over C2 Channel)
Persistence: T1098 (Account Manipulation)
Attribution
Microsoft attributes the operation of Tycoon 2FA to the threat actor Storm-1747 with high confidence, based on technical evidence and law enforcement action (Microsoft). However, due to the PhaaS model, multiple criminal groups and individuals rented and used the platform, making attribution for individual incidents challenging. There is no corroborated evidence of nation-state use as of March 2026 (Intel 471).
Affected Versions & Timeline
Tycoon 2FA was first observed in 2023 as a standard phishing kit and evolved into an AiTM platform in early 2024. Its infrastructure and capabilities were continuously updated through 2025 and early 2026. The platform was responsible for over 64,000 confirmed phishing incidents and tens of millions of phishing emails each month, affecting nearly 100,000 organizations worldwide (Intel 471, Microsoft).
Key timeline events:
- 2023: Emergence as a standard phishing kit.
- Early 2024: Transition to AiTM platform with real-time MFA bypass.
- Mid-2025: Dominant PhaaS, responsible for 62% of phishing attempts blocked by Microsoft.
- Late 2025: Hybridization with Salty 2FA observed.
- Jan–Feb 2026: Surge in campaigns using new TLDs and hybrid kits.
- March 4, 2026: Europol-led takedown, with 330+ domains seized and infrastructure dismantled (Intel 471, Microsoft).
Threat Activity
Tycoon 2FA enabled a wide range of threat actors, from novices to experienced cybercriminals, to conduct scalable phishing campaigns targeting organizations across all sectors. The platform’s AiTM capabilities allowed attackers to bypass MFA and gain persistent access to accounts, leading to credential theft, session hijacking, and potential follow-on activities such as business email compromise, data exfiltration, and fraud (Intel 471, Microsoft).
Sector-specific targeting included education, healthcare, finance, government, and non-profit organizations. Phishing lures were tailored to mimic trusted brands and workflows relevant to each sector. The global reach of the platform resulted in nearly 100,000 organizations being affected, with campaigns observed in North America, Europe, and other regions.
The takedown of Tycoon 2FA disrupted a major source of account takeover and cybercrime, but the techniques it pioneered—such as AiTM phishing, rapid infrastructure rotation, and advanced evasion—are likely to be adopted by other threat actors and platforms.
Mitigation & Workarounds
Mitigation recommendations are prioritized by severity:
Critical
- Enforce phishing-resistant MFA: Transition to hardware-backed security keys (such as YubiKey), certificate-based authentication, or passkeys. Avoid reliance on SMS or app-based codes alone (Intel 471, Microsoft).
- Immediately reset credentials and revoke all active sessions/tokens for any suspected compromised accounts. Re-register or remove MFA devices as needed (Microsoft).
High
- Strengthen session and device controls: Use Microsoft Entra Conditional Access to require managed device compliance and disable legacy authentication. Monitor for post-authentication anomalies, such as impossible travel or unauthorized session hijacking (Intel 471, Microsoft).
- Harden email and web gateways: Deploy security layers to detect AiTM signatures and block known PhaaS infrastructure via DNS/URL filtering. Enable Microsoft Defender for Office 365 features such as Safe Links, Safe Attachments, and Zero-hour auto purge (ZAP) (Microsoft).
Medium
- Ensure user awareness: Train employees to recognize unsolicited login requests and encourage the use of official websites and apps over email-delivered links (Intel 471).
- Proactively detect and respond: Flag unauthorized mail routing rules and suspicious account-level permissions. Use Microsoft Defender for Cloud Apps to detect session cookie theft (Intel 471, Microsoft).
Low
- Run simulated phishing campaigns to test user resilience and reinforce training.
- Regularly review and update security policies to align with evolving phishing and identity attack techniques.
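As an added example of the post-authentication and mail-routing-rule monitoring recommended above (not code from the original post or from the cited vendors), the following script runs two checks over constructed events: impossible travel between consecutive sign-ins by the same user, and inbox rules that forward mail externally or hide it, correlated with a recent sign-in from a non-compliant device. The event schema, user names, documentation-range IPs, coordinates, the 1000 km/h and 60-minute thresholds and the folder list are assumptions for the illustration; in practice the inputs would come from the identity provider's sign-in log and the mailbox audit log.

```python
import math
from datetime import datetime

# Constructed sign-in events (invented users, documentation-range IPs, rough city coordinates).
SIGNINS = [
    {"user": "alice@example.com", "time": "2026-03-02T09:00:00Z", "ip": "203.0.113.10",
     "lat": 51.51, "lon": -0.13, "device_compliant": True},
    {"user": "alice@example.com", "time": "2026-03-02T09:40:00Z", "ip": "198.51.100.7",
     "lat": 40.71, "lon": -74.01, "device_compliant": False},
    {"user": "bob@example.com", "time": "2026-03-02T08:30:00Z", "ip": "203.0.113.22",
     "lat": 51.51, "lon": -0.13, "device_compliant": True},
    {"user": "bob@example.com", "time": "2026-03-02T13:00:00Z", "ip": "203.0.113.22",
     "lat": 51.50, "lon": -0.12, "device_compliant": True},
]

# Constructed inbox-rule creation events as a mailbox audit log might record them.
MAILBOX_RULES = [
    {"user": "alice@example.com", "time": "2026-03-02T09:52:00Z", "name": ".",
     "actions": {"forward_to": "collector@attacker.example", "move_to": "RSS Feeds"}},
    {"user": "bob@example.com", "time": "2026-03-02T13:10:00Z", "name": "Newsletters",
     "actions": {"move_to": "Newsletters"}},
]

# Folders attackers commonly use to hide mail from the victim (assumed list).
SUSPICIOUS_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive", "junk email"}


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(math.radians(lat1)) * math.cos(math.radians(lat2)) * math.sin(dlmb / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(signins, max_speed_kmh=1000.0):
    """Flag consecutive sign-ins by one user that imply an implausible travel speed."""
    alerts, last_seen = [], {}
    for ev in sorted(signins, key=lambda e: parse_ts(e["time"])):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (parse_ts(ev["time"]) - parse_ts(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0 and km / hours > max_speed_kmh:
                alerts.append({"user": ev["user"], "from_ip": prev["ip"], "to_ip": ev["ip"],
                               "km": round(km), "speed_kmh": round(km / hours)})
        last_seen[ev["user"]] = ev
    return alerts


def suspicious_rules(rules, signins, internal_domain="example.com", window_minutes=60):
    """Flag rules that exfiltrate or hide mail, then tie them to a recent unmanaged-device sign-in."""
    alerts = []
    for rule in rules:
        reasons = []
        actions = rule["actions"]
        fwd = actions.get("forward_to", "")
        if fwd and not fwd.lower().endswith("@" + internal_domain):
            reasons.append(f"forwards externally to {fwd}")
        if actions.get("move_to", "").lower() in SUSPICIOUS_FOLDERS:
            reasons.append(f"hides mail in '{actions['move_to']}'")
        if actions.get("delete"):
            reasons.append("deletes incoming mail")
        if len(rule["name"].strip()) <= 2:
            reasons.append("near-empty rule name")
        if reasons:  # only correlate rules that already look wrong
            created = parse_ts(rule["time"])
            for ev in signins:
                if ev["user"] != rule["user"] or ev["device_compliant"]:
                    continue
                minutes = (created - parse_ts(ev["time"])).total_seconds() / 60
                if 0 <= minutes <= window_minutes:
                    reasons.append(f"created {minutes:.0f} min after unmanaged-device sign-in from {ev['ip']}")
                    break
            alerts.append({"user": rule["user"], "rule": rule["name"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS) + suspicious_rules(MAILBOX_RULES, SIGNINS):
        print(alert)
```

With the sample data, Alice's London-to-New-York hop in forty minutes is flagged as impossible travel, and her unnamed rule that forwards externally and moves mail to the RSS folder is flagged and linked to the non-compliant sign-in twelve minutes earlier; Bob's ordinary rule and same-city sign-ins produce nothing. Because a stolen session cookie produces a valid, already-authenticated session, these post-authentication signals are what remain once the login itself looks legitimate, which is why the recommendation pairs them with session revocation rather than a password reset alone.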
References
Intel 471, "Born to bypass MFA: Taking down Tycoon 2FA", March 4, 2026: https://www.intel471.com/blog/born-to-bypass-mfa-taking-down-tycoon-2fa
Microsoft Security Blog, "Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale", March 4, 2026: https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/
About Rescana
Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor, assess, and respond to evolving threats in their digital supply chain. Our platform supports the identification of phishing infrastructure, detection of credential harvesting campaigns, and assessment of vendor security posture. For questions regarding this incident or to discuss how Rescana can support your organization’s security operations, contact us at ops@rescana.com.