Law enforcement and security firms take down huge PhaaS platform

Tycoon 2FA has been responsible for tens of millions of phishing messages, reaching over 500,000 organizations each month worldwide

Concept image of 2FA showing a man on a laptop using phone to authenticate login details.
(Image credit: Getty Images)

Microsoft, Europol, and several security firms have teamed up to disrupt the Tycoon 2FA phishing-as-a-service (PhaaS) platform.

First spotted in August 2023, Tycoon 2FA uses adversary-in-the-middle (AitM) proxying to bypass traditional multi-factor authentication (MFA) and capture session cookies in real time, leading to large-scale account compromise.

It proxies the real Microsoft 365 or Google login page; when the victim enters their credentials and MFA code, it passes them to the legitimate service in real time.

Once the service confirms the identity, it returns a session token, which Tycoon 2FA grabs before it ever reaches the victim's browser and loads into the attacker's own browser. Since that session is already marked as authenticated, the service never prompts for a code again.
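The token theft described above leaves a trace on the defender's side in ordinary sign-in and activity logs: the session is authenticated by one client and then presented by another. The following Python snippet is an added example, not code from the article or from any of the firms it names. It walks a set of constructed sample events (the field names, IP addresses, user agents and session IDs are all invented) and flags any session token used from a different IP or user agent than the client that completed MFA, within an hour of that MFA event. The list of high-risk post-login actions is an assumption chosen for illustration.

```python
"""Flag session tokens presented by a different client than the one that
completed MFA: the pattern an adversary-in-the-middle relay leaves behind
when a captured session cookie is loaded into a second browser.
All sample data below is constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample sign-in / activity events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "ua": "Chrome/124", "event": "mfa_success"},
    {"ts": "2024-05-01T09:01:30", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "ua": "Chrome/124", "event": "mailbox_read"},
    {"ts": "2024-05-01T09:10:00", "user": "bob@example.com", "session": "S2",
     "ip": "198.51.100.7", "ua": "Firefox/125", "event": "mfa_success"},
    {"ts": "2024-05-01T09:12:45", "user": "bob@example.com", "session": "S2",
     "ip": "192.0.2.55", "ua": "Chrome/123", "event": "inbox_rule_created"},
    {"ts": "2024-05-01T09:13:00", "user": "bob@example.com", "session": "S2",
     "ip": "192.0.2.55", "ua": "Chrome/123", "event": "mailbox_read"},
    {"ts": "2024-05-02T11:00:00", "user": "carol@example.com", "session": "S3",
     "ip": "203.0.113.20", "ua": "Safari/17", "event": "mfa_success"},
    {"ts": "2024-05-02T13:30:00", "user": "carol@example.com", "session": "S3",
     "ip": "203.0.113.21", "ua": "Safari/17", "event": "mailbox_read"},
]

# Assumed set of actions that, right after a client change, usually mean the
# intruder is settling into the mailbox (the BEC stage the article describes).
HIGH_RISK_ACTIONS = {"inbox_rule_created", "forwarding_enabled", "oauth_consent"}


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the sample events."""
    return datetime.fromisoformat(value)


def find_token_reuse(events, window=timedelta(hours=1)):
    """Return one alert per session whose token is presented from a client
    (different IP and/or user agent) other than the one that completed MFA,
    within `window` of the MFA event. Later events for an already-flagged
    session are skipped so one hijack yields one alert."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    auth_client = {}   # session id -> (mfa time, ip, user agent)
    flagged = set()
    alerts = []
    for e in ordered:
        sid = e["session"]
        if e["event"] == "mfa_success":
            # Remember which client actually satisfied the MFA challenge.
            auth_client[sid] = (parse_ts(e["ts"]), e["ip"], e["ua"])
            continue
        if sid not in auth_client or sid in flagged:
            continue
        mfa_ts, mfa_ip, mfa_ua = auth_client[sid]
        now = parse_ts(e["ts"])
        if now - mfa_ts > window:
            continue   # slow drift (roaming, DHCP) is out of scope here
        reasons = []
        if e["ip"] != mfa_ip:
            reasons.append(f"ip {mfa_ip} -> {e['ip']}")
        if e["ua"] != mfa_ua:
            reasons.append(f"ua {mfa_ua} -> {e['ua']}")
        if not reasons:
            continue
        flagged.add(sid)
        alerts.append({
            "user": e["user"],
            "session": sid,
            "seconds_after_mfa": int((now - mfa_ts).total_seconds()),
            "reasons": reasons,
            "event": e["event"],
            "severity": "high" if e["event"] in HIGH_RISK_ACTIONS else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_token_reuse(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, only Bob's session is flagged: MFA was satisfied from one IP and browser, and 165 seconds later the same token created an inbox rule from a different IP and browser. Alice's session never changes client, and Carol's IP change happens outside the one-hour window, which keeps benign roaming out of the alert queue. In a real deployment the same logic would read the identity provider's sign-in and audit logs, and the window and fingerprint fields would be tuned to the environment.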

Thanks to its complete PhaaS ecosystem, Tycoon 2FA lowered the barriers to entry for cyber criminals. It offered convincing phishing templates, realistic landing pages, and real‑time capture of credentials and authentication codes, all incorporated into an easy‑to‑use package that scaled quickly. Phishing kits started at just $120 for 10 days' access and $350 for a month.

Campaigns frequently extended beyond simple account access into Business Email Compromise (BEC) attacks. By leveraging hijacked session tokens, attackers were able to embed themselves within corporate email environments to monitor internal communications and financial workflows.

From here, they could send legitimate-looking invoices from the compromised account to a third-party partner or vendor.

"Because the fraudulent request originated from a trusted, authenticated account, this multi-stage fraud model bypassed traditional email security filters," Cloudflare wrote in a blog post.

"This allowed attackers to successfully divert payments to criminal-controlled mule accounts, resulting in significant financial losses."

The group has been responsible for tens of millions of phishing messages reaching over 500,000 organizations each month worldwide. It's been linked to more than 96,000 distinct phishing victims globally, including more than 55,000 Microsoft customers and around 5,350 distinct phishing victims in the UK.

It's hit sectors including education, healthcare, finance, non-profit, and government. By the middle of last year, Tycoon 2FA accounted for around 62% of all phishing attempts blocked by Microsoft.

Now, though, in action coordinated by Europol's European Cybercrime Centre (EC3), Microsoft has seized 330 domains forming the core infrastructure of the criminal service, including phishing pages and control panels.

"Disrupting Tycoon 2FA spanned multiple jurisdictions, underscoring why sustained, coordinated pressure is essential, especially as cybercrime becomes more scalable through automation and AI," said Steven Masada, assistant general counsel in Microsoft's Digital Crimes Unit.

However, warned Trend Micro, taking down the platform is by no means the end of the job.

"Operators have always been known to adapt, rebuild, and migrate to new infrastructure," said the firm in its blog. "Known and suspected users of Tycoon 2FA can attempt to continue operations, and previously stolen credentials and session cookies remain in circulation."

The participants in the takedown operation said they plan to monitor for signs of the service resurfacing, and investigate the users and administrators they've been able to identify so far.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.