Europol and Microsoft Disrupt Tycoon2FA, a Major MFA-Bypass Phishing-as-a-Service Platform

CyberSecureFox 🦊

International law-enforcement agencies, coordinated by Europol and technically supported by Microsoft, have dismantled the infrastructure of Tycoon2FA — one of the world’s most influential phishing‑as‑a‑service (PhaaS) platforms focused on bypassing multi‑factor authentication (MFA). During the operation, investigators disrupted the service and seized more than 330 domains, including operator control panels and phishing sites used in active campaigns.

Global operation against Tycoon2FA: Europol, Microsoft and private‑sector partners

Microsoft coordinated the technical side of the operation, leveraging its incident response teams and a broad network of private partners. Law‑enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom carried out the infrastructure takedowns and domain seizures.

The investigation began after Trend Micro shared initial intelligence on Tycoon2FA’s infrastructure and activity with Europol. The case quickly evolved into a large multi‑stakeholder effort involving Cloudflare, Coinbase, Intel471, Proofpoint, Shadowserver Foundation, SpyCloud, eSentire, Resecurity and several other organisations.

This model of cooperation reflects the current reality of cybercrime response: data sharing, automated exchange of indicators of compromise (IOCs) and cross‑border legal collaboration are essential to disrupting industrial‑scale platforms such as PhaaS offerings.

How Tycoon2FA phishing‑as‑a‑service operated at scale

Tycoon2FA (also marketed as Tycoon 2FA and attributed by Microsoft to the group Storm‑1747) has been active since August 2023. It provided cybercriminals with a turnkey toolkit to run sophisticated phishing campaigns without deep technical expertise.

According to Microsoft, by mid‑2025 Tycoon2FA was generating tens of millions of phishing emails every month, targeting more than 500,000 organisations worldwide. Up to 60% of all blocked phishing attacks observed in Microsoft’s ecosystem could be traced to this single platform, making it a dominant player in the PhaaS underground market.

Nearly 100,000 organisations were assessed as victims, including government agencies, educational institutions and healthcare providers. Access to the service was sold via Telegram on a subscription basis, at about $120 for 10 days. Such low pricing and ease of use substantially lowered the barrier to entry, enabling even low‑skilled attackers to launch complex, large‑scale phishing campaigns.

Adversary-in-the-middle attacks and MFA bypass

Reverse-proxy phishing and real-time session hijacking

From a technical standpoint, Tycoon2FA was a classic adversary‑in‑the‑middle (AitM) platform. It relied on a reverse proxy to transparently intercept victims’ credentials and session cookies in real time.

Attackers deployed phishing pages closely imitating legitimate Microsoft 365, OneDrive, Outlook, SharePoint and Gmail login forms. Users were lured to these domains and entered their username, password and MFA code, believing they were logging into genuine services.

Tycoon2FA’s infrastructure relayed this data and the MFA code to the real authentication service, while simultaneously harvesting valid session cookies and tokens for the attacker. For the victim, the login process appeared normal; for the attacker, it granted immediate access to an already authenticated session, effectively bypassing MFA.

In many cases, stolen cookies and tokens remained valid even after a password change, until active sessions were explicitly revoked by an administrator or the user. This behaviour is consistent with modern cloud authentication flows and highlights why simple credential resets are insufficient after an AitM compromise.

Why traditional MFA is not enough against modern phishing

Tycoon2FA demonstrates a key limitation of traditional MFA mechanisms such as one‑time passwords (OTP) and push notifications. In an AitM scenario, the attacker does not need to store the MFA code for later use. Instead, the code is relayed in real time through the proxy, allowing the legitimate MFA challenge to be satisfied on behalf of the attacker.

As highlighted in reports such as the Verizon Data Breach Investigations Report (DBIR) and guidance from agencies like CISA, organisations increasingly require phishing‑resistant MFA. This includes FIDO2/WebAuthn authentication, hardware security keys and passkeys, which cryptographically bind authentication to the legitimate domain and are resistant to AitM replay.
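As an added illustration (not from the article, Microsoft or any FIDO library), the following simulates the relying-party checks that make FIDO2/WebAuthn resistant to the relay described above: the browser writes the origin it is actually connected to into clientDataJSON, and the authenticator's signature covers that origin, so a proxy can neither present it unchanged nor rewrite it. All domains are constructed, and an HMAC stands in for the credential's asymmetric signature so the demo runs with the standard library alone.

```python
import base64, hashlib, hmac, json, os
# Constructed values (assumptions): relying-party ID, its allowed origin, a constructed
# AitM domain, and an HMAC key standing in for the credential's private key (stdlib-only demo).
RP_ID = "login.example.test"
ALLOWED_ORIGINS = {"https://login.example.test"}
PHISH_ORIGIN = "https://login.example-proxy.test"
CREDENTIAL_KEY = os.urandom(32)
def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def browser_and_authenticator(origin: str, challenge: bytes) -> dict:
    """The browser records the origin it is really connected to; the authenticator
    signs authenticatorData || SHA-256(clientDataJSON), so that origin is covered."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + bytes(4)  # rpIdHash|flags|counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict, expected_challenge: bytes) -> str:
    """Relying-party checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "reject: wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return "reject: challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return "reject: origin is not the relying party"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "reject: signature does not cover this clientDataJSON"
    return "accept"

def legitimate_login(challenge: bytes) -> str:
    return rp_verify(browser_and_authenticator("https://login.example.test", challenge), challenge)

def relayed_login(challenge: bytes, rewrite_origin: bool = False) -> str:
    """Victim's browser sits on the proxy's domain, so clientDataJSON carries PHISH_ORIGIN.
    Forwarded as-is it fails the origin check; patching the field breaks the signature.
    (The browser's own rpId/origin enforcement, which stops this even earlier, is omitted.)"""
    assertion = browser_and_authenticator(PHISH_ORIGIN, challenge)
    if rewrite_origin:
        cd = json.loads(assertion["clientDataJSON"])
        cd["origin"] = "https://login.example.test"
        assertion["clientDataJSON"] = json.dumps(cd).encode()
    return rp_verify(assertion, challenge)
```

Contrast this with an OTP, which carries no notion of where it was typed: the relying party cannot tell a relayed code from one entered on the genuine page.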

Lessons for organisations: strengthening account security and MFA defenses

The scale of Tycoon2FA and its share of blocked phishing traffic underline the maturity of the phishing‑as‑a‑service ecosystem. Professionally operated platforms remove both the technical and financial barriers for attackers, which is particularly dangerous for small and mid‑sized organisations that rely solely on basic MFA and email filtering.

Organisations should revisit their identity and access security architecture, prioritising:

1. Phishing‑resistant MFA. Deploy hardware security keys, FIDO2/WebAuthn and passkeys for high‑value accounts and privileged users, gradually expanding coverage to the wider workforce.

2. Session and token hardening. Reduce session lifetimes, enforce strict token revocation policies after suspicious activity, and use continuous access evaluation where available.

3. Conditional access controls. Evaluate device health, geolocation, user risk and anomalous behaviour (for example, “impossible travel” or logins from new devices) before granting access.

4. Advanced email and web protection. Implement modern secure email gateways, sandboxing, URL rewriting and DNS/web filtering, combined with rigorous DMARC, SPF and DKIM policies to reduce spoofing and domain abuse.

5. Security awareness and simulation. Regularly train employees to recognise AitM‑style phishing, run realistic phishing simulations, and ensure clear processes for reporting suspicious messages.
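To make items 2 and 3 concrete, here is an added detection example (not from the article or any vendor product) that runs over constructed sign-in records: it flags a session token that is used from a different network or client than the interactive login that minted it, the trace an AitM cookie replay leaves in cloud sign-in logs, and pairs the alert with the revocation step the article notes a password reset alone does not cover. Field names and values are assumptions.

```python
from datetime import datetime

# Constructed sign-in records (not real telemetry). After an AitM capture the victim
# authenticates from their own device, then the harvested session cookie is replayed
# from the attacker's infrastructure minutes later under the same session identifier.
SIGNIN_LOG = [
    {"ts": "2025-06-01T08:02:10Z", "user": "a.user@example.test", "session": "S1",
     "ip": "198.51.100.7", "asn": "AS64500", "ua": "Edge/125 Windows", "event": "interactive_login"},
    {"ts": "2025-06-01T08:02:14Z", "user": "a.user@example.test", "session": "S1",
     "ip": "198.51.100.7", "asn": "AS64500", "ua": "Edge/125 Windows", "event": "token_use"},
    {"ts": "2025-06-01T08:03:40Z", "user": "a.user@example.test", "session": "S1",
     "ip": "203.0.113.50", "asn": "AS64510", "ua": "Chrome/124 Linux", "event": "token_use"},
    {"ts": "2025-06-01T09:10:00Z", "user": "b.user@example.test", "session": "S2",
     "ip": "192.0.2.9", "asn": "AS64520", "ua": "Safari/17 macOS", "event": "interactive_login"},
    {"ts": "2025-06-01T09:30:00Z", "user": "b.user@example.test", "session": "S2",
     "ip": "192.0.2.9", "asn": "AS64520", "ua": "Safari/17 macOS", "event": "token_use"},
]

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_session_replay(events: list, window_minutes: int = 60) -> list:
    """Flag a session whose token is used from a different network (ASN) or client
    (user agent) than the interactive login that minted it, within window_minutes.
    A token used with no observed login for its session is flagged as well."""
    minted_by = {}   # session id -> the interactive login that created it
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):   # ISO-8601 strings sort chronologically
        sid = e["session"]
        if e["event"] == "interactive_login":
            minted_by[sid] = e
            continue
        login = minted_by.get(sid)
        if login is None:
            alerts.append({"session": sid, "user": e["user"], "changed": ["no_login_seen"], "ip": e["ip"]})
            continue
        changed = [f for f in ("asn", "ua") if e[f] != login[f]]
        minutes = (parse_ts(e["ts"]) - parse_ts(login["ts"])).total_seconds() / 60
        if changed and minutes <= window_minutes:
            alerts.append({"session": sid, "user": e["user"], "changed": changed,
                           "minutes_after_login": round(minutes, 1), "ip": e["ip"],
                           "action": "revoke session and refresh tokens, then reset credentials"})
    return alerts
```

In a real tenant the same logic runs over the identity provider's sign-in and non-interactive sign-in logs, with a geolocation or impossible-travel check added to the `changed` test.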

The takedown of Tycoon2FA is a significant achievement for law enforcement and the cybersecurity industry, but it does not mark the end of the PhaaS business model. New platforms inevitably emerge, often learning from previous disruptions and improving their tradecraft. Organisations that treat AitM phishing and MFA bypass as everyday operational risks — investing in phishing‑resistant MFA, robust token management and continuous user education — will be far better positioned to withstand the next generation of large‑scale phishing campaigns.
