Tycoon2FA Phishing Platform Rapidly Recovers After Europol Takedown and Resumes MFA‑Bypassing Attacks

CyberSecureFox

The phishing-as-a-service platform Tycoon2FA, which Europol publicly claimed to have disrupted in early March, has almost fully restored its operations. Despite the seizure of hundreds of domains and the involvement of major technology vendors, the operators behind Tycoon2FA were able to rebuild their infrastructure within days and return to pre‑takedown phishing volumes.

Europol’s Operation Against Tycoon2FA: Impact and Real Limitations

The coordinated law enforcement action, led by Europol with technical support from Microsoft, aimed to destabilize the phishing‑as‑a‑service (PhaaS) ecosystem that Tycoon2FA powers. Authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom seized around 330 domains used as management panels, phishing landing pages, and other infrastructure components.

Analysis by CrowdStrike shows that immediately after the operation, Tycoon2FA’s phishing email volume on 4–5 March dropped to roughly 25% of its usual level. However, only a few days later the platform’s activity rebounded to levels comparable to those seen at the beginning of the year. This rapid recovery underscores how resilient mature PhaaS platforms are to isolated infrastructure takedowns.

How Tycoon2FA Phishing-as-a-Service Targets Microsoft 365 and Gmail

Tycoon2FA operates as a commercial phishing-as-a-service offering, renting out ready‑made phishing infrastructure to other threat actors. Its primary targets are Microsoft 365 and Google Workspace / Gmail cloud accounts, which commonly hold sensitive business data, email communications, and access to additional corporate resources.

By outsourcing infrastructure, templates, and automation to platforms like Tycoon2FA, less technically skilled attackers can run large‑scale phishing campaigns with minimal effort and cost. This “platformization” of cybercrime is a key factor behind the persistently high volume and sophistication of modern phishing attacks.

Adversary-in-the-Middle: How Tycoon2FA Bypasses MFA

The most dangerous capability of Tycoon2FA is its use of adversary‑in‑the‑middle (AitM) techniques. In an AitM attack, the victim is lured to a fake login page that is visually almost identical to the legitimate Microsoft or Google sign‑in page. Behind the scenes, an attacker‑controlled server acts as a reverse proxy, relaying every request and response between the victim and the genuine sign‑in service, so the real service sees what looks like an ordinary, successful login.

This setup allows the platform to:

• Steal usernames and passwords entered by the victim;
• Capture session cookies after successful authentication;
• Bypass multi‑factor authentication (MFA): the victim completes the second‑factor prompt in real time through the proxy, and the attacker then replays the resulting valid session cookie, so the second factor is never needed again.
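A practical way to hunt for this pattern in sign‑in telemetry, as an added example rather than anything from the article or from CrowdStrike or Microsoft tooling: the script below scans constructed newline‑delimited JSON sign‑in records (the field names ts, user, event, session_id, ip and ua are assumptions, not any real log schema) and flags a session that is reused from a different IP address and client shortly after an MFA‑satisfied interactive sign‑in, which is what a replayed session cookie looks like from the defender's side.

```python
"""Detect session-token replay consistent with AitM phishing.

In an AitM compromise the victim really does complete MFA, so the
interactive sign-in itself looks clean; the tell is the resulting
session being used shortly afterwards from a different IP address
and client.  The records below are constructed for this example and
the field names are assumptions, not the schema of a real sign-in log.
"""
import json
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(hours=1)   # assumption: how soon after sign-in a reuse is suspicious

# Constructed sample: alice's session is reused from a new IP and client
# about seven minutes after an MFA-satisfied sign-in; bob's session stays put.
SAMPLE_LOG = """
{"ts":"2025-03-05T09:00:10Z","user":"alice@example.com","event":"interactive_signin","mfa":"satisfied","session_id":"s-7f3a","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/123"}
{"ts":"2025-03-05T09:00:42Z","user":"alice@example.com","event":"token_use","session_id":"s-7f3a","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/123"}
{"ts":"2025-03-05T09:07:05Z","user":"alice@example.com","event":"token_use","session_id":"s-7f3a","ip":"198.51.100.77","ua":"python-requests/2.31"}
{"ts":"2025-03-05T10:15:00Z","user":"bob@example.com","event":"interactive_signin","mfa":"satisfied","session_id":"s-0c21","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2025-03-05T10:20:00Z","user":"bob@example.com","event":"token_use","session_id":"s-0c21","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records and convert the timestamp field."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_session_replays(records, window=REPLAY_WINDOW):
    """Return one finding per session that is used from a different IP *and*
    a different user agent within `window` of the interactive sign-in that
    issued it.  Requiring both to differ keeps mobile IP roaming from firing."""
    issued = {}      # session_id -> the sign-in record that created the session
    flagged = set()
    findings = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        sid = rec["session_id"]
        if rec["event"] == "interactive_signin":
            issued[sid] = rec
            continue
        origin = issued.get(sid)
        if origin is None or sid in flagged:
            continue
        age = rec["ts"] - origin["ts"]
        if age <= window and rec["ip"] != origin["ip"] and rec["ua"] != origin["ua"]:
            flagged.add(sid)
            findings.append({
                "user": origin["user"],
                "session_id": sid,
                "signin_ip": origin["ip"],
                "replay_ip": rec["ip"],
                "replay_ua": rec["ua"],
                "minutes_after_signin": round(age.total_seconds() / 60, 1),
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

In a real deployment the sign‑in IP will typically be the proxy's hosting address rather than the victim's own network, so enriching both IPs with ASN and geolocation and comparing them to the user's history sharpens the signal; the window and the requirement that both IP and user agent differ are tuning knobs, not fixed thresholds.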

According to Microsoft’s public reporting, at its peak Tycoon2FA was responsible for roughly 30 million phishing emails per month and was linked to about 62% of all phishing messages blocked by the company’s defenses. These figures place Tycoon2FA among the most influential phishing‑as‑a‑service platforms in the global threat landscape.

New Tycoon2FA Campaigns: BEC, SharePoint Abuse and AI‑Enhanced Phishing

CrowdStrike’s recent reporting indicates that Tycoon2FA’s core tactics have changed very little after the Europol operation. The platform continues to be widely used for:

• Compromising cloud email and collaboration accounts;
• Launching business email compromise (BEC) attacks by hijacking legitimate business conversations;
• Thread hijacking, where attackers reply within existing email chains to increase trust;
• Distributing malicious links through SharePoint and other cloud services to evade traditional email filters.

Newer campaigns increasingly rely on:

• URL shorteners to hide the true phishing domain;
• Abuse of legitimate online services (such as document‑sharing and presentation platforms) as redirectors;
• Use of compromised domains, which makes reputation‑based blocking more difficult;
• AI‑generated phishing pages and content, improving the realism of fake login portals and reducing the chances that users will spot visual anomalies.

Why Tycoon2FA Survived: The Limits of Infrastructure-Only Operations

CrowdStrike notes that parts of the original Tycoon2FA infrastructure were never taken offline and continued to operate throughout the law enforcement action. In parallel, the operators rapidly registered new domains and IP addresses, replacing much of what was seized. As a result, the removal of 330 domains amounted to a temporary and partial disruption rather than a decisive shutdown.

This case highlights a broader structural challenge in fighting phishing‑as‑a‑service platforms. Without arresting operators and physically seizing core servers, criminals can rebuild relatively quickly by automating domain registration, using distributed hosting providers, and relying on anonymous or cryptocurrency‑based payment channels. As long as demand for turnkey phishing services remains high, the economic incentives for PhaaS operators persist.

For organizations, Tycoon2FA is a reminder that even large‑scale law‑enforcement operations are not a substitute for robust internal defenses. Critical measures include deploying phishing‑resistant authentication such as FIDO2 security keys (the credential is bound to the site's origin, so a proxied login page cannot obtain a usable assertion), enforcing strict access policies for cloud services, monitoring for anomalous logins and session behavior such as a freshly issued session being used from a second IP address and client, and continuously training employees to recognize and verify suspicious emails and links. Reducing the success rate of AitM phishing and BEC attacks is the most effective way to erode the business model of platforms like Tycoon2FA and make large‑scale phishing‑as‑a‑service operations significantly less profitable.
