
Law enforcement, tech firms disrupt Tycoon 2FA phishing-as-a-service


Authorities and cybersecurity companies have coordinated a major disruption of a phishing infrastructure responsible for large-scale enterprise credential theft.

 

What happened

Microsoft, Europol, and several cybersecurity firms moved to disrupt Tycoon 2FA, a phishing service that allowed attackers to bypass multi-factor authentication and compromise enterprise accounts. According to ITPro, the platform used an adversary-in-the-middle technique: a look-alike login page that acted as a proxy between the victim and the real service, relaying usernames, passwords, and authentication codes in real time as users attempted to sign in to services such as Microsoft 365 or Google Accounts. Once the real service accepted the credentials and verification code, the platform captured the resulting session cookies, the login tokens that keep a user signed in, so attackers could hijack the authenticated session without being prompted for a verification code again. Investigators said the service sent tens of millions of phishing messages and reached more than 500,000 organizations worldwide each month, and the campaign has been linked to more than 96,000 phishing victims, including tens of thousands of Microsoft customers.
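The cookie hijack described above leaves a footprint defenders can look for: the identity provider minted the session during a sign-in from one IP (the proxy's), and the same cookie is then presented from another IP (the attacker's) minutes later. The script below, an added example that is not from the article or from any of the vendors it cites, runs that heuristic over a few constructed sign-in events. The JSON field names, the example IPs and ASNs, and the 30-minute window are assumptions made for illustration, not any real identity provider's schema.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events in JSON-lines form. The field names are an
# assumption made for this example, not a real identity provider's schema.
# Alice: OTP sign-in, then the same session appears from a hosting-provider IP
# four minutes later and creates an inbox rule (typical post-AiTM behaviour).
# Bob: normal sign-in, activity from the same IP.
# Carol: session reused from a new network four hours later (roaming, not flagged).
SAMPLE_EVENTS = """\
{"ts": "2024-06-03T09:00:12Z", "type": "signin", "user": "alice@example.com", "session": "S-1001", "ip": "203.0.113.10", "asn": "AS64500", "mfa": "otp"}
{"ts": "2024-06-03T09:04:40Z", "type": "activity", "user": "alice@example.com", "session": "S-1001", "ip": "198.51.100.7", "asn": "AS64501", "action": "mail.read"}
{"ts": "2024-06-03T09:06:02Z", "type": "activity", "user": "alice@example.com", "session": "S-1001", "ip": "198.51.100.7", "asn": "AS64501", "action": "inboxrule.create"}
{"ts": "2024-06-03T10:15:00Z", "type": "signin", "user": "bob@example.com", "session": "S-2002", "ip": "203.0.113.55", "asn": "AS64500", "mfa": "otp"}
{"ts": "2024-06-03T10:20:00Z", "type": "activity", "user": "bob@example.com", "session": "S-2002", "ip": "203.0.113.55", "asn": "AS64500", "action": "mail.read"}
{"ts": "2024-06-03T11:00:00Z", "type": "signin", "user": "carol@example.com", "session": "S-3003", "ip": "203.0.113.80", "asn": "AS64500", "mfa": "otp"}
{"ts": "2024-06-03T15:00:00Z", "type": "activity", "user": "carol@example.com", "session": "S-3003", "ip": "192.0.2.9", "asn": "AS64502", "action": "mail.read"}
"""

# How soon after the MFA sign-in a new source IP counts as suspicious (tunable).
REPLAY_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: e["ts"])


def find_session_replays(events, window=REPLAY_WINDOW):
    """Flag sessions presented from a new IP shortly after the sign-in that minted them.

    The IdP saw the proxy's IP when the victim logged in; the stolen cookie then
    shows up from the attacker's own IP. One finding per session, with the
    elapsed time and the first action taken, which is what a triage queue needs.
    """
    minted_by = {}   # session id -> the sign-in event that created it
    findings = {}    # session id -> finding (first suspicious reuse only)
    for event in events:
        sid = event["session"]
        if event["type"] == "signin":
            minted_by[sid] = event
            continue
        signin = minted_by.get(sid)
        if signin is None or sid in findings:
            continue
        elapsed = event["ts"] - signin["ts"]
        if event["ip"] != signin["ip"] and elapsed <= window:
            findings[sid] = {
                "user": event["user"],
                "session": sid,
                "mfa_at_signin": signin["mfa"],
                "signin_ip": signin["ip"],
                "reuse_ip": event["ip"],
                "reuse_asn": event["asn"],
                "minutes_after_signin": round(elapsed.total_seconds() / 60, 1),
                "first_action": event["action"],
            }
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_session_replays(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

Only Alice's session is flagged: the cookie minted at 09:00 from 203.0.113.10 is presented from 198.51.100.7 four and a half minutes later. Carol's change of network falls outside the window and is left alone, which is the trade-off a window like this makes; in production this signal is combined with others (hosting-provider ASN, impossible travel, new inbox rules) rather than used on its own.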

 

Going deeper

Tycoon 2FA operated as a phishing-as-a-service platform that made advanced phishing attacks easier for criminals to execute. The service provided ready-made phishing templates, realistic login pages, and infrastructure that captured both passwords and authentication tokens during the sign-in process. Access cost about $120 for ten days or $350 for a month, lowering the barrier for attackers to launch large-scale phishing campaigns. Once attackers captured session tokens, which are temporary authentication credentials that keep a user logged in, they could access corporate email accounts without needing the password or a second factor again. In many cases, the intrusion expanded into business email compromise (BEC), in which attackers sent fraudulent invoices or payment requests from legitimate accounts, making the messages appear trustworthy to partners and vendors.

 

What was said

Steven Masada, assistant general counsel in Microsoft’s Digital Crimes Unit, said coordinated enforcement was needed to address the scale of the Tycoon 2FA threat. Referring to the takedown effort, Masada said, “Disrupting Tycoon 2FA spanned multiple jurisdictions, underscoring why sustained, coordinated pressure is essential, especially as cybercrime becomes more scalable through automation and AI.” Separately, Cloudflare explained that once attackers gained access to legitimate accounts, they could carry out additional fraud because messages appeared to come from a trusted, authenticated user. In a company blog cited by ITPro, Cloudflare wrote that “because the fraudulent request originated from a trusted, authenticated account, this multi-stage fraud model bypassed traditional email security filters.”

 

The bottom line

Research cited by SecurityInfoWatch shows that phishing operations now resemble structured marketplaces built for scale and rapid monetization. The study reviewed more than 8,600 discussions across underground forums, dark web marketplaces, and encrypted messaging platforms, finding that phishing kits have become the backbone of a service-driven cybercrime economy. About 43.8% of underground listings referenced phishing panels capable of impersonating multiple brands simultaneously, allowing attackers to run campaigns across banking, e-commerce, and payment services. Platforms such as EvilProxy and Tycoon 2FA appeared frequently in the dataset, which links them to a large share of recent credential theft and account takeover campaigns.

 

FAQs

What is phishing-as-a-service?

Phishing-as-a-service refers to criminal platforms that sell ready-to-use phishing infrastructure, allowing attackers to run credential theft campaigns without developing their own tools.

 

How does adversary-in-the-middle phishing bypass multifactor authentication?

The technique places a proxy between the victim and the real login service. When the user enters credentials and verification codes, the attacker captures them in real time and steals the authenticated session token.

 

What are session cookies and why are they valuable to attackers?

Session cookies are authentication tokens created after a successful login. If attackers capture them, they can access the account without needing the user’s password or verification code again.
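To make the two answers above concrete (how the proxy bypasses a code-based second factor, and why the session cookie is the real prize), here is an added toy simulation. It is not code from the article, from Tycoon 2FA, or from any vendor; the domains, the user, and the identity provider are fictional. A relay proxy sits between the victim and the identity provider. With password plus TOTP, the proxy relays both, the IdP issues a cookie, and the proxy keeps it. With an origin-bound WebAuthn-style assertion, the victim's browser signs the origin of the page it is actually showing, so the real IdP refuses it, and the proxy cannot rewrite the origin because it does not hold the signing key. HMAC stands in for the authenticator's asymmetric signature so the script runs on the standard library alone; the TOTP routine follows RFC 6238.

```python
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"         # the real IdP (fictional)
PHISH_ORIGIN = "https://login.example-secure.net"  # the relay proxy's domain (fictional)


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for an explicit time-step counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def sign_assertion(authenticator_key: bytes, challenge: str, page_origin: str) -> dict:
    """Browser + authenticator output: the browser fills in the origin of the page it
    actually shows, and the authenticator signs over it. HMAC stands in for the real
    asymmetric signature so this example needs only the standard library."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True)
    signature = hmac.new(authenticator_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


class IdentityProvider:
    """Toy IdP: password+TOTP login, and an origin-bound WebAuthn-style login."""

    def __init__(self):
        self.users, self.sessions = {}, {}   # sessions: cookie -> user

    def register(self, user, password, totp_secret, authenticator_key):
        self.users[user] = {"pw": password, "totp": totp_secret, "key": authenticator_key}

    def _issue_cookie(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user        # from now on the cookie alone proves identity
        return cookie

    def login_password_otp(self, user, password, otp, counter):
        rec = self.users.get(user)
        if rec and rec["pw"] == password and hmac.compare_digest(totp(rec["totp"], counter), otp):
            return self._issue_cookie(user)
        return None

    def login_webauthn(self, user, challenge, assertion):
        rec = self.users.get(user)
        if rec is None:
            return None
        expected = hmac.new(rec["key"], assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None                     # client data was altered, or wrong key
        data = json.loads(assertion["client_data"])
        if data["challenge"] != challenge or data["origin"] != LEGIT_ORIGIN:
            return None                     # signed for a different origin: refuse
        return self._issue_cookie(user)


class AitmProxy:
    """Relays whatever the victim submits on the look-alike page and keeps the cookie."""

    def __init__(self, idp):
        self.idp, self.captured, self.challenge = idp, {}, None

    def relay_password_otp(self, user, password, otp, counter):
        cookie = self.idp.login_password_otp(user, password, otp, counter)
        self.captured = {"user": user, "password": password, "otp": otp, "cookie": cookie}
        return cookie

    def start_webauthn(self):
        # The challenge the real IdP hands out; the proxy shows it on the phishing page.
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def relay_webauthn(self, user, assertion):
        cookie = self.idp.login_webauthn(user, self.challenge, assertion)
        self.captured = {"user": user, "cookie": cookie}
        return cookie


def _setup():
    idp = IdentityProvider()
    totp_secret, key = b"12345678901234567890", b"alice-authenticator-key"
    idp.register("alice", "correct horse", totp_secret, key)
    return idp, AitmProxy(idp), totp_secret, key


def run_otp_phish(counter: int = 1_700_000_000 // 30) -> dict:
    """Victim types password and the current TOTP into the proxy page; attacker replays the cookie."""
    idp, proxy, totp_secret, _ = _setup()
    cookie = proxy.relay_password_otp("alice", "correct horse", totp(totp_secret, counter), counter)
    return {"victim_logged_in": cookie is not None,
            "attacker_session_user": idp.sessions.get(proxy.captured["cookie"])}


def run_webauthn_phish() -> dict:
    """Victim's browser signs the phishing origin; the IdP refuses it, and refuses a rewrite too."""
    idp, proxy, _, key = _setup()
    challenge = proxy.start_webauthn()
    assertion = sign_assertion(key, challenge, PHISH_ORIGIN)
    cookie = proxy.relay_webauthn("alice", assertion)
    # Attacker edits the origin back to the real one but cannot re-sign without the key.
    assertion["client_data"] = json.dumps({"challenge": challenge, "origin": LEGIT_ORIGIN}, sort_keys=True)
    forged = idp.login_webauthn("alice", challenge, assertion)
    return {"victim_logged_in": cookie is not None, "forged_login": forged is not None}
```

In the OTP run the proxy never has to break anything: it forwards a valid password and a valid code and walks away with a cookie that maps to the victim. In the WebAuthn-style run the same proxy forwards a correctly signed assertion and still gets nothing, because the signed origin is the phishing domain. That origin binding, not the presence of a second factor, is what makes an authentication method phishing-resistant.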

 

Why are enterprise email accounts often targeted in these campaigns?

Corporate email accounts provide access to sensitive communications, financial workflows, and vendor relationships, making them valuable for fraud and further lateral movement.

 

Does dismantling a phishing platform stop the attacks permanently?

Takedowns disrupt infrastructure and reduce activity temporarily, but security researchers warn that operators often rebuild or migrate services to new infrastructure.
