
Born to bypass MFA: Taking down Tycoon 2FA

Mar 4, 2026

Key takeaways

  • The Tycoon 2FA phishing-as-a-service (PhaaS) platform has been widely used in phishing attacks that bypass multifactor authentication (MFA) protections in credential-harvesting campaigns at scale.
  • Tycoon 2FA was linked to over 64,000 phishing incidents and tens of thousands of domains. The platform generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations globally.
  • On March 4, 2026, Tycoon 2FA operations and infrastructure were taken offline by a partnership of law enforcement and private industry, resulting in hundreds of seized domains, including phishing pages and control panels.
  • Intel 471’s research into the PhaaS and tracking of Tycoon 2FA operators’ communications provided key insights into its operations and supported the identification of suspects and victims.

Tycoon 2FA: a dangerous phishing platform

PhaaS platforms have become a key entry point into cybercrime for less sophisticated threat actors. The services enable actors to deploy convincing scams that can fool employees and consumers into disclosing credentials, initiating unintended transactions or installing malware. PhaaS platforms provide ready-to-use phishing kits that mimic the branding and user interfaces of well-known organizations. This has helped to drive up the volume of phishing attacks that enable subsequent account takeover, fraud and network intrusions.

Tycoon 2FA is one of the largest and most active PhaaS platforms, used in large-scale credential-harvesting campaigns that bypass MFA protections. Emerging in 2023, Tycoon 2FA has been linked to over 64,000 phishing incidents and thousands of phishing domains. The platform generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals and public institutions, according to Microsoft. By mid-2025, Tycoon 2FA accounted for roughly 62% of all phishing attempts blocked by Microsoft.

The coordinated takedown of a global PhaaS platform

Intel 471 has worked with law enforcement and private industry in action coordinated by Europol’s European Cybercrime Centre (EC3), culminating in today’s takedown of Tycoon 2FA’s operations and infrastructure.

Microsoft drove the disruption of Tycoon 2FA, seizing 330 domains that formed the platform’s core infrastructure, including phishing pages and control panels. Numerous other domains were seized by law enforcement in Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom, coordinated by Europol. The alleged ringleader of Tycoon 2FA has been identified and efforts are ongoing to identify Tycoon 2FA affiliates.

The investigation began after TrendAI, a Trend Micro business unit, shared intelligence on Tycoon 2FA that was disseminated through Europol’s EC3 Advisory Groups. Intel 471 was engaged to support the investigation alongside Cloudflare, Coinbase, Microsoft, Proofpoint, Shadowserver Foundation, SpyCloud and TrendAI. Specifically, Intel 471 provided insights into the Tycoon PhaaS’ period of operation and its operators' communications, as well as investigative support to identify suspects and victims. This was the first coordinated action through Europol’s Cyber Intelligence Extension Programme (CIEP), which took the coalition of partners beyond intelligence sharing and facilitated a coordinated, cross‑border action that accelerated the disruption of Tycoon 2FA and limited further harm.

The takedown of Tycoon 2FA disrupts a key source for account takeovers and subsequent cybercrime. Tycoon 2FA illustrated how PhaaS offerings can quickly turn basic cybercrime — the collection of personal, financial and credential information — into serious large-scale account takeover, fraud and network intrusions for ransomware deployment.

Confirming the seizure, the splash screen below was displayed to all criminal customers of Tycoon 2FA. It lists the coalition of industry partners supporting the coordinated action, including Intel 471.

The image depicts the Tycoon 2FA takedown splash screen.

Journey from phishing kit to MFA bypass platform

The Tycoon PhaaS was first observed publicly in 2023 as a standard phishing kit that offered ready-made infrastructure for credential theft at scale. Threat actors could quickly set up fake login pages on domains they controlled, which harvested any usernames and passwords a victim entered. This method of stealing login data worked well in environments where MFA was absent, inconsistently deployed or weak. However, as MFA adoption increased and implementations became stronger, standard phishing kits lost their effectiveness, forcing threat actors to evolve their infrastructure.

Thus, in early 2024, Tycoon 2FA was born. This was not just a rebrand, but a functional change in capability that enabled adversary-in-the-middle (AITM) phishing attacks. The new AITM feature allowed Tycoon 2FA users to sit between the victim and the real login page during a live authentication session. Billed by its operators as the “best 2FA bypass phishing platform,” Tycoon 2FA allowed users to watch victims log in to accounts and complete two-factor authentication (2FA) in real time, then capture the active session cookie for future illicit use. The service also leveraged short-lived subdomains, obfuscated scripts and CAPTCHA controls to minimize detection and analysis from security vendors.

Intel 471’s Adversary Intelligence team investigated the tactics, techniques and procedures (TTPs) the platform’s phishing pages used to obtain 2FA codes, which often involved fake authentication pages mimicking Microsoft 365 and other cloud providers. Our analysts noted that Tycoon 2FA was sold and supported primarily through Telegram channels operated by its alleged developers — often associated with the Saad Tycoon Group or Mr_XaaD handles. Pricing followed a subscription model with short-term access starting at about US $120 to US $200 and longer licenses or premium support costing more.

Overall, the PhaaS was primarily designed to simplify and automate the generation of payloads, including attachments, email body content and URLs. Tycoon 2FA stands out among other PhaaS platforms for three reasons: rapid infrastructure rotation across multiple domains to bypass detections based on traditional indicators such as URLs, domains and content signatures; frequent updates to bypass improved defenses; and broad adoption by threat actors ranging from novices to more tenured cybercriminals.

Tycoon 2FA is a prime example of how PhaaS platforms evolved alongside advancing MFA security measures. Because the service harvested both passwords and session cookies, MFA on its own was no longer enough to prevent successful phishing attacks. Additionally, Tycoon 2FA greatly lowered the barrier of entry into this area of cybercrime since it was sold as a ready-made service. Threat actors no longer needed sophisticated technical understanding to run or participate in phishing campaigns. Tycoon 2FA was affordable, easy to use and regularly updated, enabling a wide range of threat actors — from novices to more established cybercriminals and groups. Although possible, use by nation-state-aligned actors remains uncorroborated at the time of this report.

Attack chain

The Tycoon 2FA attack chain began with the delivery of an initial lure. An attacker would send a phishing email to the target, with themes including payment confirmation, voicemail notification or court order. These emails included a malicious link or a PDF attachment containing a QR code that, when clicked or scanned, redirected victims to a malicious URL. Before being shown a fake login page, the victim was prompted to complete a CAPTCHA or Cloudflare Turnstile challenge to ensure only users of interest — namely real victims and not automated bots — proceeded.

We specifically observed that the embedded Cloudflare Turnstile challenge used different phrases across instances. Examples included: “Browser safety check running,” “Browser scanning for protection,” “Browser security check running,” “Confirming browser safety online,” “Guaranteeing connection safety verification,” “Verifying browsing safety measures” or “Verifying secure online experience.”

Figure x: The image depicts a screenshot of a Tycoon 2FA Cloudflare Turnstile challenge.

After passing the challenge, the victim was presented with a fake authentication page, often mimicking services such as Adobe, Docusign, GoDaddy, Microsoft 365, Microsoft Excel, Microsoft OneDrive, Microsoft Outlook, Microsoft SharePoint, Microsoft Word and Outlook Web Access. The page was dynamically loaded, meaning it was automatically tailored to match the target organization's official logo, fonts and colors based on the victim's email address. This resulted in a pixel-perfect replica of the target company’s specific login portal. These webpages also leveraged obfuscation, anti-debugging and anti-copy mechanisms to prevent analysis and detection.

Figure x: The images depict screenshots of the Tycoon “Sharepoint Web App” template (top) and Tycoon “Docusign” template (bottom).

The phishing page then requested login credentials as well as 2FA codes, sometimes prompting the victim to approve fraudulent authentication requests via services such as Microsoft Authenticator or through phone call-based 2FA. The page could then cycle through multiple “sections” or steps, including “Sign in,” “Enter password,” “Verify your identity,” “Approve sign in request” and “Enter code” to extract as much information as possible.

Data the victim entered was validated using regular expressions and then encrypted using the Advanced Encryption Standard (AES) algorithm before being sent to the attacker’s command-and-control (C2) server. The back-end infrastructure was typically hidden behind services like Cloudflare, and domains were often registered with privacy protection to evade detection. When a victim entered their 2FA code, Tycoon 2FA harvested the resulting session cookie, which allowed the threat actor to access the account before the victim realized anything malicious had occurred.

If the phishing attempt was successful, the victim might be redirected to a legitimate Microsoft login page or shown a fake error message to avoid suspicion. The attacker was then free to use the harvested credentials and/or session cookie for further malicious activity.

Recent developments: hybrid phishing kits

In December 2025, the malware analysis service ANY.RUN reportedly observed malware samples showing traits from two different phishing kits at once. After a sudden drop in activity from the Salty 2FA PhaaS in October 2025, the appearance of Tycoon 2FA indicators inside Salty-linked chains was observed, and eventually single payloads carrying code from both frameworks were seen. Further code-level analysis confirmed early stages matched Salty 2FA, while later stages reproduced Tycoon 2FA’s execution chain almost line-for-line.

In January 2026, reports were published regarding a credential-harvesting campaign attributed to Tycoon 2FA that repeatedly abused newly registered “.contractors” domains to deliver Gmail, Microsoft 365 and Outlook phishing pages. During the investigation, additional distinct domains were identified with the same Microsoft 365 or Outlook Tycoon 2FA lure, indicating broader infrastructure reuse beyond the initially observed “.contractors” clusters. In February 2026, ANY.RUN reported new URL patterns tied to Tycoon 2FA campaigns, along with a spike in phishing domains in less common top-level domains (TLDs).

Impact: Tycoon challenges traditional defenses

As an “as-a-service” platform, it was more difficult to determine who was behind specific attacks using Tycoon 2FA. Considering many groups and individuals likely were renting and using the same phishing kit, a single piece of infrastructure or phishing page could be shared across unrelated campaigns. As a result, traditional indicators such as URLs, domains and simple content signatures became less useful as Tycoon 2FA operators rotated infrastructure frequently and leveraged evasive techniques, further blurring attribution.

Compounding this dilemma were observations that threat actors were leveraging hybrid phishing kits that displayed characteristics of Tycoon 2FA and other kits. This mix-and-match approach of blending infrastructures, payloads and TTPs across frameworks marked a notable shift that weakened kit-specific rules, complicated identification and gave threat actors more room to slip past early detection. Overall, Tycoon 2FA highlights how PhaaS offerings quickly can turn basic cybercrime into serious large-scale account takeover, leaving organizations exposed if they rely only on traditional defense mechanisms.

Assessment, outlook

The coordinated takedown of Tycoon 2FA infrastructure is laudable. Phishing platforms operate internationally, depend on distributed infrastructure and support thousands of criminal customers. Disruption at this scale through cross-industry cooperation between law enforcement and private entities demonstrates how shared intelligence can have a real impact on underground services. Intel 471 is proud to have contributed to this collaboration and helped prevent harm to victims worldwide. The seizure of C2 domains will likely provide law enforcement agencies with excellent leads for affiliate investigations, possibly leading to arrests.

Looking ahead, organizations should adopt and implement security protocols under the assumption that AITM phishing operations will persist regardless of the degradation of Tycoon 2FA. This includes prioritizing controls that focus on attacker behavior, identity signals and session anomalies as opposed to mitigation of a specific single service or phishing kit.

Recommendations

The following recommendations aim to reduce phishing attempts and limit operational impact:

  • Enforce phishing-resistant MFA: Transition to hardware-backed security keys (e.g., YubiKey), certificate-based authentication or passkeys.
  • Strengthen session and device controls: Use Microsoft Entra Conditional Access to mandate managed device compliance and disable legacy authentication. Actively monitor for post-authentication anomalies, including impossible travel and unauthorized session hijacking.
  • Harden email and web gateways: Deploy security layers to detect AITM signatures and block known PhaaS infrastructure via domain name system (DNS)/URL filtering.
  • Ensure user awareness: Train employees to recognize unsolicited login requests and promote the use of official websites and apps over email-delivered links.
  • Proactive detection and response: Flag unauthorized mail routing rules and suspicious account-level permissions. Use Microsoft Defender for Cloud Apps to detect session cookie theft.
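As an added defensive example, not code from the Intel 471 article or from any product it names, the following Python implements the two post-authentication checks recommended above, session cookie replay (the AITM theft described in the attack chain) and impossible travel, over a constructed set of sign-in events. The event layout, the 900 km/h threshold and every value in it are assumptions made for the illustration.

```python
"""Added example: flag AITM-style session cookie replay and impossible travel
in sign-in / session-activity events. All events below are constructed."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed events: (timestamp, user, session_id, ip, user_agent, lat, lon).
EVENTS = [
    ("2026-03-04T09:00:00", "alice@example.com", "sess-A1", "203.0.113.10", "Edge/122 Windows", 52.37, 4.90),
    ("2026-03-04T09:12:00", "alice@example.com", "sess-A1", "203.0.113.10", "Edge/122 Windows", 52.37, 4.90),
    # Same session cookie presented from a different network and browser minutes later.
    ("2026-03-04T09:20:00", "alice@example.com", "sess-A1", "198.51.100.77", "Chrome/121 Linux", 40.71, -74.01),
    ("2026-03-04T10:00:00", "bob@example.com", "sess-B1", "192.0.2.5", "Safari/17 macOS", 51.51, -0.13),
    ("2026-03-04T10:30:00", "bob@example.com", "sess-B2", "192.0.2.5", "Safari/17 macOS", 51.51, -0.13),
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner speed

def _km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(events):
    """Return a list of (alert_type, user, detail) tuples, in event order."""
    alerts = []
    first_seen = {}   # session_id -> (ip, user_agent) when the session was first observed
    last_login = {}   # user -> (timestamp, lat, lon) of that user's previous event
    for ts, user, sid, ip, ua, lat, lon in sorted(events):
        t = datetime.fromisoformat(ts)
        # 1) A session token issued to one IP/browser is now presented from another.
        origin = first_seen.setdefault(sid, (ip, ua))
        if origin != (ip, ua):
            alerts.append(("session_replay", user, f"{sid}: issued to {origin[0]} ({origin[1]}), now seen from {ip} ({ua})"))
        # 2) The same user appears in two places farther apart than the elapsed time allows.
        if user in last_login:
            prev_t, plat, plon = last_login[user]
            hours = max((t - prev_t).total_seconds() / 3600.0, 1 / 3600.0)  # floor at 1 s
            speed = _km(plat, plon, lat, lon) / hours
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append(("impossible_travel", user, f"{speed:.0f} km/h between consecutive events"))
        last_login[user] = (t, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Real sign-in telemetry rarely carries coordinates directly; an IP geolocation step would feed the same check, and the IP/user-agent binding is deliberately strict so that a cookie replayed through attacker infrastructure stands out even when the user's location is unknown.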
