Tycoon 2FA
Tycoon 2FA is a phishing-as-a-service (PhaaS) platform and cybercriminal operation focused on large-scale credential harvesting and account compromise, primarily against Microsoft 365 and also Gmail. It is described as one of the largest, most active, and most prolific PhaaS platforms, and Microsoft associates it with Storm-1747. The platform emerged publicly in 2023 as a phishing kit and evolved in early 2024 into an adversary-in-the-middle (AiTM) phishing service that bypasses multifactor authentication by relaying logins and stealing session cookies in real time. The operation has targeted organizations globally, including education, healthcare, finance, life sciences, professional services, technology, and the public sector. Reported lures include voicemail notifications, payment confirmations, court orders, and code-of-conduct themed messages.

Tycoon 2FA campaigns use malicious links, PDF attachments, and QR codes, and commonly employ CAPTCHA or Cloudflare Turnstile gating, dynamically branded fake login pages, obfuscated scripts, anti-debugging and anti-analysis logic, anti-copy protections, and encrypted exfiltration of victim data to backend infrastructure. The kit validates entered data with regular expressions and encrypts it with AES before sending it to command-and-control infrastructure. Researchers also reported short-lived subdomains, privacy-protected registrations, and infrastructure hidden behind Cloudflare, followed by shifts to alternative hosting and domain registration patterns after disruption.

Recent reporting states that Tycoon 2FA operators added abuse of the OAuth 2.0 Device Authorization Grant, also described as device code phishing, to obtain Microsoft 365 access tokens without directly stealing passwords.
In these campaigns, victims are lured through layered redirects, including Trustifi click-tracking links, fake Microsoft CAPTCHA pages, encrypted payload delivery, and filtering logic such as large vendor blocklists and IP intelligence checks. Victims are then instructed to enter a code at the legitimate Microsoft device login flow on microsoft.com/devicelogin. The victim completes MFA on genuine Microsoft infrastructure, but the approval grants tokens to an attacker-controlled device. eSentire explicitly stated that this technique does not exploit a software vulnerability and does not bypass MFA directly; it changes what the MFA approval authorizes through social engineering.

Post-compromise activity tied to Tycoon 2FA has included Node.js automation and unusual user-agent strings such as "node" and "undici". Other observed Tycoon 2FA tradecraft includes use of OfficeHome and Microsoft Authentication Broker application IDs in phishing flows, continued reuse of the same AES-CBC key and IV, anti-analysis checks, domain validation logic, and backend route patterns across campaigns. After takedown activity, operators were observed shifting infrastructure, including use of Alibaba Cloud and ProxyLine-backed proxy infrastructure, while keeping the same core kit.

Tycoon 2FA was marketed as a subscription service, reportedly through Telegram channels operated by alleged developers associated with "Saad Tycoon Group" and "Mr_XaaD". It was sold as a 2FA-bypass phishing platform and widely used by independent affiliates. Reporting also notes that Tycoon 2FA affiliates may have altered the code, and that Tycoon-linked tools, code artifacts, and techniques have been redistributed across cloned deployments and competing kits including Mamba 2FA, EvilProxy, Sneaky 2FA, Whisper 2FA, and device-code phishing activity.
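The device-code and post-compromise indicators described above translate directly into a sign-in log triage rule. The following is an added example, not code from the original page or from any vendor named in it; the record layout is an assumption loosely modelled on Entra ID sign-in log fields, and every log line is constructed.

```python
"""Triage Microsoft 365 sign-in records for the indicators reported in
Tycoon 2FA device-code phishing: device-code protocol sign-ins, Node.js
automation user-agents ("node", "undici"), and the OfficeHome and
Microsoft Authentication Broker first-party apps.  Added example; the
field names are an assumption and the sample events are constructed."""
import json

# Constructed sample sign-in events in JSON-lines form (not real telemetry).
SAMPLE_LOG = """
{"user":"a.user@example.com","app":"Microsoft Authentication Broker","protocol":"deviceCode","userAgent":"node","ip":"203.0.113.10"}
{"user":"b.user@example.com","app":"OfficeHome","protocol":"ropc","userAgent":"undici","ip":"198.51.100.7"}
{"user":"c.user@example.com","app":"Office 365 Exchange Online","protocol":"none","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","ip":"192.0.2.5"}
{"user":"d.user@example.com","app":"OfficeHome","protocol":"deviceCode","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","ip":"192.0.2.9"}
"""

# User-agent strings reported in post-compromise Tycoon 2FA activity.
SUSPICIOUS_UA = {"node", "undici"}
# Application display names reported in Tycoon 2FA phishing flows.
WATCHED_APPS = {"officehome", "microsoft authentication broker"}


def score_event(ev: dict) -> list[str]:
    """Return the indicators a single sign-in event matches (empty = nothing)."""
    reasons = []
    if ev.get("protocol") == "deviceCode":
        reasons.append("device-code sign-in")
    if ev.get("userAgent", "").strip().lower() in SUSPICIOUS_UA:
        reasons.append(f"automation user-agent '{ev.get('userAgent')}'")
    if ev.get("app", "").lower() in WATCHED_APPS:
        reasons.append(f"first-party app '{ev.get('app')}'")
    return reasons


def find_suspicious(log_text: str, min_hits: int = 2) -> list[dict]:
    """Parse JSON-lines sign-in records and return those matching at least
    min_hits indicators.  A device-code sign-in is surfaced on its own as
    well, because ordinary users rarely authenticate that way."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        reasons = score_event(ev)
        if len(reasons) >= min_hits or "device-code sign-in" in reasons:
            hits.append({"user": ev["user"], "ip": ev["ip"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

In a real tenant the same logic applies to exported sign-in logs; pair a device-code hit with a check of which device the token was issued to, since the victim's own MFA approval is what authorised it.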
A coordinated disruption operation led by Microsoft and Europol in March 2026 seized 330 domains forming Tycoon 2FA's core infrastructure, including phishing pages and control panels, with support from multiple industry partners. Despite this, reporting indicates the operators preserved the core codebase, resumed operations quickly, and remained active after the takedown, albeit at reduced volume. Reporting consistently characterizes Tycoon 2FA as a major cybercriminal PhaaS ecosystem rather than a nation-state actor.
Recent activity
Operating a phishing-as-a-service campaign that uses OAuth device code phishing to obtain OAuth tokens from users protected by MFA by abusing Microsoft's legitimate device-login flow.
Operating a phishing-as-a-service campaign targeting Microsoft 365 users, evolving from credential-relay phishing to OAuth Device Code abuse to steal access tokens without capturing passwords.
Operators of a phishing-as-a-service platform associated with credential harvesting campaigns and infrastructure changes after disruption efforts; observed hosting phishing endpoints and supporting AiTM-style phishing activity.
A phishing-as-a-service operation using adversary-in-the-middle proxying to bypass MFA, capture session cookies in real time, and enable large-scale account compromise. Despite infrastructure takedown, cloned code, independent affiliate use, and residual campaigns continue.