Tycoon2FA
Tycoon2FA is a phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) phishing kit that emerged in August 2023 and became one of the most widespread MFA-bypass platforms. Microsoft tracks the developer/operator as Storm-1747. The platform has been used at global scale against more than 500,000 organizations across sectors including education, healthcare, finance, non-profit, and government, with campaigns focused heavily on Microsoft 365 and also impersonating services such as OneDrive, Outlook, SharePoint, Gmail, and Google. Prior to a Europol-linked disruption in March 2026, it was described as the most prolific AiTM platform on the market and responsible for roughly 62% of AiTM phishing attempts Microsoft was blocking monthly.
Tycoon2FA captures user credentials and steals authenticated session cookies/tokens by proxying the real login flow, allowing attackers to bypass common MFA methods including SMS codes, one-time passcodes, and push notifications. Reported post-compromise access can persist after password resets unless active sessions and tokens are explicitly revoked. The kit has also resurfaced with support for Microsoft 365 device-code phishing, abusing the OAuth 2.0 device authorization grant flow to trick victims into entering attacker-supplied codes on Microsoft’s legitimate device login page, resulting in OAuth tokens being issued to the attacker’s rogue device.
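The two behaviours the paragraph above describes, session-token replay and device-code sign-ins, both leave a trace in identity sign-in logs. The following detection sketch is an added example, not code from Mallory or from any vendor report: it runs over constructed Entra ID-style sign-in records and flags (1) sign-ins that used the OAuth device code flow and (2) a session ID reused from a different IP address or user agent shortly after it was first seen, which is what a stolen session cookie looks like when the attacker replays it. Field names (`createdDateTime`, `ipAddress`, `userAgent`, `sessionId`, `authenticationProtocol`) follow the Microsoft Graph `signIn` resource; the records themselves are constructed.

```python
"""Flag two AiTM-style patterns in constructed Entra ID sign-in records.

Added example, not Mallory's or any vendor's code. Field names follow the
Microsoft Graph signIn resource; the sample records are constructed and use
TEST-NET addresses, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real users, tenants or addresses).
SAMPLE_SIGNINS = [
    {"id": "s-1", "userPrincipalName": "alice@example.com",
     "createdDateTime": "2026-03-02T10:00:00Z", "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/122",
     "sessionId": "sess-1", "authenticationProtocol": "none"},
    # Same session twelve minutes later from a new IP with a non-browser
    # user agent: the shape of a replayed session token.
    {"id": "s-2", "userPrincipalName": "alice@example.com",
     "createdDateTime": "2026-03-02T10:12:00Z", "ipAddress": "198.51.100.77",
     "userAgent": "python-requests/2.31",
     "sessionId": "sess-1", "authenticationProtocol": "none"},
    # Sign-in completed through the OAuth 2.0 device authorization grant.
    {"id": "s-3", "userPrincipalName": "bob@example.com",
     "createdDateTime": "2026-03-02T11:00:00Z", "ipAddress": "203.0.113.20",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/122",
     "sessionId": "sess-2", "authenticationProtocol": "deviceCode"},
    # Benign: same session, same IP and user agent, thirty minutes apart.
    {"id": "s-4", "userPrincipalName": "carol@example.com",
     "createdDateTime": "2026-03-02T12:00:00Z", "ipAddress": "203.0.113.30",
     "userAgent": "Mozilla/5.0 (Macintosh) Safari/17",
     "sessionId": "sess-3", "authenticationProtocol": "none"},
    {"id": "s-5", "userPrincipalName": "carol@example.com",
     "createdDateTime": "2026-03-02T12:30:00Z", "ipAddress": "203.0.113.30",
     "userAgent": "Mozilla/5.0 (Macintosh) Safari/17",
     "sessionId": "sess-3", "authenticationProtocol": "none"},
]


def parse_ts(value: str) -> datetime:
    """Parse the Graph-style UTC timestamp used in the records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_signins(records) -> list:
    """Return ids of sign-ins that completed via the device code flow.

    Worth reviewing on its own: most users never need this flow, and the
    Tycoon2FA variant described above lures victims into it deliberately.
    """
    return [r["id"] for r in records
            if r.get("authenticationProtocol") == "deviceCode"]


def find_session_replays(records, window_minutes: int = 60) -> list:
    """Return later sign-ins that reuse a session ID from a different IP or
    user agent within window_minutes of the session's first sign-in."""
    by_session = defaultdict(list)
    for r in records:
        by_session[(r["userPrincipalName"], r["sessionId"])].append(r)

    findings = []
    for (upn, sid), events in by_session.items():
        events.sort(key=lambda r: parse_ts(r["createdDateTime"]))
        first = events[0]
        for later in events[1:]:
            age_min = (parse_ts(later["createdDateTime"])
                       - parse_ts(first["createdDateTime"])).total_seconds() / 60
            changed_origin = (later["ipAddress"] != first["ipAddress"]
                              or later["userAgent"] != first["userAgent"])
            if age_min <= window_minutes and changed_origin:
                findings.append({
                    "id": later["id"], "user": upn, "sessionId": sid,
                    "firstIp": first["ipAddress"], "replayIp": later["ipAddress"],
                    "minutesAfterFirst": age_min,
                })
    return findings


if __name__ == "__main__":
    print("device code sign-ins:", find_device_code_signins(SAMPLE_SIGNINS))
    for hit in find_session_replays(SAMPLE_SIGNINS):
        print("possible session replay:", hit)
```

A hit from `find_session_replays` is the point at which the paragraph's mitigation applies: a password reset alone leaves the replayed session valid, so the response must also revoke the user's sessions and refresh tokens. The window and the IP/user-agent comparison are deliberately simple; in production you would compare ASN or country rather than raw IP to avoid noise from mobile carriers.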
Observed delivery commonly uses phishing emails with attachments such as .svg, .pdf, .html, or .docx, often embedding QR codes or JavaScript. One reported device-code phishing chain began with a lure email containing a Trustifi click-tracking URL, followed by multiple redirection and obfuscation layers and a fake Microsoft CAPTCHA page before prompting for the device code. Tycoon2FA infrastructure has also been hosted through trusted cloud services and redirect chains involving Azure Blob Storage, Google Firebase, AWS, Wix, TikTok, Google resources, and Cloudflare Workers, with most hosting observed behind Cloudflare.
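Because the paragraph above names .svg attachments carrying JavaScript as a common delivery vehicle, a mail gateway or triage script can screen SVG files for active content before they reach a mailbox. The following is an added example, not Mallory's or any vendor's code: it parses an SVG with the standard library and reports, in document order, `<script>` and `<foreignObject>` elements, `on*` event-handler attributes, and `javascript:` or `data:` hrefs. Both SVG documents in the block are constructed samples; the script body is only a comment.

```python
"""Screen an SVG attachment for active content.

Added example, not Mallory's or any vendor's code. The two SVG documents
below are constructed samples with no working payload.
"""
import xml.etree.ElementTree as ET

# Constructed lure-style SVG: event handler on the root, a script element
# and a javascript: link. The script body is a placeholder comment only.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="400" height="300" onload="start()">
  <text x="20" y="40">Voice message received - click to listen</text>
  <script>/* constructed placeholder, no payload */</script>
  <a xlink:href="javascript:void(0)"><text x="20" y="80">Open</text></a>
</svg>"""

# Constructed benign SVG: static shapes only.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="steelblue"/>
</svg>"""


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def svg_active_content(svg_bytes: bytes) -> list:
    """Return a list of findings describing active content in the SVG.

    An empty list means no script elements, event handlers, script URIs or
    embedded HTML containers were found. A document that does not parse is
    reported as a finding too, since a gateway should not pass it silently.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]

    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        # <script> runs directly; <foreignObject> can wrap arbitrary HTML.
        if tag.lower() in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                # onload, onclick, onbegin, ... all execute script.
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(
                    ("javascript:", "data:")):
                scheme = value.strip().split(":", 1)[0]
                findings.append(f"{scheme}: URI on <{tag}>")
    return findings


if __name__ == "__main__":
    for label, doc in (("lure", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", svg_active_content(doc) or "clean")
```

Treating any non-empty result as a quarantine signal is a reasonable default: legitimate SVG attachments in mail rarely need scripting, and the QR-code variant mentioned above carries no script at all, so this check complements rather than replaces URL and QR analysis.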
The kit includes substantial defense evasion and anti-analysis features, including anti-bot screening, browser fingerprinting, heavy obfuscation, custom JavaScript, dynamic decoy pages, self-hosted or rotating CAPTCHA challenges, blocking of copy/paste and right-click, detection of tools such as PhantomJS and Burp Suite, disabling developer-tool shortcuts, and protections intended to block researchers, security vendors, and automated scanners. Infrastructure evolved toward short-lived, rapidly rotating campaign domains and subdomains, often using low-friction TLDs and readable subdomain naming to reduce suspicion and frustrate blocklisting.
Tycoon2FA is sold via criminal channels including Telegram and Signal and provides a web-based administration panel for configuring campaigns, templates, lure attachments, redirect logic, domain and hosting settings, victim tracking, and viewing/downloading captured credentials and session cookies. The panel can generate EML files, PDFs, and QR codes, and stolen data may be forwarded to Telegram for near-real-time monitoring. Exfiltration of captured credentials and session tokens has been reported over encrypted channels, often via Telegram bots.
Researchers also reported hybrid payloads blending Salty2FA and Tycoon2FA, where early stages matched Salty2FA and later stages reproduced Tycoon2FA’s execution chain nearly line-for-line, complicating attribution and weakening kit-specific detections. Reported indicators and traits include Tycoon2FA-specific DOM structure and CDN patterns, DGA-generated domains tied to fast-flux-style infrastructure, Cloudflare Workers domains such as 1otyu7944x8[.]workers[.]dev and xm65lwf0pr2e[.]workers[.]dev, and the Cloudflare Pages domain lapointelegal-portail[.]pages[.]dev.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Following its emergence in August 2023, Tycoon2FA rapidly became one of the most widespread phishing-as-a-service (PhaaS) platforms... provided adversary-in-the-middle (AiTM) capabilities that allowed even less skilled threat actors to bypass multifactor authentication (MFA)... by intercepting session cookies generated during the authentication process, simultaneously capturing user credentials.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Initial Access
5 techniques
Once the CAPTCHA had been successfully completed, the user would then be shown a fake sign-in page used to compromise their account credentials... users were presented with a CAPTCHA challenge before being directed to a fraudulent sign-in page designed to harvest account credentials.
Post-disruption campaigns also used URL shortener services, links inside legitimate presentation platforms, and compromised SharePoint environments from trusted contacts to redirect targets toward Tycoon2FA infrastructure.
Kali365 has emerged as one of the more prominent examples of a device code phishing kit in recent months. Device code phishing abuses the authentication workflow used by smart TVs, printers, and other devices when they lack a full browser or keyboard and require users to log in via a separate device.
Attackers sent emails carrying SVG file attachments with names crafted to match the email theme, such as fake invoice notices, payment alerts, 401K update reminders, and voice message notifications.
Overall, 78% of email threats were link-based... This shift toward link-based delivery, combined with the payload trends, suggests that threat actors increasingly preferred hosted credential phishing infrastructure over locally-rendered payloads as the quarter progressed.
Execution
1 technique
Threat actors use CAPTCHA pages to delay detection and increase user interaction... By forcing users to engage with the CAPTCHA before accessing the payload, threat actors reduce the likelihood of automated scanning tools identifying the threat and increase the chances of successful credential harvesting or malware delivery.
Persistence
2 techniques
Privilege Escalation
1 technique
Stealth
4 techniques
The attack chain involves a lure email with a Trustifi click-tracking URL, which redirects through multiple layers of obfuscation before presenting a fake Microsoft CAPTCHA page. The kit incorporates robust anti-analysis measures, blocking researchers, security vendors, and automated scanning tools.
The group behind the PhaaS platform... sells phishing kits that impersonate various enterprise application sign-in pages... Once the CAPTCHA had been successfully completed, the user would then be shown a fake sign-in page used to compromise their account credentials.
“anti-bot screening, browser fingerprinting… actively checking for analysis environments or browser automation… Detecting or blocking automated inspection… (for example, PhantomJS, Burp Suite) … If analysis was suspected… redirected to a legitimate decoy site or threw a 404 error.”
Defense Impairment
1 technique
Credential Access
6 techniques
Once the user completed the fake check, they were redirected to a spoofed sign-in page designed to steal their account credentials.
Tycoon2FA has rapidly become one of the most widespread PhaaS platforms, leveraging adversary-in-the-middle (AiTM) techniques to attempt to defeat non-phishing-resistant multifactor authentication (MFA) defenses.
“Attackers could then access sensitive data and establish persistence by… registering new authenticator apps…”
Discovery
1 technique
Lateral Movement
1 technique
Collection
3 techniques
Command and Control
1 technique
Exfiltration
1 technique
Impact
1 technique
Other
1 technique
“Validating and filtering incoming traffic… Suspicious user agent profiling… When the campaign infrastructure encountered an unexpected or invalid server response (for example, a geolocation outside the allowed targeting zone), the kit replaced phishing content with a decoy page…”
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A prolific adversary-in-the-middle phishing platform used to steal authenticated sessions and bypass normal MFA protections.
Tycoon2FA is a phishing kit used to compromise Microsoft 365 accounts by abusing OAuth 2.0 device authorization grant flows. It tricks victims into entering a device code on Microsoft's legitimate login page, resulting in OAuth tokens being issued to the attacker. The kit also uses layered obfuscation and anti-analysis measures to evade researchers, security vendors, and automated scanning tools.
AiTM phishing kit/PhaaS platform used to impersonate Microsoft 365/Outlook/OneDrive/SharePoint/Gmail sign-in flows, relay credentials and MFA challenges to the legitimate service, and steal session cookies/tokens to enable account takeover and persistence even after password resets (unless sessions/tokens are revoked). Includes extensive evasion (custom CAPTCHAs, fingerprinting, obfuscation, redirect chains) and campaign management via a web admin panel; exfiltration commonly via Telegram bots.
Adversary-in-the-middle phishing kit hosted on major cloud platforms to capture enterprise credentials while abusing trusted domains for evasion.