Tycoon 2FA Takedown: How AiTM Phishing Bypasses MFA at Scale — and What Actually Stops It

A coalition of law enforcement agencies and private companies has dismantled Tycoon 2FA — the adversary-in-the-middle phishing platform responsible for over 64,000 phishing incidents, 96,000 victims globally, and 30 million malicious emails in a single month at peak. The developer has been arrested. But the technique the service relied on is very much alive, and most MFA implementations don't stop it.

What Happened

On March 4–5, 2026, a coordinated public-private operation led by Europol seized 330 domains forming the backbone of Tycoon 2FA — a phishing-as-a-service platform that had been operating since August 2023. The operation involved Europol, Microsoft, Coinbase, Intel471, Cloudflare, Proofpoint, SpyCloud, and Trend Micro.

The alleged primary developer — Saad Fridi, based in Pakistan — has been arrested. Europol described Tycoon 2FA as "one of the largest phishing operations worldwide."

Microsoft, which tracks the operators under the designation Storm-1747, confirmed that the platform was the most prolific AiTM phishing operation it observed in 2025, blocking over 13 million malicious emails linked to the service in October 2025 alone. At peak, Tycoon 2FA accounted for approximately 62% of all AiTM phishing attempts blocked by Microsoft — and in a single month generated over 30 million phishing emails.

Intel471 linked the kit to over 64,000 phishing incidents and confirmed 96,000 distinct victims globally since 2023. More than 55,000 of those were Microsoft customers. Europol noted the platform's reach extended to schools, hospitals, and public institutions across multiple countries.

The service was sold via Telegram and Signal. Pricing was $120 for 10 days of access, or $350 per month for access to a full web-based administration panel. Approximately 2,000 paying operator subscribers were running campaigns at the service's peak.

How AiTM Phishing Works — and Why It Bypasses TOTP and SMS MFA

This is the part that matters for defenders. Tycoon 2FA didn't break MFA cryptographically. It proxied the authentication session in real time.

Adversary-in-the-Middle (AiTM) phishing works like this:

  1. The victim receives a convincing phishing email impersonating Microsoft 365, Gmail, SharePoint, or OneDrive
  2. Clicking the link takes them to a Tycoon 2FA phishing page that acts as a reverse proxy to the legitimate service
  3. The victim enters their username and password — the proxy passes this to the real service and receives a real authentication challenge
  4. The victim receives their legitimate MFA prompt (SMS code, TOTP from an authenticator app) and enters it on what they think is the real sign-in page
  5. The proxy captures the MFA code and forwards it to the real service in real time, completing the authentication
  6. The attacker captures the resulting session cookie — and at this point the MFA code is irrelevant. The session is already authenticated.

This is why SMS one-time codes and TOTP authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) don't protect against AiTM attacks. By the time the code is used, the attacker already has the session. Even if you rotate your password immediately after, the session cookie remains valid until explicitly revoked or expired.

Tycoon 2FA's panel allowed operators to download captured credentials, MFA codes, and session cookies directly, or forward them to a Telegram channel for near-real-time monitoring. A victim's Microsoft 365 account could be accessed within seconds of the phishing interaction completing.

The Evasion Stack That Made Tycoon 2FA Hard to Take Down

What made Tycoon 2FA particularly resilient wasn't just the scale — it was the deliberate anti-detection engineering baked into the platform. Operators weren't just running a phishing page; they were running a sophisticated evasion infrastructure.

  • Short-lived domains: Phishing pages used FQDNs with a 24–72 hour lifespan, rotating before threat intelligence feeds could ingest and propagate blocklists
  • Cloudflare abuse: Domains were hosted behind Cloudflare — using the CDN's reputation to bypass email security and proxy detection, and using Cloudflare Workers to add a layer of serverless code execution that complicated takedown requests
  • Browser fingerprinting: The phishing page fingerprinted the visitor before serving malicious content — checking for headless browsers, security scanners, and known research IP ranges
  • Anti-bot screening: Self-hosted CAPTCHA challenges filtered automated crawlers
  • Keystroke monitoring: Captured typing cadence and behaviour to distinguish real victims from security tools
  • Heavy obfuscation: Custom JavaScript made static analysis of the phishing kit difficult
  • Redirect logic: Multi-hop redirect chains made link tracing time-consuming

The combination of short-lived infrastructure and legitimate CDN hosting meant that blocklist-based defences consistently lagged behind deployments. By the time a domain was flagged and propagated to endpoint security products, it was already rotating.

What the Platform Offered Operators

Tycoon 2FA was genuinely a business — not just a tool. The admin panel was described as a configurable campaign management system with:

  • Pre-built phishing templates for Microsoft 365, OneDrive, SharePoint, and Gmail
  • Attachment configuration (lure formats: fake invoices, shared documents, security alerts)
  • Domain and hosting configuration
  • Redirect logic per campaign
  • Real-time victim tracking — valid vs. invalid sign-in attempts
  • Credential, MFA code, and session cookie exfiltration to Telegram or direct panel download

For $350/month, a subscriber with zero technical skill could run a professional-grade MFA-bypass phishing campaign against any Microsoft 365 organisation. That's the business model of PhaaS: make sophisticated attacks accessible to the long tail of low-skill cybercriminals.

What Actually Stops AiTM Attacks

Given that SMS OTP and TOTP are vulnerable to AiTM by design, the question for defenders is: what authentication mechanism is actually phishing-resistant?

The answer is FIDO2 passkeys and hardware security keys. Here's why:

FIDO2 authentication is cryptographically bound to the origin of the authentication request. When you sign in using a YubiKey 5C NFC or similar hardware key, the cryptographic assertion includes the exact domain you're authenticating to. A phishing proxy operating at m1crosoft-signin.cloudflare-workers.app can't replay the assertion to login.microsoftonline.com — the origins don't match, and the authentication fails.

This is the fundamental security property that makes FIDO2 keys the only MFA mechanism that is truly phishing-resistant. The YubiKey 5 series — whether the 5C NFC (USB-C) for modern laptops or the YubiKey 5 NFC (USB-A) for legacy hardware — supports FIDO2, U2F, PIV, OTP, and OATH. All major identity providers including Microsoft Entra ID, Google Workspace, and Okta support FIDO2 hardware keys.
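To make the difference between the relayed-code flow in the numbered steps above and the origin-binding property just described concrete, here is an added illustration (not Tycoon 2FA code, and not a WebAuthn library). It models a TOTP check and a WebAuthn assertion check side by side: the service that verifies a TOTP code sees only six digits and cannot know they were typed into a proxy, whereas the relying party verifying a FIDO2 assertion finds the browser-supplied origin inside the signed data and rejects a mismatch. Assumptions: the authenticator's signature is stood in for by HMAC-SHA256 over the same bytes a real authenticator signs (real credentials use ECDSA or EdDSA keys), the seed and challenge values are constructed, and `m1crosoft-signin.cloudflare-workers.app` is the article's own illustrative proxy host.

```python
"""Added illustration: why a relayed TOTP code verifies at the real service but a
relayed FIDO2 assertion does not. Simplified model, not a WebAuthn implementation."""
import base64
import hashlib
import hmac
import json
import struct

# ---- TOTP (RFC 6238 shape: HMAC-SHA1, 30 s step, 6 digits) ----
def totp(seed: bytes, unix_time: int) -> str:
    counter = struct.pack(">Q", unix_time // 30)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"

def service_verify_totp(seed: bytes, code: str, unix_time: int) -> bool:
    # The service sees six digits and nothing else: it cannot tell whether the
    # victim typed them into the real page or into a proxy that relayed them.
    return hmac.compare_digest(code, totp(seed, unix_time))

def totp_relay_succeeds(unix_time: int = 1_700_000_000) -> bool:
    seed = b"constructed-victim-seed"                       # constructed value
    code_typed_into_phishing_page = totp(seed, unix_time)   # from the victim's authenticator app
    return service_verify_totp(seed, code_typed_into_phishing_page, unix_time)  # proxy forwards it

# ---- FIDO2 / WebAuthn assertion (simplified) ----
RP_ID = "login.microsoftonline.com"
REAL_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://m1crosoft-signin.cloudflare-workers.app"  # the article's illustrative proxy host

def browser_client_data(challenge: str, origin: str) -> bytes:
    # The browser, not the page's JavaScript, writes the origin it is actually
    # connected to into clientDataJSON. A phishing page cannot override it.
    # (A real browser would already refuse a request for rpId login.microsoftonline.com
    # from the phishing origin; the RP-side check below is an independent second failure.)
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

def authenticator_assert(cred_key: bytes, rp_id: str, client_data: bytes):
    # authenticatorData = SHA-256(rpId) || flags || signCount. The signature covers
    # authenticatorData || SHA-256(clientDataJSON), so the origin is inside the signed data.
    # HMAC stands in for the private-key signature (assumption, see lead-in).
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed_bytes = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred_key, signed_bytes, hashlib.sha256).digest()

def rp_verify(cred_key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes):
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "type/challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"

CRED_KEY = b"constructed-credential-key"                                  # constructed value
CHALLENGE = base64.urlsafe_b64encode(b"constructed-rp-challenge").rstrip(b"=").decode()

def fido2_login(origin_user_is_on: str):
    """One assertion with the browser on the given origin. A proxy relays the RP's
    challenge verbatim, exactly as it relays a TOTP code, yet the result differs."""
    client_data = browser_client_data(CHALLENGE, origin_user_is_on)
    auth_data, sig = authenticator_assert(CRED_KEY, RP_ID, client_data)
    return rp_verify(CRED_KEY, CHALLENGE, client_data, auth_data, sig)

def fido2_relay_with_forged_client_data():
    """Swapping in a clientDataJSON that claims the real origin does not help the proxy:
    the authenticator signed the hash of the original clientDataJSON, so the signature fails."""
    phish_cd = browser_client_data(CHALLENGE, PHISH_ORIGIN)
    auth_data, sig = authenticator_assert(CRED_KEY, RP_ID, phish_cd)
    forged_cd = browser_client_data(CHALLENGE, REAL_ORIGIN)
    return rp_verify(CRED_KEY, CHALLENGE, forged_cd, auth_data, sig)

if __name__ == "__main__":
    print("TOTP relay accepted by service:", totp_relay_succeeds())
    print("FIDO2 from real origin:", fido2_login(REAL_ORIGIN))
    print("FIDO2 via phishing origin:", fido2_login(PHISH_ORIGIN))
    print("FIDO2 with forged clientData:", fido2_relay_with_forged_client_data())
```

The two outcomes that matter are the last two: the proxy cannot change the origin the browser recorded, and it cannot rewrite clientDataJSON afterwards without breaking the signature. That is the whole of the "origins don't match" property, and it holds regardless of which proxy service is in the middle.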

Conditional Access policies in Microsoft Entra can be configured to require phishing-resistant MFA (FIDO2 or certificate-based auth) for all sign-ins. If your organisation is still accepting TOTP or SMS as valid MFA factors for cloud access, you're relying on a mechanism that Tycoon 2FA — and every AiTM service that follows — is explicitly designed to bypass.

Practical hardening checklist:

  • Enable Microsoft Entra's Authentication Strengths policy and create a "Phishing-Resistant MFA" strength requiring FIDO2 or certificate-based auth
  • Audit token lifetimes — shorten session cookie validity for high-privilege accounts
  • Enable Continuous Access Evaluation to allow near-real-time session revocation
  • Deploy Microsoft Defender for Office 365 safe links with real-time URL detonation (note: short-lived domains reduce effectiveness, but it catches a proportion)
  • Configure Conditional Access to block legacy authentication protocols entirely — they can't support modern MFA at all
  • Enable sign-in risk and user risk policies in Microsoft Entra ID Protection — session cookie replay from an unusual location can trigger revocation
  • Educate users: the presence of a CAPTCHA or a convincing Microsoft sign-in page does not mean the site is legitimate
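The first and fifth checklist items above (require a phishing-resistant authentication strength; block legacy authentication) are the two that can be checked mechanically against an export of your Conditional Access policies. The following is an added example, not the article's or Microsoft's code, that audits a list of policies in the Microsoft Graph `conditionalAccessPolicy` shape (as returned by `/identity/conditionalAccess/policies`) and shows the weak tenant state beside the corrected one. Assumptions: the sample policies are constructed; `PHISHING_RESISTANT_MFA_ID` is the built-in "Phishing-resistant MFA" authentication strength ID as documented by Microsoft and should be confirmed in your own tenant; custom authentication strengths are flagged for manual review rather than judged automatically.

```python
"""Added example: audit exported Conditional Access policies for grants that
still accept AiTM-phishable MFA (TOTP/SMS) and for a legacy-auth block."""

PHISHING_RESISTANT_MFA_ID = "00000000-0000-0000-0000-000000000004"  # built-in strength; confirm in tenant
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}             # Graph clientAppTypes for legacy auth

def ca_policy(name, client_app_types, built_in=None, strength_id=None, state="enabled"):
    """Small builder so the constructed sample policies below stay readable."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": client_app_types,
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": built_in or [],
            "authenticationStrength": {"id": strength_id} if strength_id else None,
        },
    }

# Constructed samples: the weak tenant state and the hardened one.
WEAK_TENANT = [
    # "mfa" as a built-in control accepts any registered method, SMS and TOTP included.
    ca_policy("Require MFA for all users", ["all"], built_in=["mfa"]),
]
HARDENED_TENANT = [
    ca_policy("Require phishing-resistant MFA", ["browser", "mobileAppsAndDesktopClients"],
              strength_id=PHISHING_RESISTANT_MFA_ID),
    ca_policy("Block legacy authentication", ["exchangeActiveSync", "other"], built_in=["block"]),
]

def accepts_phishable_mfa(policy) -> bool:
    """True when an enabled policy grants access on MFA that an AiTM proxy can relay."""
    if policy.get("state") != "enabled":
        return False
    gc = policy.get("grantControls") or {}
    built_in = gc.get("builtInControls") or []
    strength = gc.get("authenticationStrength") or {}
    if "block" in built_in:
        return False
    if strength.get("id") == PHISHING_RESISTANT_MFA_ID:
        return False
    # Any other strength (built-in "Multifactor authentication", or a custom one whose
    # allowedCombinations you have not reviewed) is treated as phishable until proven otherwise.
    return "mfa" in built_in or bool(strength)

def blocks_legacy_auth(policies) -> bool:
    """True when some enabled policy blocks both legacy clientAppTypes outright."""
    for p in policies:
        if p.get("state") != "enabled":
            continue
        gc = p.get("grantControls") or {}
        apps = set((p.get("conditions") or {}).get("clientAppTypes") or [])
        if "block" in (gc.get("builtInControls") or []) and LEGACY_CLIENT_APP_TYPES <= apps:
            return True
    return False

def audit_policies(policies) -> dict:
    return {
        "phishable_mfa_grants": [p["displayName"] for p in policies if accepts_phishable_mfa(p)],
        "legacy_auth_blocked": blocks_legacy_auth(policies),
    }

if __name__ == "__main__":
    print("weak tenant:    ", audit_policies(WEAK_TENANT))
    print("hardened tenant:", audit_policies(HARDENED_TENANT))
```

Run it against the `value` array of a real policy export and treat every name in `phishable_mfa_grants` as a policy that Tycoon 2FA's successors would sail through; a `legacy_auth_blocked` of `False` means a protocol path exists on which no modern MFA can be enforced at all.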

Why This Takedown Is Significant — and Why It Won't Be the Last

The Tycoon 2FA operation is the largest PhaaS takedown of 2026 so far. The coalition assembled — law enforcement (Europol), the primary targeted platform (Microsoft), the CDN being abused (Cloudflare), a financial intelligence firm (Coinbase), and four specialised security vendors — reflects the kind of coordinated public-private response that's increasingly necessary for dismantling infrastructure at this scale.

Seizing 330 domains is a significant disruption, and the arrest of the alleged primary developer disrupts the development pipeline. But the criminal market for AiTM capabilities doesn't disappear with one service. Competitors such as EvilProxy, Modlishka, and Evilginx have been operating for years, and new services targeting the same gap will emerge. The PhaaS model works because there's sustained demand from low-skill actors who want to bypass MFA without understanding the underlying cryptography.

The Proofpoint data point is the one worth sitting with: at peak, Tycoon 2FA accounted for 62% of all AiTM phishing attempts they observed. That's not a marginal product — that was the market. A successful operation removes that market leader, but the market remains.

The defensive posture that survives this cycle isn't "block this specific service" — it's "implement authentication that is structurally resistant to AiTM, regardless of which service is running the proxy." That means FIDO2. Everything else is playing whack-a-mole.

For Security Professionals: Hunting for Post-Compromise AiTM Activity

If you're a defender wondering whether your organisation was hit before this takedown, the key indicator class is session cookie replay from unusual locations or impossible travel. Tycoon 2FA captured sessions in real time — defenders should look for:

  • Successful sign-ins from IP addresses inconsistent with the user's typical geography, immediately following a legitimate authentication from their known location
  • Sign-in events with no corresponding MFA event in the audit log (indicating the session was replayed, not freshly authenticated)
  • Anomalous token issuance for refresh tokens — especially long-lived refresh tokens issued post-initial-auth
  • Email forwarding rule additions or inbox rule changes within minutes of an unusual sign-in (a common post-compromise step for business email compromise)
  • OAuth application consent grants from unfamiliar applications shortly after initial access

Microsoft's Entra ID sign-in logs with the risky sign-in classification will surface many of these automatically, but manual review of the specific Tycoon 2FA victim window (August 2023 through March 5, 2026) is warranted for any organisation in the 55,000+ Microsoft customer victim set.
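The first, second, and fourth indicators in the list above can be turned into a correlation rule: a successful sign-in with no fresh MFA event, from a different country than the user's last MFA-backed sign-in and within a short window of it, followed by a mailbox rule change. The following is an added example, not the article's or Microsoft's code, that runs that logic over a handful of constructed records. Assumptions: the record shape (`user`, `time`, `ip`, `country`, `mfa_performed`, `success`, and `operation`/`detail` for audit events) is a simplified stand-in for the Entra sign-in and audit log schemas, the IPs and users are constructed, and the 60-minute and 15-minute windows are tunable starting points rather than tested thresholds.

```python
"""Added example: correlate sign-in and audit records to surface the session-replay
pattern described above. Constructed sample data in a simplified, assumed schema."""
from datetime import datetime, timedelta

SIGNINS = [  # constructed sample data
    {"user": "alice@example.com", "time": "2026-02-10T09:00:00Z", "ip": "203.0.113.10",
     "country": "GB", "mfa_performed": True, "success": True},
    # 3.5 minutes later: success, no MFA event, different country -> replayed session
    {"user": "alice@example.com", "time": "2026-02-10T09:03:30Z", "ip": "198.51.100.77",
     "country": "NL", "mfa_performed": False, "success": True},
    {"user": "bob@example.com", "time": "2026-02-10T10:00:00Z", "ip": "203.0.113.11",
     "country": "GB", "mfa_performed": True, "success": True},
    # token reuse from the same device an hour later: expected, not flagged
    {"user": "bob@example.com", "time": "2026-02-10T11:00:00Z", "ip": "203.0.113.11",
     "country": "GB", "mfa_performed": False, "success": True},
]
AUDIT = [  # constructed sample data
    {"user": "alice@example.com", "time": "2026-02-10T09:05:10Z",
     "operation": "New-InboxRule", "detail": "ForwardTo external"},
    {"user": "bob@example.com", "time": "2026-02-10T12:30:00Z",
     "operation": "Set-Mailbox", "detail": "unrelated change"},
]
# Operations worth linking to a suspicious sign-in (assumed names, extend for your sources).
POST_COMPROMISE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Consent to application"}

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def suspected_session_replays(signins, window_minutes=60):
    """Flag successful sign-ins without an MFA event that come from a different country
    than the user's last MFA-backed sign-in, within window_minutes of it."""
    findings = []
    by_user = {}
    for rec in sorted(signins, key=lambda r: parse_ts(r["time"])):
        by_user.setdefault(rec["user"], []).append(rec)
    for user, rows in by_user.items():
        last_mfa = None
        for rec in rows:
            if not rec["success"]:
                continue
            if rec["mfa_performed"]:
                last_mfa = rec          # fresh baseline: the user really authenticated here
                continue
            if last_mfa is None:
                continue
            gap = parse_ts(rec["time"]) - parse_ts(last_mfa["time"])
            # Same-country token reuse is normal; a new country minutes after real MFA is not.
            if rec["country"] != last_mfa["country"] and gap <= timedelta(minutes=window_minutes):
                findings.append({
                    "user": user,
                    "replay_time": rec["time"], "replay_ip": rec["ip"], "replay_country": rec["country"],
                    "mfa_time": last_mfa["time"], "mfa_country": last_mfa["country"],
                    "minutes_after_mfa": gap.total_seconds() / 60,
                    "followup_actions": [],
                })
    return findings

def link_post_compromise_actions(findings, audit, window_minutes=15):
    """Attach mailbox-rule / consent events that follow each flagged sign-in closely."""
    for fnd in findings:
        start = parse_ts(fnd["replay_time"])
        for ev in audit:
            if ev["user"] != fnd["user"] or ev["operation"] not in POST_COMPROMISE_OPS:
                continue
            if timedelta(0) <= parse_ts(ev["time"]) - start <= timedelta(minutes=window_minutes):
                fnd["followup_actions"].append(f'{ev["operation"]}: {ev["detail"]}')
    return findings

def hunt(signins=SIGNINS, audit=AUDIT):
    return link_post_compromise_actions(suspected_session_replays(signins), audit)

if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

The baseline here is deliberately the user's last MFA-backed sign-in rather than a static home country, because that is exactly the event an AiTM proxy triggers seconds before the replay. When porting this to real Entra data, the "no MFA event" condition maps to a sign-in whose MFA requirement was satisfied by a claim in an existing token rather than by a fresh challenge.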

The Web Application Hacker's Handbook remains an essential reference for understanding web session management, token security, and the authentication attack surface that AiTM exploits at the application layer.

FAQ

What is Tycoon 2FA?

Tycoon 2FA was a phishing-as-a-service platform that sold adversary-in-the-middle (AiTM) phishing capabilities to subscribers. Operating since August 2023, it enabled operators to run phishing campaigns that bypassed SMS and TOTP multi-factor authentication by proxying real-time authentication sessions, capturing session cookies for immediate account access. It was dismantled by Europol and a private sector coalition in March 2026.

What is adversary-in-the-middle (AiTM) phishing?

AiTM phishing uses a reverse proxy between the victim and the legitimate service. The phishing site passes the victim's credentials and MFA code to the real service, completing authentication — but simultaneously captures the resulting session cookie. The attacker uses this cookie to access the account directly, bypassing the need for the password or MFA code again. SMS codes and TOTP apps are completely ineffective against this technique.

Does multi-factor authentication stop AiTM phishing?

Standard MFA — SMS one-time passwords and TOTP authenticator apps — does not stop AiTM phishing. The proxy captures your code in real time and uses it before it expires. The only MFA mechanism that is structurally resistant to AiTM is FIDO2 (passkeys and hardware security keys), because the cryptographic assertion is bound to the specific origin domain. A phishing proxy cannot reuse it for a different domain.

How many victims did Tycoon 2FA have?

Intel471 and Microsoft confirmed approximately 96,000 distinct phishing victims globally since the platform launched in August 2023. More than 55,000 were Microsoft customers. The service was linked to over 64,000 phishing incidents and generated more than 30 million malicious emails in a single month at peak. Europol noted victims included schools, hospitals, and public institutions.

What organisations were behind the Tycoon 2FA takedown?

The operation was led by Europol and included Microsoft, Coinbase, Intel471, Cloudflare, Proofpoint, SpyCloud, and Trend Micro. 330 domains were seized. The alleged primary developer, Saad Fridi (Pakistan), was arrested.

What is the best defence against AiTM phishing?

The only phishing-resistant MFA mechanism is FIDO2 — hardware security keys (YubiKey, Google Titan) or passkeys stored on devices. FIDO2 binds the cryptographic assertion to the exact authentication origin, so a proxy serving a different domain cannot replay it. Organisations should enforce phishing-resistant MFA via Conditional Access policies, shorten session token lifetimes, and enable Continuous Access Evaluation for near-real-time session revocation.
