Microsoft, which led the effort, said it seized 330 domains that powered the phishing platform’s core infrastructure. The alleged creator was also named in a civil complaint.
# Incident Report: Dismantlement of Tycoon 2FA Phishing Platform
## Executive Summary
A global coalition led by Microsoft and Europol dismantled the "Tycoon 2FA" phishing-as-a-service (PhaaS) platform, seizing 330 infrastructure domains. The platform enabled low-skilled cybercriminals to bypass multifactor authentication (MFA) via adversary-in-the-middle (AiTM) techniques, targeting over 500,000 organizations monthly. The operation included a civil complaint naming the alleged creator, Saad Fridi, and effectively disrupted the source of 62% of phishing attempts blocked by Microsoft in mid-2025.
## Incident Details
- **Discovery Date:** August 2023 (Initial emergence)
- **Incident Date:** Takedown executed March 4, 2026
- **Affected Organizations:** 500,000+ organizations monthly; 96,000 distinct victims
- **Sector:** Critical Infrastructure, specifically Education and Healthcare
- **Geography:** Global (Infrastructure seized across Latvia, Lithuania, Portugal, Poland, Spain, and the UK)
## Timeline of Events
### Initial Access
- **Date/Time:** August 2023
- **Vector:** Phishing via email, Telegram, and Signal.
- **Details:** Attackers distributed phishing links through approximately 30 million emails per month at the peak of operations.
### Lateral Movement
- **Details:** As an AiTM platform, Tycoon 2FA facilitated session cookie theft, allowing attackers to bypass MFA and move laterally into Microsoft 365, Outlook, SharePoint, OneDrive, and Google services.
### Data Exfiltration/Impact
- **Details:** Compromise of corporate credentials and session tokens; disruption of patient care in hospitals and operations in schools and universities.
### Detection & Response
- **Discovery:** Identified by Microsoft Threat Intelligence and Proofpoint as the primary driver of MFA-bypass phishing.
- **Response Actions:** A US District Court order allowed Microsoft and partners to seize 330 domains and take ownership of the technical infrastructure. A $10 million civil injunction was filed against the operators.
## Attack Methodology
- **Initial Access:** Adversary-in-the-Middle (AiTM) phishing lures.
- **Persistence:** Theft of session tokens to bypass the need for repeated logins/MFA.
- **Defense Evasion:** Use of redirect logic and fraudulent login pages that mimicked legitimate services to deceive users.
- **Credential Access:** Proxying authentication traffic between the victim and the legitimate service to harvest credentials and MFA codes in real-time.
- **Impact:** Operational disruption and resource diversion in the healthcare and education sectors.
## Impact Assessment
- **Financial:** $10 million injunction sought; significant resource diversion for victims.
- **Data Breach:** Compromise of internal documents (SharePoint/OneDrive) and communications (Email).
- **Operational:** Delayed patient care in hospitals; business disruption in educational institutions.
- **Reputational:** Significant harm to the Tycoon 2FA brand and its "customer" trust following the seizure of control panels.
## Indicators of Compromise
- **Network indicators:** 330 seized domains (fraudulent login portals and control panels); the specific domains are listed in the court filings and are not reproduced here.
- **Behavioral indicators:** High volume of AiTM traffic targeting Microsoft 365/Google Workspace; session token theft attempts from unusual geolocations.
## Response Actions
- **Containment:** Domain seizure to sever communication between phishing kits and their control infrastructure.
- **Eradication:** Dismantling of the core back-end infrastructure (the operator is tracked by Microsoft as Storm-1747).
- **Recovery:** Public-private intelligence sharing via Health-ISAC and Europol to assist victims in securing compromised accounts.
## Lessons Learned
- **MFA is not foolproof:** Traditional MFA is vulnerable to AiTM attacks; phishing kits are becoming highly democratized through "as-a-service" models.
- **Public-Private Partnership:** Successful disruption requires high-level cooperation between tech giants, security firms (Proofpoint, Trend Micro, etc.), and international law enforcement.
- **Legal Recourse:** Civil litigation and TROs (Temporary Restraining Orders) are effective tools for seizing digital infrastructure.
## Recommendations
- **Adopt FIDO2/WebAuthn:** Move toward phishing-resistant MFA (hardware keys) to mitigate AiTM risks.
- **Email Security:** Implement advanced threat protection that can detect the redirect logic used by phishing kits like Tycoon 2FA.
- **Token Revocation:** Establish protocols for rapid session token revocation upon detection of suspicious login behavior.
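One way to operationalize the behavioral indicator above (session tokens reused from unusual geolocations) together with the token-revocation recommendation, added here as an illustration rather than code from the report or from any vendor's product: the event format, field names and sample records are constructed assumptions, and a real deployment would read sign-in telemetry from the identity provider instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample token-bearing sign-in events (not real telemetry):
# each record is one request that presented a session token after sign-in.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T09:00:00", "user": "alice", "session": "S1", "country": "US"},
    {"ts": "2026-03-01T09:02:30", "user": "alice", "session": "S1", "country": "DE"},
    {"ts": "2026-03-01T10:00:00", "user": "bob",   "session": "S2", "country": "GB"},
    {"ts": "2026-03-01T10:30:00", "user": "bob",   "session": "S2", "country": "GB"},
    {"ts": "2026-03-01T11:00:00", "user": "carol", "session": "S3", "country": "US"},
    {"ts": "2026-03-04T11:00:00", "user": "carol", "session": "S3", "country": "FR"},
]


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return {session_id: reason} for session tokens presented from two
    different countries within `window`: the trace left when a token captured
    by an AiTM proxy is replayed from the attacker's location shortly after the
    victim completed MFA. The check looks at token use, not at the sign-in."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    flagged = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            if cur["country"] != prev["country"] and gap <= window:
                flagged[sid] = (f"{cur['user']}: token used from {prev['country']} "
                                f"then {cur['country']} {int(gap.total_seconds())}s apart")
                break  # one reason per session is enough to act on
    return flagged


def revocation_plan(events, window=timedelta(hours=1)):
    """Map each flagged session to the response step the report recommends:
    revoke the token and require a fresh, ideally phishing-resistant, sign-in."""
    return [
        {"user": next(e["user"] for e in events if e["session"] == sid),
         "session": sid, "action": "revoke_session_and_reauthenticate", "reason": why}
        for sid, why in find_replayed_sessions(events, window).items()
    ]


if __name__ == "__main__":
    for step in revocation_plan(SAMPLE_EVENTS):
        print(step)
```

The window is a tuning knob: carol's token moves countries three days apart and is not flagged at one hour, so a wider window trades more coverage for more benign-travel noise.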