Full Report
The Tycoon2FA phishing-as-a-service (PhaaS) platform that Europol and partners disrupted on March 4 has already returned to previously observed activity levels. [...]
Analysis Summary
# Tool/Technique: Tycoon2FA
## Overview
Tycoon2FA is a prominent Phishing-as-a-Service (PhaaS) platform designed to harvest credentials and bypass Multi-Factor Authentication (MFA) for Microsoft 365 and Gmail accounts. It uses Adversary-in-the-Middle (AiTM) mechanisms to intercept authentication tokens in real time. Despite a major international law enforcement disruption in March 2026, the platform rebuilt its infrastructure within days and kept its status as a high-volume threat.
## Technical Details
- **Type:** Phishing-as-a-Service (PhaaS) / Adversary-in-the-Middle (AiTM) Tool
- **Platform:** Web-based (Targeting Microsoft 365 and Gmail/Google Workspace users)
- **Capabilities:** MFA bypass, session token theft, automated redirection, AI-generated lures.
- **First Seen:** Approximately early 2024 (documented by Sekoia).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
- **[TA0006 - Credential Access]**
  - [T1557 - Adversary-in-the-Middle]
  - [T1111 - Two-Factor Authentication Evasion]
- **[TA0003 - Persistence]**
  - [T1098.005 - Account Manipulation: Device Registration]
- **[TA0007 - Discovery]**
  - [T1114.002 - Email Collection: Remote Email Services]
## Functionality
### Core Capabilities
- **AiTM Proxying:** Acts as a transparent proxy between the victim and the legitimate service (Microsoft/Google), capturing credentials and session cookies in real time.
- **2FA/MFA Evasion:** Intercepts the second-factor challenge, allowing attackers to bypass protections like SMS codes or authenticator apps.
- **High Volume Distribution:** Capable of generating up to 30 million phishing emails per month.
- **Infrastructure Redundancy:** Utilizes a vast network of control panels and over 300 hijacked or registered domains to ensure operational continuity.
### Advanced Features
- **AI-Generated Decoys:** Uses artificial intelligence to create highly convincing and dynamic decoy web pages to deceive users.
- **Evasion Techniques:** Employs URL shortener services and abuses legitimate presentation tools/cloud platforms to redirect users and bypass email filters.
- **Post-Compromise Automation:** Facilitates the creation of inbox rules and hidden folders to conceal fraudulent activity from the victim.
## Indicators of Compromise
- **File Hashes:** Typically delivery-based; specific hashes vary by campaign.
- **File Names:** N/A (Web-based/URL-driven).
- **Network Indicators:**
- `tycoon-cdn[.]com` (Example of common naming convention)
- `microsoft-office-update[.]com` (Defanged example)
- Use of a pool of 330+ domains (those seized in the takedown) operated as decentralized phishing nodes.
- **Behavioral Indicators:**
- Creation of "Hidden" folders in Outlook/M365 accounts.
- Automated creation of "Move to folder" or "Delete" inbox rules shortly after login.
- Unrecognized device registrations in Azure AD/Entra ID.
## Associated Threat Actors
- **The Tycoon Group** (Operators)
- **Various PhaaS Subscribers** (Used by diverse groups for BEC, thread hijacking, and cloud account takeovers).
## Detection Methods
- **Behavioral Detection:** Monitor for "impossible travel" logins and suspicious changes to mailbox rules (e.g., rules that delete messages containing keywords like "invoice," "wire," or "payment").
- **Network Telemetry:** Identify traffic to known phishing-as-a-service backend infrastructure or to newly registered domains with high-entropy names.
- **Heuristic Analysis:** Detect AI-generated structures in landing pages and monitor for redirection chains involving URL shorteners and presentation-software URLs.
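The mailbox-rule behavioral check above, as an added example that is not part of the original report: a small detector run over constructed Exchange audit records (the `Operation`, `UserId`, `CreationTime` and `Parameters` fields are assumed to be shaped like Unified Audit Log entries for `New-InboxRule` and `UserLoggedIn`). It flags a new rule when it hides mail (delete/move) and either matches the fraud keywords the report names or follows a login within a short window.

```python
from datetime import datetime, timedelta

# Keywords the report names as typical targets of "Move"/"Delete" inbox rules.
SUSPICIOUS_KEYWORDS = {"invoice", "wire", "payment"}
# Rule actions that hide mail from the victim (New-InboxRule parameter names).
CONCEALING_ACTIONS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

def rule_parameters(record):
    """Flatten the Parameters array of an Exchange audit record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_suspicious_rule(record, login_times, window=timedelta(minutes=30)):
    """True if a new rule conceals mail AND (matches fraud keywords OR follows a fresh login)."""
    if record.get("Operation") != "New-InboxRule":
        return False
    params = rule_parameters(record)
    conceals = any(action in params for action in CONCEALING_ACTIONS)
    words = (params.get("SubjectContainsWords", "") + ";"
             + params.get("BodyContainsWords", "")).lower()
    keyword_hit = any(k in words for k in SUSPICIOUS_KEYWORDS)
    created = datetime.fromisoformat(record["CreationTime"])
    recent_login = any(timedelta(0) <= created - t <= window
                       for t in login_times.get(record["UserId"], []))
    return conceals and (keyword_hit or recent_login)

def find_alerts(records):
    """Return (user, rule name) for every rule creation the logic flags."""
    logins = {}
    for r in records:
        if r.get("Operation") == "UserLoggedIn":
            logins.setdefault(r["UserId"], []).append(
                datetime.fromisoformat(r["CreationTime"]))
    return [(r["UserId"], rule_parameters(r).get("Name", "?"))
            for r in records if is_suspicious_rule(r, logins)]

# Constructed sample audit records (not real telemetry) for a dry run.
SAMPLE_RECORDS = [
    {"CreationTime": "2026-03-10T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "a.user@example.com"},
    {"CreationTime": "2026-03-10T08:05:42", "Operation": "New-InboxRule",
     "UserId": "a.user@example.com",
     "Parameters": [{"Name": "Name", "Value": "Clean up"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-03-10T09:30:00", "Operation": "New-InboxRule",
     "UserId": "b.user@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]
```

Running `find_alerts(SAMPLE_RECORDS)` flags only the first rule: it deletes mail and filters on "invoice"/"wire" minutes after a login, while the newsletter rule only moves mail and has no fresh login behind it.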
## Mitigation Strategies
- **Enforce FIDO2/WebAuthn:** Use hardware security keys (such as YubiKeys), which are resistant to AiTM phishing, unlike SMS or TOTP codes.
- **Conditional Access Policies:** Restrict logins to compliant, managed, or hybrid-joined devices.
- **User Education:** Train employees to identify URL redirection and to verify the origin of requested authentication prompts.
- **Tenant Hardening:** Block "auto-forwarding" rules in Exchange Online to prevent data exfiltration.
## Related Tools/Techniques
- **Evilginx2 / Evilginx3:** Open-source frameworks that pioneered the current AiTM phishing methodology.
- **Greatness PhaaS:** A similar service targeting M365 environments.
- **LabHost:** Another disrupted PhaaS platform with similar bypass capabilities.