Tycoon2FA Phishing Campaign Targets Cloud Accounts After Brief Hiatus
Key Takeaways
- The Tycoon2FA phishing-as-a-service (PhaaS) platform has rapidly re-established its operations targeting cloud accounts, despite a multi-national law enforcement takedown on March 4, 2026.
- The campaign primarily targets Microsoft 365 and Google cloud users, employing sophisticated adversary-in-the-middle (AITM) techniques to bypass multi-factor authentication (MFA).
- The quick resurgence and unchanged tactics highlight the limitations of infrastructure-only disruptions without arrests or physical asset seizures.
- Organizations must implement robust security measures beyond MFA, including enhanced monitoring for suspicious login patterns and continuous employee training.
Tycoon2FA Operators Swiftly Resume Cloud Account Phishing After Infrastructure Disruption
Cybercriminals leveraging the Tycoon2FA phishing-as-a-service (PhaaS) platform have quickly reactivated their malicious operations, once again targeting cloud accounts with nearly full intensity. This rapid resurgence follows a coordinated law enforcement effort on March 4, 2026, which aimed to dismantle the platform’s infrastructure, according to a recent report.
Europol, in collaboration with authorities from six different nations, successfully seized 330 domains that formed the core infrastructure of the Tycoon2FA platform. This operation represented a significant attempt to disrupt a subscription-based crimeware service. However, the effectiveness of this takedown proved short-lived, as operators began rebuilding their infrastructure on the very same day the disruption was announced, underscoring the resilience of this persistent threat.
Evolution and Impact of Tycoon2FA
Tycoon2FA first emerged in 2023 as a subscription-based toolkit, specifically designed to enable cybercriminals to circumvent multi-factor authentication (MFA) protocols. The platform operates by employing adversary-in-the-middle (AITM) techniques, positioning itself between a victim and a legitimate login portal to intercept live authentication sessions in real time.
By mid-2025, Tycoon2FA had escalated to become a dominant force within the phishing landscape. Microsoft reported that the platform was responsible for 62% of all phishing attempts it blocked, and estimates indicated that Tycoon2FA campaigns were responsible for dispatching over 30 million malicious emails in a single month.
Limited Impact of Law Enforcement Action
Analysts at CrowdStrike observed a brief but pronounced decrease in Tycoon2FA campaign activity immediately after the March 4 takedown. Daily phishing volumes plummeted to just 25% of their pre-disruption levels on March 4 and March 5, 2026. However, this temporary decline did not last. Within a few days, activity rebounded to levels consistent with those seen in early 2026, and cloud account compromises resumed at full speed.
Crucially, the platform’s tactics, techniques, and procedures (TTPs) showed no significant alterations following the disruption. This suggests that the core service itself was likely never fully incapacitated. The March 4 operation was spearheaded by Europol’s European Cybercrime Centre (EC3), with support from law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom. It came several months after a September 2025 operation targeting RaccoonO365, which had been Tycoon2FA’s primary competitor.
As of this report, there have been no arrests or physical asset seizures directly linked to Tycoon2FA. This absence of arrests is considered a major factor limiting the long-term effectiveness of the infrastructure disruption. The rapid recovery of Tycoon2FA highlights a systemic challenge with takedowns that focus solely on infrastructure. Without apprehending the operators, criminal entities can quickly re-establish their services using new hosting providers, fresh domains, and updated IP infrastructure, minimizing any business interruption. Consequently, for organizations relying on Microsoft 365 or Google cloud services, the threat posed by Tycoon2FA remains substantially undiminished.
Post-Disruption Phishing Tactics
Between March 4 and March 6, 2026, CrowdStrike’s Falcon Complete team documented at least 30 suspected Tycoon2FA-enabled phishing incidents. These incidents involved a minimum of 12 distinct decoy and credential-capture pages. The attack methodology remained consistent with established patterns: victims received phishing emails directing them to fraudulent CAPTCHA pages. Upon successful CAPTCHA validation, session cookies were stolen, and an obfuscated JavaScript file was used to proxy the victim’s credentials to a legitimate Microsoft 365 login portal.
Once both credentials and MFA tokens were successfully captured, the Tycoon2FA platform automatically initiated logins to the victim’s Microsoft Entra ID account. These automated logins frequently originated from IPv6 addresses associated with M247 Europe SRL, an internet provider based in Romania.

The operators also employed generative AI to create highly convincing fake websites. These sites were served to users who failed the platform’s geofencing checks, a measure designed to deter and filter out security researchers. Post-disruption campaigns further utilized URL shortener services, embedded links within legitimate presentation platforms, and compromised SharePoint environments from trusted contacts to redirect targets to Tycoon2FA infrastructure. Notably, eight of the eleven IPv6 addresses observed during March 2026 were first seen on or after March 1, indicating that the threat actors rapidly provisioned new infrastructure following the takedown.
What You Should Do
- Reinforce MFA with Conditional Access: Do not rely on MFA as a sole defense. Implement conditional access policies that flag or block logins from unusual IPv6 ranges, unexpected geographic locations, or unrecognized devices.
- Enhance Monitoring for BEC Indicators: Actively monitor Microsoft Exchange and other email platforms for suspicious inbox rule creation, hidden folder activity, or changes in email forwarding settings, which are common precursors to business email compromise (BEC).
- Conduct Regular Employee Training: Provide continuous and up-to-date training to employees on identifying sophisticated phishing emails, especially those leveraging trusted platforms (e.g., SharePoint) or URL shorteners. Emphasize the dangers of clicking unknown links.
- Monitor DNS and Cloud Authentication Logs: Implement robust logging and continuous monitoring of DNS resolution activity and cloud authentication logs. Look for anomalous login attempts, failed MFA challenges, or access from suspicious IP addresses.
- Implement Advanced Email Security: Deploy advanced email security solutions capable of detecting and blocking phishing attempts, spoofed domains, and malicious links before they reach end-users.
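As an added example, not part of the HackersRadar report or of any CrowdStrike or Microsoft tooling: a small Python detector that pairs sign-ins from outside an organization's known egress prefixes with inbox-rule creation that follows shortly afterwards, the BEC precursor pattern the recommendations above describe. The sample records, the KNOWN_PREFIXES allow-list and the flattened record shape are constructed assumptions; real Entra ID sign-in and Exchange audit records carry more fields, but the New-InboxRule operation and its parameter names are the real ones.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records (not real logs): Entra ID sign-ins and Exchange mailbox audit events.
SIGNINS = [
    {"user": "alice@example.com", "ts": "2026-03-05T08:01:00Z", "ip": "2001:db8:10::7", "mfa": True},
    {"user": "alice@example.com", "ts": "2026-03-05T08:03:00Z", "ip": "2001:db8:dead::2", "mfa": True},
    {"user": "bob@example.com", "ts": "2026-03-05T09:00:00Z", "ip": "203.0.113.5", "mfa": True},
]
MAILBOX_EVENTS = [
    {"user": "alice@example.com", "ts": "2026-03-05T08:05:00Z", "op": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": "external@example.net", "MoveToFolder": "RSS Subscriptions"}},
    {"user": "bob@example.com", "ts": "2026-03-05T09:10:00Z", "op": "New-InboxRule",
     "params": {"Name": "Receipts", "MoveToFolder": "Receipts"}},
]

# Hypothetical allow-list of corporate egress prefixes (assumption; replace with your own).
KNOWN_PREFIXES = [ipaddress.ip_network("2001:db8:10::/48"), ipaddress.ip_network("203.0.113.0/24")]
# Folders attackers commonly use to hide forwarded or moved mail from the mailbox owner.
SUSPECT_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def unknown_ip(ip):
    """True when the address (v4 or v6) falls outside every known egress prefix."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in KNOWN_PREFIXES)

def suspicious_rule(ev):
    """Return the reasons an inbox rule looks like a BEC precursor (empty list if benign)."""
    p = ev["params"]
    reasons = []
    if any(k in p for k in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")):
        reasons.append("forwards or redirects mail")
    if p.get("MoveToFolder", "").lower() in SUSPECT_FOLDERS:
        reasons.append("moves mail to a rarely viewed folder")
    if not p.get("Name", "").strip(" ."):
        reasons.append("rule name is blank or punctuation only")
    return reasons

def find_findings(signins, events, window=timedelta(hours=1)):
    """Pair each sign-in from an unknown address with suspicious inbox rules created within `window`."""
    findings = []
    for s in signins:
        if not unknown_ip(s["ip"]):
            continue
        t0 = parse_ts(s["ts"])
        for ev in events:
            if ev["user"] != s["user"] or ev["op"] != "New-InboxRule":
                continue
            reasons = suspicious_rule(ev)
            if reasons and timedelta(0) <= parse_ts(ev["ts"]) - t0 <= window:
                findings.append({"user": s["user"], "ip": s["ip"], "reasons": reasons})
    return findings
```

The constructed data yields one finding: alice's sign-in from an unknown IPv6 address followed two minutes later by a blank-named rule that forwards mail externally and hides copies in the RSS folder, while bob's rule from a known prefix is not reported.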
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.