{"id":15899,"date":"2026-03-05T02:39:20","date_gmt":"2026-03-05T02:39:20","guid":{"rendered":"https:\/\/newestek.com\/?p=15899"},"modified":"2026-03-05T02:39:20","modified_gmt":"2026-03-05T02:39:20","slug":"microsoft-leads-takedown-of-tycoon2fa-phishing-service-infrastructure","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15899","title":{"rendered":"Microsoft leads takedown of Tycoon2FA phishing service infrastructure"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>The infrastructure hosting the Tycoon2FA service, which Europol said was among the largest phishing operations worldwide, has been taken down by a coalition of IT companies and law enforcement agencies.<\/p>\n<p>At least temporarily, this removes access to one more tool for evading multifactor authentication defenses from threat actors.<\/p>\n<p><a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/global-phishing-service-platform-taken-down-in-coordinated-public-private-action\" target=\"_blank\" rel=\"noreferrer noopener\">Europol, which coordinated the operation, said Wednesday<\/a> that the technical disruption was led by Microsoft, which got a US court order to seize 330\u00a0active\u00a0domains that powered Tycoon2FA\u2019s core infrastructure, including its control panels and fraudulent login pages.\u00a0At the same time, law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom seized the service\u2019s infrastructure in their countries.<\/p>\n<p>Other IT companies involved in the operation included Cloudflare, Coinbase, Intel471, Proofpoint, the Shadowserver Foundation, SpyCloud, and Trend Micro.<\/p>\n<p>Microsoft noted that, by 
mid\u20112025,\u00a0Tycoon2FA\u00a0accounted for approximately 62% of all phishing attempts that it alone had blocked; at one point it intercepted more than 30 million emails in a single month. It believes that Tycoon2FA, sold to threat actors as a phishing-as-a-service operation, is linked to an estimated\u00a096,000\u00a0distinct\u00a0phishing victims worldwide since 2023, including more than 55,000 Microsoft customers.\u00a0\u00a0<\/p>\n<p><strong>[<a href=\"https:\/\/www.csoonline.com\/article\/3993289\/feds-and-microsoft-crush-lumma-stealer-that-stole-millions-of-passwords.html\" target=\"_blank\">Related content: US, Microsoft crush Lumma Stealer<\/a>]<\/strong><\/p>\n<p>The company said that Tycoon2FA\u00a0combined\u00a0convincing phishing templates, realistic landing pages, and real\u2011time capture of credentials and authentication codes into an easy\u2011to\u2011use package that scaled quickly. \u201cBy lowering the technical barrier to entry, it allowed criminals with limited\u00a0expertise\u00a0to run sophisticated impersonation campaigns,\u201d <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2026\/03\/04\/how-a-global-coalition-disrupted-tycoon\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft said in a blog.\u00a0<\/a><\/p>\n<p>It noted that Tycoon2FA\u2019s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail, as well as allowing threat actors using its service to establish persistence. <\/p>\n<p>Criminals could also access sensitive information, even after passwords were reset, by intercepting session cookies generated during the authentication process while simultaneously capturing user credentials, unless active sessions and tokens were explicitly revoked. 
The intercepted multi-factor authentication (MFA) codes were subsequently relayed through Tycoon2FA\u2019s proxy servers to the authenticating service.<\/p>\n<h2 class=\"wp-block-heading\" id=\"dont-be-complacent-experts\">Don\u2019t be complacent: Experts<\/h2>\n<p>This takedown is the latest in a series of IT industry and law enforcement co-operative efforts to go after criminals\u2019 IT infrastructure.<\/p>\n<p>However, experts warned CSOs and infosec leaders not to become complacent. Cybercrime is so lucrative that either a distribution of this tool will pop up elsewhere, or another tool will take its place.<\/p>\n<p>\u201cPhishing tools designed to bypass reverse proxies continue to evolve,\u201d noted <a href=\"https:\/\/www.digitaldefence.ca\/company\/\" target=\"_blank\" rel=\"noreferrer noopener\">Robert Beggs<\/a>, head of Canadian incident response firm Digital Defence.\u00a0\u201cCommercial variations such as EvilProxy are commonly found in the wild, and open source toolkits like EvilGinx, Modlishka, EvilPunch are becoming the go-to option for attackers.\u201d<\/p>\n<p><a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noreferrer noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute, noted that access brokers like Tycoon2FA are typically less sensitive to domain takedowns than malware operators who use domains for their command-and-control infrastructure.<\/p>\n<p>\u201cIt will likely take them a bit of time to rebuild domains to use in their operation,\u201d he said in an email, \u201cbut I doubt they will disappear. On the other hand, there is reason to cheer: at least a temporary reprieve from Tycoon2FA phishing emails.\u201d <\/p>\n<p>He added, \u201cCSOs should, however, focus on identity security, in particular phishing-resistant authentication technologies. Multi-factor authentication is not sufficient if it is still susceptible to phishing. 
A recently developed tool, Starkiller, added yet another option for attackers to exploit insufficient MFA configurations.\u201d<\/p>\n<p><strong>[<a href=\"https:\/\/www.csoonline.com\/article\/3546864\/doj-seizes-41-russian-controlled-domains-in-cyber-espionage-crackdown.html\" target=\"_blank\">Related content: DOJ seizes 41 Russian-controlled domains<\/a>]<\/strong><\/p>\n<p>Beggs pointed out that Tycoon2FA owes its success to being a simple-to-use system based on a reverse proxy.\u00a0This configuration allows it to bypass the two-factor authentication that most organizations rely on to provide protection against phishing attacks, he said.\u00a0The reverse proxy allows the hostile program, and thus the attacker, to sit virtually in the middle of a transaction and intercept access credentials and cookies.<\/p>\n<h2 class=\"wp-block-heading\" id=\"stringent-defenses-needed\">Stringent defenses needed<\/h2>\n<p>CSOs must employ stringent defenses against tools that use reverse proxies, Beggs said, including strengthening email filtering by enforcing\u00a0DMARC, DKIM, and SPF; enforcing secure session handling at the edge by using client-bound session tokens tied to device or TLS certificates; ensuring continuous validation by issuing a new challenge when the device fingerprint changes and by using short-lived cookies; monitoring network traffic for signs of man-in-the-middle behaviors such as inconsistent host headers, proxy-added headers, and timing discrepancies between client and server flows; and adopting phishing-resistant MFA with tools like FIDO2\/WebAuthn hardware keys, passkeys, or certificate-based authentication.\u00a0<\/p>\n<p>Because authentication is bound to the origin (domain) and the cryptographic challenges cannot be replayed through a reverse proxy, these methods cannot be proxied, he added.<\/p>\n<h2 
class=\"wp-block-heading\" id=\"how-the-service-worked\">How the service worked<\/h2>\n<p>Tycoon2FA phishing services were advertised and sold to cybercriminals on applications like Telegram and Signal, Microsoft said <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/04\/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale\" target=\"_blank\" rel=\"noreferrer noopener\">in a separate blog<\/a>. Prices ranged, but phishing kits started at $120 for 10 days of access to an administrative panel, which served as a single dashboard for configuring, tracking, and refining campaigns.<\/p>\n<p>For defenders who don\u2019t know how comprehensive these criminal SaaS operations can be, here\u2019s an outline of Tycoon2FA\u2019s service: Campaign operators could configure a broad set of campaign parameters that control how phishing content is delivered and presented to targets. Key settings include lure template selection and branding customization, redirection routing, MFA interception behavior, CAPTCHA appearance and logic, attachment generation, and exfiltration configuration.\u00a0<\/p>\n<p>Tycoon2FA generated large numbers of subdomains for individual phishing campaigns, used them briefly, then dropped them and spun up new ones.\u00a0<\/p>\n<p>Operators could also configure how the malicious content is delivered. Options include generating EML files, PDFs, and QR codes, offering multiple ways to package and distribute phishing lures.<\/p>\n<p>Operators could track valid and invalid sign-in attempts, MFA usage, and session cookie capture, with victim data organized by attributes such as targeted service, browser, location, and authentication status. 
Captured credentials and session cookies could be viewed or downloaded directly within the panel and\/or forwarded to Telegram for near\u2011real\u2011time monitoring.<\/p>\n<p>\u201cTycoon2FA illustrated the evolution of phishing kits in response to rising enterprise defenses, adapting its lures, infrastructure, and evasion techniques to stay ahead of detection,\u201d said Microsoft. <\/p>\n<p>\u201cAs organizations increasingly adopt MFA, attackers are shifting to tools that target the authentication process itself, instead of attempting to circumvent it. Coupled with affordability, scalability, and ease of use, Tycoon2FA posed a persistent and significant threat to both consumer and enterprise accounts, especially those that rely on MFA as a primary safeguard.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The infrastructure hosting the Tycoon2FA service, which Europol said was among the largest phishing operations worldwide, has been taken down by a coalition of IT companies and law enforcement agencies. At least temporarily, this removes access to one more tool for evading multifactor authentication defenses from threat actors. 
Europol, which coordinated the operation, said Wednesday that the technical disruption was led by Microsoft, which got&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15899\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15899","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15899"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15899\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}