Storm-1747
Storm-1747 is the Microsoft-tracked threat actor associated with the Tycoon 2FA phishing-as-a-service (PhaaS) platform. The group developed, supported, advertised, and sold Tycoon 2FA to other cybercriminals, including via Telegram and Signal, and leased malicious infrastructure to enable large-scale adversary-in-the-middle (AiTM) phishing operations. Tycoon 2FA was first observed in August 2023 and was described as the most prolific AiTM/PhaaS platform observed by Microsoft in 2025 and into early 2026, at one point accounting for roughly 62% of the AiTM phishing attempts Microsoft was blocking monthly and reaching more than 500,000 organizations per month. Microsoft and Europol disrupted Tycoon 2FA infrastructure in March 2026, seizing more than 300 domains; multiple reports state that the platform resumed activity afterward.

Storm-1747’s operations targeted Microsoft 365, Microsoft Entra ID, Google Workspace, Gmail, Outlook, OneDrive, SharePoint, and other enterprise sign-in workflows. The platform impersonated legitimate sign-in pages and used reverse-proxy (AiTM) techniques to relay the victim’s authentication to the real identity provider in real time, capturing credentials, MFA codes, and the resulting authenticated session cookies and session tokens. Because the proxy completes the legitimate MFA exchange on the victim’s behalf, OTP- and push-based MFA offer no protection against it; only phishing-resistant, origin-bound authenticators such as FIDO2 cannot be relayed this way. Reported lure delivery included phishing emails with PDF, SVG, HTML, DOCX, and PowerPoint attachments, as well as QR codes. The kit used multi-layer redirect chains and could dynamically load the victim organization’s branding to make phishing pages appear authentic.

Reported evasion and anti-analysis features included fake or self-hosted CAPTCHA pages, browser fingerprinting, anti-bot screening, filtering of cloud and hosting IP ranges, developer-tool blocking, automation and analysis-tool detection, heavy code obfuscation, custom JavaScript, dynamic decoy pages, and short-lived, rapidly rotating domains and subdomains. Structural variants documented in the underlying reporting include a WebSocket-based session relay and abuse of the OAuth device code flow.
For Microsoft-focused compromises, the platform was also reported to establish persistence by registering rogue devices in Entra ID and obtaining primary refresh tokens (PRTs), allowing continued access even after the stolen session was revoked. Storm-1747 is also mentioned as one of several threat actors observed leveraging RedVDS infrastructure; that linkage is described in the reporting as medium confidence, based on infrastructure overlap and tool usage. The reporting also notes hypotheses of overlap between Tycoon2FA and hybrid Salty2FA/Tycoon2FA activity, suggesting a possible connection to Storm-1747, but this is presented as suggestive rather than confirmed. Aliases directly supported by the reporting: Tycoon 2FA, Tycoon2FA.
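The post-compromise chain described above (stolen session replayed from attacker infrastructure, device code flow sign-ins, and rogue device registration for PRT-based persistence) is the part a defender can hunt for in identity logs. The following is an added example, not code from the page or from any vendor: three correlation checks run over constructed Entra ID-style sign-in and audit records. The field names (createdDateTime, userPrincipalName, ipAddress, sessionId, authenticationProtocol, activityDisplayName) approximate Entra ID log fields, but the records, the flattened initiatedBy field, the time windows, and the "Register device" activity name are assumptions chosen for illustration.

```python
"""Hunt for AiTM follow-on activity in Entra ID-style sign-in and audit logs.

Added example for this profile. Record shapes approximate Entra ID sign-in
and audit log fields; all records below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records. alice's session is first seen from her own IP and
# then, 20 minutes later, from a different IP with the same sessionId: the shape
# of a session cookie stolen through an AiTM proxy and replayed elsewhere.
# bob authenticates via the OAuth device code flow. carol is benign.
SIGNINS = [
    {"createdDateTime": "2026-03-10T09:00:00+00:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "sessionId": "sess-a1", "authenticationProtocol": "oAuth2"},
    {"createdDateTime": "2026-03-10T09:20:00+00:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "sessionId": "sess-a1", "authenticationProtocol": "oAuth2"},
    {"createdDateTime": "2026-03-10T10:05:00+00:00", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.9", "sessionId": "sess-b1", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2026-03-10T08:00:00+00:00", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.25", "sessionId": "sess-c1", "authenticationProtocol": "oAuth2"},
    {"createdDateTime": "2026-03-10T11:30:00+00:00", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.25", "sessionId": "sess-c1", "authenticationProtocol": "oAuth2"},
]

# Constructed audit records. "initiatedBy" is flattened to a UPN here (assumption);
# the real audit log nests it under initiatedBy.user.userPrincipalName.
AUDITS = [
    {"activityDateTime": "2026-03-10T09:45:00+00:00", "activityDisplayName": "Register device",
     "initiatedBy": "alice@example.com"},
    {"activityDateTime": "2026-03-10T12:00:00+00:00", "activityDisplayName": "Register device",
     "initiatedBy": "carol@example.com"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def session_replays(signins, window=timedelta(hours=24)):
    """One sessionId used from two different IPs within the window.

    An AiTM proxy hands the attacker a session cookie minted for the victim's
    browser; the first use from a new IP is the replay. An IP change alone is
    not proof (VPNs, mobile networks), so enrich hits with ASN/geo before acting.
    """
    by_session = defaultdict(list)
    for rec in signins:
        by_session[rec["sessionId"]].append(rec)
    hits = []
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: _ts(r["createdDateTime"]))
        origin = recs[0]
        for later in recs[1:]:
            gap = _ts(later["createdDateTime"]) - _ts(origin["createdDateTime"])
            if later["ipAddress"] != origin["ipAddress"] and gap <= window:
                hits.append({"user": origin["userPrincipalName"], "sessionId": sid,
                             "origin_ip": origin["ipAddress"], "replay_ip": later["ipAddress"],
                             "first_replay": later["createdDateTime"]})
                break
    return hits


def device_code_signins(signins):
    """Device code flow sign-ins; rare for most users and abused by Tycoon 2FA variants."""
    return [r for r in signins if r.get("authenticationProtocol") == "deviceCode"]


def device_registrations_after_suspicious(signins, audits, window=timedelta(hours=6)):
    """Device registrations shortly after a session replay or device code sign-in
    by the same user: the persistence step that yields a primary refresh token."""
    suspicious_at = defaultdict(list)
    for hit in session_replays(signins):
        suspicious_at[hit["user"]].append(_ts(hit["first_replay"]))
    for rec in device_code_signins(signins):
        suspicious_at[rec["userPrincipalName"]].append(_ts(rec["createdDateTime"]))
    hits = []
    for audit in audits:
        if audit["activityDisplayName"] != "Register device":
            continue
        when = _ts(audit["activityDateTime"])
        for t in suspicious_at.get(audit["initiatedBy"], []):
            if timedelta(0) <= when - t <= window:
                hits.append({"user": audit["initiatedBy"], "registered_at": audit["activityDateTime"],
                             "suspicious_at": t.isoformat()})
                break
    return hits


if __name__ == "__main__":
    for hit in session_replays(SIGNINS):
        print("session replay:", hit)
    for rec in device_code_signins(SIGNINS):
        print("device code sign-in:", rec["userPrincipalName"], rec["createdDateTime"])
    for hit in device_registrations_after_suspicious(SIGNINS, AUDITS):
        print("device registered after suspicious sign-in:", hit)
```

On the sample data this flags alice's session replay, bob's device code sign-in, and alice's device registration 25 minutes after the replay, while carol's same-IP re-use and unrelated device registration stay quiet. The third check is the one to prioritise: a replayed session can be cut off by revoking sessions, but a registered device holding a PRT survives that revocation, so the device itself has to be removed.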
Tradecraft
18 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
19 sources tracked across advisories, community write-ups, and news.
Operates, or is attributed as the operator of, the Tycoon 2FA phishing-as-a-service campaign, conducting adversary-in-the-middle phishing to steal authenticated session tokens from Microsoft 365 and Google Workspace accounts and bypass MFA.
Highly prolific AiTM phishing platform responsible for a large share of Microsoft-blocked AiTM phishing attempts, which resumed operations rapidly after the disruption.
Highly prolific adversary-in-the-middle phishing platform operating at large scale before and after law-enforcement disruption.
Attributed operator of the Tycoon 2FA phishing-as-a-service platform, conducting adversary-in-the-middle phishing to bypass MFA, steal authenticated session tokens, abuse OAuth device code flows, perform post-compromise reconnaissance in Microsoft 365/Entra ID, and establish persistence via device registration and primary refresh tokens.