Tycoon 2FA
Tycoon 2FA is a phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) phishing kit first observed in August 2023. It is widely described as one of the most prolific AiTM phishing platforms and has been attributed by Microsoft to Storm-1747. The kit primarily targets Microsoft 365, Microsoft Entra ID, Outlook/Hotmail, SharePoint, OneDrive, Gmail, and Google Workspace accounts, with reporting also noting targeting of Okta and ADFS-backed enterprise identity flows. Its core purpose is to steal usernames, passwords, MFA codes, authenticated session cookies, and session tokens by proxying legitimate authentication flows in real time, allowing attackers to bypass traditional MFA and take over accounts.
Tycoon 2FA is sold or rented to affiliates as a turnkey service, including a web-based administration panel, campaign management features, templates, lure attachments, redirect logic, victim tracking, and API support. Reported delivery methods include phishing emails containing links or QR codes, often embedded in PDF, SVG, HTML, or PowerPoint attachments, as well as use of compromised accounts for follow-on distribution (“ATO Jumping”). Lures have impersonated voicemail notifications, invoices, document-sharing prompts, account-security alerts, and ICANN-related verification notices. The kit can dynamically load victim organization branding to produce convincing Microsoft or Google login pages.
The platform uses extensive anti-analysis and evasion tradecraft. Reported features include browser fingerprinting, CAPTCHA or fake HumanCheck gates, filtering of cloud/hosting/security-vendor IP ranges, checks for navigator.webdriver, PhantomJS artifacts, and Burp-related user agents, suppression of developer tools and right-click, debugger timing traps, heavy client-side obfuscation, per-victim encrypted payloads, DOM self-removal after execution, rapid domain rotation, abuse of Cloudflare Workers, and use of open redirects. Some reporting describes WebSocket/Socket.IO-based real-time relay for classic credential/session theft.
Multiple sources describe a Microsoft-focused persistence mechanism in which operators register a rogue device in Entra ID and obtain a primary refresh token, allowing continued access even after session revocation. Reporting also states Tycoon 2FA operators repurposed the framework in 2026 for OAuth device-code phishing against Microsoft 365, coercing victims to complete legitimate microsoft.com/devicelogin flows for the Microsoft Authentication Broker application (AppId 29d9ed98-a469-4536-ade2-f981bc1d605e). In that variant, the attack relied on user authorization of token issuance rather than direct password theft. Elastic also documented Google-related OAuth usage, including client ID 77185425430.apps.googleusercontent.com and scope https://www.google.com/accounts/OAuthLogin.
Observed infrastructure and telemetry in reporting include phishing chains using Trustifi click-tracking URLs, Cloudflare Workers subdomains, Tycoon 2FA “Check Domain” logic, and backend communications protected with CryptoJS AES-CBC using hardcoded key/IV 1234567890123456 in some variants. Reported operator activity included Node.js-style user agents such as "node," "axios," "node-fetch," and "undici," and Alibaba Cloud AS45102 infrastructure in the 2026 device-code campaign. Example domains and URLs cited in reporting include cookies[.]28gholland[.]workers[.]dev, shivacrio[.]com/bytecore~tx1j8, fijothi[.]com, and phishing infrastructure on newly registered .contractors domains and other lookalike domains.
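As an added defender-side illustration (not code from the page or from any of the vendor reports it summarizes), the following Python scores sign-in records against three indicators cited above: a device-code grant to the Microsoft Authentication Broker AppId, a Node.js-style user agent, and the Alibaba Cloud ASN. The Microsoft Graph signIn field names are an assumed log schema and the sample records are constructed.

```python
# Values taken from the reporting summarized on this page.
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
NODE_USER_AGENTS = ("node", "axios", "node-fetch", "undici")
REPORTED_ASNS = {45102}  # Alibaba Cloud, seen in the 2026 device-code campaign


def ua_is_node_like(user_agent: str) -> bool:
    """True when the UA is a bare Node.js HTTP client name such as 'axios/1.6.0'."""
    ua = user_agent.strip().lower()
    return any(ua == tag or ua.startswith(tag + "/") for tag in NODE_USER_AGENTS)


def score_sign_in(record: dict) -> list[str]:
    """Independent reasons one sign-in resembles the reported tradecraft (assumed Graph signIn field names)."""
    reasons = []
    if record.get("authenticationProtocol") == "deviceCode":
        if record.get("appId") == AUTH_BROKER_APP_ID:
            reasons.append("device-code grant to Microsoft Authentication Broker")
        else:
            reasons.append("device-code grant")
    if ua_is_node_like(record.get("userAgent", "")):
        reasons.append("Node.js-style user agent")
    if record.get("autonomousSystemNumber") in REPORTED_ASNS:
        reasons.append("ASN reported as campaign infrastructure")
    return reasons


def find_suspicious(records: list[dict]) -> list[tuple[str, list[str]]]:
    """Require two reasons so a lone legitimate device-code enrolment does not alert."""
    hits = []
    for rec in records:
        reasons = score_sign_in(rec)
        if len(reasons) >= 2:
            hits.append((rec["userPrincipalName"], reasons))
    return hits


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE_SIGN_INS = [  # constructed records, not real telemetry; ASN 8075 is a benign filler value
    {"userPrincipalName": "alice@example.test", "appId": AUTH_BROKER_APP_ID,
     "authenticationProtocol": "deviceCode", "userAgent": "axios/1.6.0",
     "autonomousSystemNumber": 45102},
    {"userPrincipalName": "bob@example.test", "appId": "placeholder-app-id",
     "authenticationProtocol": "oAuth2", "userAgent": BROWSER_UA,
     "autonomousSystemNumber": 8075},
    {"userPrincipalName": "carol@example.test", "appId": AUTH_BROKER_APP_ID,
     "authenticationProtocol": "deviceCode", "userAgent": BROWSER_UA,
     "autonomousSystemNumber": 8075},
]
```

Only alice is flagged: carol's device-code sign-in to the broker from a browser is left as a single weak reason, which is the noise floor a real deployment would tune against its own Intune or Autopilot enrolment baseline.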
Tycoon 2FA has been linked to very large-scale phishing activity. Microsoft reported that by mid-2025 it accounted for about 62% of phishing attempts the company blocked, reached more than 500,000 organizations per month, and generated tens of millions of phishing emails monthly, including more than 30 million in a peak month. Reporting also cites roughly 96,000 distinct victims since 2023, including more than 55,000 Microsoft customers. Healthcare and education are repeatedly identified as heavily impacted sectors, though finance, government, non-profit, legal, real estate, construction, and technology organizations are also mentioned.
In March 2026, Microsoft, Europol, and multiple public- and private-sector partners disrupted Tycoon 2FA infrastructure, seizing approximately 330 domains associated with control panels and phishing pages. Despite that action, several sources report that operators or cloned deployments resumed activity within weeks, and that Tycoon 2FA code, tooling, and tradecraft continued to circulate across independent or modified deployments and related phishing ecosystems. Downstream impacts associated with Tycoon 2FA-enabled compromises include account takeover, data theft, business email compromise, wire fraud, financial fraud, resale of access, and potential ransomware follow-on activity.
Groups observed using it
1 distinct threat actor attributed by public researchers.
A powerful phishing kit known as Tycoon 2FA has been making waves across the cybersecurity world since it first appeared in August 2023. The kit operates as a Phishing-as-a-Service (PhaaS) platform... Its primary goal is to steal authenticated session tokens from Microsoft 365 and Google Workspace accounts by sitting silently between the victim and the real login page.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (2 techniques)
Resource Development (1 technique)
Initial Access (4 techniques)
A single successful consent yields working tokens for the entire Microsoft 365 surface area while appearing in Entra telemetry as a normal Microsoft application. | The broader shift toward abusing OAuth Device Authorization Grant flows to compromise Microsoft 365 accounts... The phish does not bypass MFA - it changes what MFA is being used to authorize.
The attack begins with a phishing email carrying a link or QR code embedded in a PDF, SVG, HTML, or PowerPoint file.
Phishing messages are crafted in a targeted way for different organizations and user roles, which increases the likelihood of success. | The service's customers in turn exploit hijacked legitimate domains and hosting services to redirect victims onward to this phishing infrastructure.
Execution (1 technique)
Persistence (5 techniques)
The kit uses the urn:ms-drs:enterpriseregistration.windows.net access token to POST endpoint EnrollmentServer/device... DRS creates a device object, assigns a device ID, signs and returns a device certificate.
Privilege Escalation (3 techniques)
Stealth (7 techniques)
The web pages used by Saiga feature the widely used ‘lorem ipsum’ pseudo-Latin placeholder text in the metadata fields. This text is semantically meaningless and does not indicate the page’s purpose or function, helping attackers to avoid triggering keyword-based detection systems and brand impersonation heuristics.
It filters visitors from cloud and hosting IP ranges, blocks developer tools, detects automation frameworks, and removes its own malicious code from the page after execution.
Defense Impairment (1 technique)
Credential Access (6 techniques)
...harvest Microsoft credentials and tokens in real-time, effectively allowing the threat actors to bypass multi-factor authentication (MFA).
The attack begins when a victim clicks a Trustifi click-tracking URL in a lure email and culminates in the victim unknowingly granting OAuth tokens to an attacker-controlled device through Microsoft's legitimate device-login flow...
The AitM component snatches this valid code, relays it to the real server, successfully completes the session, and exfiltrates the long-lived session token (Session Cookies).
The kit can register a rogue device in Entra ID, obtaining a primary refresh token that stays valid even after a defender revokes the compromised user’s sessions.
Discovery (6 techniques)
Lateral Movement (1 technique)
Collection (1 technique)
Command and Control (3 techniques)
Elastic said in a report that the kit uses two structural variants, WebSocket-based session relay and device-code-grant abuse, to carry out attacks against different cloud identity platforms.
IOCs tracked for this family
16 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
18 sources tracked across advisories, community write-ups, and news.
Tycoon 2FA is a phishing-as-a-service adversary-in-the-middle kit that steals authenticated session tokens from Microsoft 365 and Google Workspace users, allowing attackers to bypass MFA. It uses reverse-proxy relays, WebSocket-based session relay, and device-code-grant abuse, and can establish persistence by registering rogue devices in Entra ID to obtain primary refresh tokens.
An adversary-in-the-middle phishing kit and PhaaS platform that proxies real Microsoft 365/Entra ID and Google Workspace login flows, captures post-MFA session tokens, and enables account takeover. The Microsoft-focused variant also abuses OAuth device code flow and can register rogue devices to obtain a primary refresh token for persistence.
Tycoon 2FA is a phishing-as-a-service kit used to compromise Microsoft 365 accounts. In this campaign it was repurposed from credential-relay phishing to OAuth device-code phishing, using layered in-browser delivery, anti-analysis checks, Check Domain gating, and AES-encrypted backend coordination to obtain Microsoft-issued tokens without directly capturing passwords.
A phishing-as-a-service platform and adversary-in-the-middle phishing kit used to bypass MFA, capture session cookies in real time, and compromise accounts at scale. The content also notes anti-analysis, anti-debugging, and redirection capabilities, and that cloned or modified variants continue circulating after infrastructure takedown.