
When MFA Fails – Inside the Tycoon2FA Phishing Platform

Published: April 10, 2026

Expert: Lorenzo Minga

Role: Security Analyst

Specialises in: Incident Response and Threat Hunting

What you will learn:

This report provides an in‑depth analysis of the Tycoon2FA phishing‑as‑a‑service platform, including how it bypasses MFA and harvests credentials through session authentication cookies. In addition, the report outlines recommended mitigation strategies to help prevent and detect this phishing technique.

“Roses are red, intel is due, the Tycoon is back and is coming for you...”

What is Tycoon2FA phishing?

Tycoon2FA is a phishing-as-a-service (PhaaS) platform first observed in August 2023. It enables large-scale phishing campaigns by providing ready-made tools to cybercriminals.

Developed by the threat actor known as “Storm-1747”, the platform uses adversary-in-the-middle (AiTM) techniques to intercept login sessions and bypass multifactor authentication.

Tycoon2FA has been used in campaigns targeting a wide range of sectors, including education, healthcare, finance, government, and non-profits. At its peak, it supported phishing operations sending tens of millions of messages monthly, impacting over 500,000 organisations worldwide.

This matters because many organisations assume MFA provides sufficient protection against phishing. Platforms like Tycoon2FA are specifically designed to bypass those controls, turning trusted authentication into an attack vector.

How does Tycoon2FA phishing work?

Tycoon2FA campaigns typically begin with phishing emails containing malicious links or attachments. Common lure formats include:

  • PDF or Word files with QR codes
  • SVG or HTML attachments with hidden redirect logic
  • Links disguised as trusted services

These emails use pre-built templates that impersonate services like Microsoft 365, Okta, OneDrive, and DocuSign. Some campaigns also hijack legitimate email threads from compromised accounts to appear more convincing.

Once a victim interacts with the lure, they are redirected to a fake login page hosted by Tycoon2FA. Using AiTM techniques, the attacker captures login credentials and session tokens, allowing them to bypass MFA and gain account access.

Typical attack flow:

  1. User receives phishing email or QR lure
  2. User is redirected to a fake login page
  3. Attacker proxies the real authentication session
  4. Credentials and session tokens are captured
  5. Attacker gains authenticated access without needing MFA

How Tycoon2FA Takes Over

Caption: A Stripe OLT investigation demonstrating how a fake DocuSign page prompts verification via a real Microsoft login page, compromising the user’s access.

Once a user clicks a phishing link and lands on a masqueraded login page, Tycoon2FA initiates an AiTM attack. Instead of simply stealing credentials, it proxies the real authentication session between the victim and the legitimate service.

In the example above, the victim is presented with:

  • A fake DocuSign-themed page prompting verification
  • A real Microsoft login page requesting a device authentication code

The phishing site instructs the user to copy a code from the fake page and enter it into the legitimate Microsoft login window. This is a device code phishing flow, designed to trick the user into authorising access.

Caption: A typical device code phishing flow involving Tycoon2FA.
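As an added example (not code from the original report or from Stripe OLT), the two sign-in patterns described in the attack flow and the device code section above can be hunted for in sign-in logs: a device code authentication redeemed from an untrusted address, and a session identifier reused from a second address shortly after the first. The records, the trusted range and the field names are constructed assumptions, not the Entra ID sign-in log schema.

```python
"""Flag sign-in records matching the device code and AiTM session-replay patterns.

Rule 1: a deviceCode authentication redeemed from an IP outside trusted ranges
        (the user typed the code into the real login page, but the token was
        issued to the device that started the flow).
Rule 2: one session identifier seen from two different IPs inside a short window
        (a captured session cookie being replayed from elsewhere).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions loosely modelled on
# sign-in logs, not the real schema. Adapt the keys to your SIEM export.
SAMPLE_SIGNINS = [
    {"time": "2026-04-01T09:00:00", "user": "alice@example.org", "ip": "10.0.1.20",
     "protocol": "oAuth2", "session": "sess-A"},
    {"time": "2026-04-01T09:05:00", "user": "alice@example.org", "ip": "198.51.100.7",
     "protocol": "deviceCode", "session": "sess-B"},
    {"time": "2026-04-01T10:00:00", "user": "bob@example.org", "ip": "10.0.1.31",
     "protocol": "oAuth2", "session": "sess-C"},
    {"time": "2026-04-01T10:12:00", "user": "bob@example.org", "ip": "203.0.113.55",
     "protocol": "oAuth2", "session": "sess-C"},
    {"time": "2026-04-01T11:00:00", "user": "carol@example.org", "ip": "10.0.1.40",
     "protocol": "deviceCode", "session": "sess-D"},
]

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range


def _trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious(signins, window=timedelta(hours=1)):
    """Return (rule, user, detail) tuples for every record matching a rule."""
    hits = []
    by_session = defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["time"]):
        if rec["protocol"] == "deviceCode" and not _trusted(rec["ip"]):
            hits.append(("device_code_untrusted_ip", rec["user"], rec["ip"]))
        by_session[rec["session"]].append(rec)
    for sid, recs in by_session.items():
        for earlier, later in zip(recs, recs[1:]):  # consecutive uses of one session
            t0 = datetime.fromisoformat(earlier["time"])
            t1 = datetime.fromisoformat(later["time"])
            if earlier["ip"] != later["ip"] and t1 - t0 <= window:
                hits.append(("session_replay_new_ip", later["user"],
                             f"{sid}: {earlier['ip']} -> {later['ip']}"))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_SIGNINS):
        print(*hit)
```

Carol's device code sign-in from the trusted range is deliberately not flagged, since device code authentication is legitimate on browserless devices; the trusted-range check is what separates that from the redirected flow.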

Real World Incidents

Tycoon2FA has been linked to large-scale global phishing campaigns, impacting organisations across critical sectors.

Mitigation Strategies

The following configurations and controls help prevent an account takeover of this kind:

  • Apply Conditional Access and require secure authentication for privileged and high-risk accounts.
  • Enforce phishing-resistant authentication: passwordless sign-in and phishing-resistant MFA methods such as FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator passkeys.
  • Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine already-delivered mail in response to newly acquired threat intelligence.
  • Configure automatic attack disruption in Microsoft Defender XDR.
  • In Microsoft Defender for Endpoint, enable network protection and cloud-delivered protection to block phishing campaigns.
  • Enable Safe Links and Safe Attachments to protect against malicious URLs and files in email and collaboration tools.
  • Crucially, educate users to recognise and report phishing emails and associated threats.

A Broader Shift

Tycoon2FA highlights a broader shift in phishing. Attackers are no longer trying to bypass authentication controls directly; they are exploiting how those controls are used in practice.

MFA remains critical, but it is no longer a standalone defence. Session-based attacks, device code phishing, and adversary-in-the-middle techniques are changing what “secure authentication” looks like.

For organisations, the priority is clear. Trust must move beyond credentials and authentication prompts, towards continuous verification, stronger identity controls, and user awareness that reflects how modern phishing actually operates.
