
Tycoon2FA Phishing-as-a-Service Takedown

3 unique sources, 6 articles

Summary


Tycoon2FA is a subscription-based phishing-as-a-service (PhaaS) platform, active since August 2023, that bypasses multi-factor authentication (MFA) using adversary-in-the-middle techniques against major services such as Microsoft 365 and Google. It has since expanded its capabilities to include device-code phishing attacks that target Microsoft 365 accounts through OAuth 2.0 device authorization grant flows. By mid-2025 it had been linked to over 64,000 phishing incidents and had facilitated unauthorized access to nearly 100,000 organizations globally. The primary operator, identified as 'SaaadFridi' and 'Mr_Xaad,' remains at large. The platform’s infrastructure relies on adversary-in-the-middle techniques, AI-generated decoy pages, and short-lived domains to evade detection, while customers employ tactics such as ATO Jumping to distribute phishing URLs. The platform was disrupted in a March 4, 2026 global takedown led by Europol’s EC3 and law enforcement from six European countries, but resumed operations within days at pre-disruption levels. Since the disruption, Tycoon2FA operators have continued to develop the kit, adding device-code phishing capabilities that abuse Trustifi click-tracking URLs and OAuth 2.0 flows. The kit now includes a four-layer in-browser delivery chain, fake Microsoft CAPTCHA pages, and extensive anti-analysis protections to evade detection and analysis. Post-compromise activity includes business email compromise (BEC), email thread hijacking, cloud account takeovers, and malicious SharePoint links; old infrastructure remains active and new domains are registered quickly.

Timeline

  1. 04.03.2026 18:00 · 6 articles

    Global Takedown of Tycoon2FA Phishing-as-a-Service

    A global operation led by Microsoft and Europol, supported by multiple industry partners, seized infrastructure linked to the Tycoon2FA phishing-as-a-service (PhaaS) operation. Over 330 domains were seized, and the primary operator, identified as using the online identities 'SaaadFridi' and 'Mr_Xaad,' remains at large. The operation was coordinated by Europol and involved law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom. The investigation began after intelligence was shared by Trend Micro. Tycoon2FA was linked to over 64,000 phishing incidents and facilitated unauthorized access to nearly 100,000 organizations globally.

    Following the takedown, Tycoon2FA rapidly recovered to pre-disruption operational levels within days. Initial disruption reduced daily campaigns to 25% of pre-disruption levels, but operators quickly restored operations using compromised domains, legitimate cloud services, IPv6-based automated logins, and AI-generated decoy pages. CrowdStrike observed at least 30 suspected Tycoon2FA-enabled phishing incidents between March 4 and March 6. The platform resumed activity with largely unchanged tactics, techniques, and procedures (TTPs), supporting a diverse set of illegal activities, including business email compromise (BEC), email thread hijacking, cloud account takeovers, and malicious SharePoint links. Post-compromise activities observed include the creation of inbox rules, hidden folders for fraud emails, and preparation for BEC operations. Old infrastructure remained active after the disruption, while new phishing domains and IP addresses were registered quickly following the law enforcement operation.

    Recent developments reveal that Tycoon2FA operators have expanded the phishing kit to include device-code phishing capabilities, leveraging OAuth 2.0 device authorization grant flows to compromise Microsoft 365 accounts. The kit now abuses Trustifi click-tracking URLs as part of a four-layer in-browser delivery chain, using fake Microsoft CAPTCHA pages and extensive anti-analysis protections. The phishing flow results in Microsoft issuing OAuth access and refresh tokens to attacker-controlled devices, granting unrestricted access to victims' Microsoft 365 data and services. The kit includes a blocklist of 230 vendor names and employs anti-scanning and anti-sandboxing measures to evade detection and analysis.



Similar Happenings

Disruption of W3LL phishing ecosystem linked to $20 million in fraud

US and Indonesian authorities dismantled the W3LL phishing platform in a coordinated takedown, seizing infrastructure and arresting the alleged developer responsible for a modular phishing kit that facilitated over $20 million in fraud. The operation targeted a full-service cybercrime platform that enabled credential harvesting via spoofed Microsoft 365 login pages, allowed bypassing multi-factor authentication through adversary-in-the-middle techniques, and supported business email compromise (BEC) attacks from initial access through post-exploitation. The W3LL ecosystem operated from 2019 to 2023 as a members-only marketplace before persisting through encrypted channels, with operations spanning over 17,000 victims globally between 2023 and 2025.

Abuse of Bubble AI app builder infrastructure in credential phishing campaigns targeting Microsoft accounts

Threat actors are leveraging the no-code AI-powered app-building platform Bubble to host and deliver credential phishing web apps targeting Microsoft accounts. The malicious apps, hosted on Bubble’s trusted *.bubble.io domain, evade email security controls by bypassing static and automated analysis due to their complex JavaScript and Shadow DOM structures. Users are redirected to phishing portals mimicking Microsoft login interfaces, often protected by Cloudflare checks, to harvest credentials for Microsoft 365 access, including email, calendar, and sensitive data.

Widespread OAuth Device Code Phishing Campaign Targets Microsoft 365 via EvilTokens PhaaS

Since mid-February 2026, a large-scale device code phishing campaign has targeted Microsoft 365 across at least 340 organizations in over 10 countries, escalating 37.5x in early April. The campaign abuses OAuth device authorization flows via the EvilTokens PhaaS platform and at least 10 additional phishing kits (VENOM, DOCUPOLL, SHAREFILE, etc.), granting persistent access tokens even after password resets. Attacks incorporate anti-bot evasion, multi-hop redirect chains via vendor services, and SaaS-themed lures, while mitigation focuses on disabling device code flows and monitoring anomalous authentications. Credential exposures like the Figure breach (967,200 email records) enable follow-on campaigns—credential stuffing, AI-generated phishing, and help desk social engineering—that bypass legacy MFA through real-time phishing relays and social engineering. Legacy MFA and even FIDO2 passkeys are structurally unable to prevent these attacks, which rely on human judgment at critical control points. Phishing-resistant authentication requires cryptographic origin binding, hardware-bound keys, and live biometric verification to close relay and delegation vectors.

Darktrace Detects 32 Million Phishing Emails in 2025 as Identity Attacks Surge

Darktrace detected over 32 million high-confidence phishing emails in 2025, indicating a significant rise in identity-driven cyber threats. The report highlights the increasing sophistication of phishing tactics, including the use of newly created domains, malicious QR codes, and novel social engineering techniques. Identity compromise has overtaken vulnerability exploitation as the primary entry vector, with attackers leveraging stolen credentials and hijacked tokens to gain access. The report also reveals regional and sector-specific trends, with the Americas accounting for 47% of global security events and manufacturing being a major target for ransomware.

Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks

A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services such as Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller runs a headless Chrome instance inside a Docker container that acts as a reverse proxy between the target and the legitimate site, serving genuine page content and making the kit difficult for security vendors to detect or block. It integrates URL shorteners such as TinyURL to obscure the destination URL. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure. The service is part of a broader cybercrime offering by a threat group called Jinkusu, which provides additional features such as email harvesting and campaign analytics. The platform centralizes infrastructure management, phishing page deployment, and session monitoring within a single control panel, combining URL masking, session hijacking, and MFA bypass to streamline phishing operations.