
Europol, Microsoft, TrendAI™ and Collaborators Halt Tycoon 2FA Operations

A coordinated international law enforcement and private sector operation successfully disrupted Tycoon 2FA, a prominent Phishing-as-a-Service (PhaaS) platform. The service enabled low-skill attackers to bypass multi-factor authentication (MFA) using adversary-in-the-middle (AitM) techniques to harvest credentials and session cookies, which were subsequently used for BEC and ransomware attacks.

Confidence: high
Analyzed: 2026-03-04

Authors: Christopher Boyton, Mayra Rosario Fuentes, Stephen Hilt

Actors: Tycoon 2FA, SaaadFridi, Mr_Xaad

Source: Trend Micro

Key Takeaways

  • Tycoon 2FA, a major Phishing-as-a-Service (PhaaS) platform, was taken offline in a coordinated law enforcement and private sector operation.
  • The platform utilized adversary-in-the-middle (AitM) proxying to bypass traditional MFA and capture session cookies in real time.
  • Over 300 domains tied to Tycoon 2FA were seized, disrupting a service that had approximately 2,000 users and utilized over 24,000 domains since August 2023.
  • TrendAI™ linked the operation to an actor using the monikers 'SaaadFridi' and 'Mr_Xaad', who previously focused on web defacements.
  • Victimology data indicates the majority of targets were located in the United States (51.9%), followed by the UK, Germany, Norway, and Canada.
  • Stolen sessions from Tycoon 2FA frequently fed into broader cybercrime ecosystems, enabling Business Email Compromise (BEC), data theft, and ransomware.

Affected Systems

  • Microsoft 365
  • Google Workspace
  • SSO Platforms
  • GoDaddy
  • ADFS
  • Okta

Attack Chain

Attackers subscribe to the Tycoon 2FA PhaaS platform to deploy ready-to-use phishing toolkits with minimal setup. The toolkit uses an adversary-in-the-middle (AitM) proxy to sit between the victim and legitimate login pages (such as Microsoft 365 or Google). As the victim logs in, the proxy captures credentials, MFA codes, and session cookies in real time. These stolen session cookies are then replayed by attackers or sold to access brokers to bypass MFA and facilitate follow-on attacks such as Business Email Compromise (BEC), data theft, or ransomware deployment.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: Low — AitM phishing primarily occurs at the network and identity provider level, capturing session cookies before any malicious payload reaches the endpoint EDR.
  • Network Visibility: High — Network logs, proxy logs, and email gateways are primary detection points for identifying AitM domains, anomalous login locations, and suspicious proxy traffic.
  • Detection Difficulty: Moderate — Detecting AitM requires correlating impossible travel, anomalous session cookie usage from new ASNs, and new device logins, which can be prone to false positives if not tuned correctly.

Required Log Sources

  • Email Gateway Logs
  • Web Proxy Logs
  • Identity Provider (IdP) Sign-in Logs
  • MFA Telemetry
  • Cloud Audit Logs

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
| --- | --- | --- | --- |
| Look for successful logins originating from anomalous or previously unseen IP addresses/ASNs immediately following an MFA challenge, indicating potential session cookie replay. | IdP Sign-in Logs | Credential Access | Medium |
| Search for multiple failed login attempts followed by a successful login and immediate changes to inbox rules or MFA device registration. | Cloud Audit Logs | Persistence | Low |
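The two hypotheses above are easiest to reason about when run against concrete telemetry. The following is an added example written for this summary, not code from the Trend Micro report or from any vendor product: it evaluates both hypotheses over a handful of constructed, normalised sign-in and audit events. The field names (`ts`, `user`, `type`, `result`, `asn`, `mfa_challenged`, `action`), the per-user ASN baseline and the persistence action names are assumptions of the example, chosen to stand in for whatever the IdP and cloud audit log schema actually provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for illustration (none of it comes from the report).
# Each record is a normalised event from either IdP sign-in logs ("signin") or
# cloud audit logs ("audit"); the field names are assumptions of this example.
EVENTS = [
    # alice: MFA-satisfied login from her usual ASN, then a success 90 s later from a
    # never-before-seen ASN with no MFA prompt, the pattern of a replayed session cookie.
    {"ts": "2026-03-01T09:00:00", "user": "alice", "type": "signin",
     "result": "success", "asn": "AS64500", "mfa_challenged": True},
    {"ts": "2026-03-01T09:01:30", "user": "alice", "type": "signin",
     "result": "success", "asn": "AS64510", "mfa_challenged": False},
    # bob: three failures, then a success, then a new inbox rule within minutes.
    {"ts": "2026-03-01T10:00:00", "user": "bob", "type": "signin",
     "result": "failure", "asn": "AS64520", "mfa_challenged": False},
    {"ts": "2026-03-01T10:00:40", "user": "bob", "type": "signin",
     "result": "failure", "asn": "AS64520", "mfa_challenged": False},
    {"ts": "2026-03-01T10:01:20", "user": "bob", "type": "signin",
     "result": "failure", "asn": "AS64520", "mfa_challenged": False},
    {"ts": "2026-03-01T10:03:00", "user": "bob", "type": "signin",
     "result": "success", "asn": "AS64520", "mfa_challenged": True},
    {"ts": "2026-03-01T10:04:00", "user": "bob", "type": "audit",
     "action": "inbox_rule_created"},
    # carol: ordinary MFA login from her baseline ASN; should produce no hits.
    {"ts": "2026-03-01T11:00:00", "user": "carol", "type": "signin",
     "result": "success", "asn": "AS64530", "mfa_challenged": True},
]

# Per-user baseline of ASNs seen over a prior learning period (constructed).
BASELINE_ASNS = {"alice": {"AS64500"}, "bob": {"AS64520"}, "carol": {"AS64530"}}

# Normalised audit actions treated as persistence (names are this example's own).
PERSISTENCE_ACTIONS = {"inbox_rule_created", "inbox_rule_modified", "mfa_method_registered"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _by_user(events, only_type=None):
    """Group events per user in time order, optionally keeping one event type."""
    grouped = defaultdict(list)
    for e in sorted(events, key=_ts):
        if only_type is None or e["type"] == only_type:
            grouped[e["user"]].append(e)
    return grouped


def hunt_session_replay(events, baseline, window=timedelta(minutes=10)):
    """Hypothesis 1: a success that satisfied MFA, followed within `window` by
    another success from an ASN outside the user's baseline with no MFA
    challenge. That second login is consistent with a replayed session cookie."""
    hits = []
    for user, evs in _by_user(events, "signin").items():
        known = baseline.get(user, set())
        for i, first in enumerate(evs):
            if not (first["result"] == "success" and first["mfa_challenged"]):
                continue
            for later in evs[i + 1:]:
                if _ts(later) - _ts(first) > window:
                    break
                if (later["result"] == "success" and not later["mfa_challenged"]
                        and later["asn"] not in known):
                    hits.append({"hypothesis": "session_replay", "user": user,
                                 "mfa_asn": first["asn"], "replay_asn": later["asn"],
                                 "ts": later["ts"]})
    return hits


def hunt_failures_then_persistence(events, min_failures=3,
                                   login_window=timedelta(minutes=15),
                                   persist_window=timedelta(minutes=30)):
    """Hypothesis 2: at least `min_failures` failed sign-ins inside `login_window`,
    then a success, then an inbox-rule or MFA-registration change within
    `persist_window` of that success."""
    hits = []
    for user, evs in _by_user(events).items():
        for i, succ in enumerate(evs):
            if succ["type"] != "signin" or succ["result"] != "success":
                continue
            failures = [p for p in evs[:i]
                        if p["type"] == "signin" and p["result"] == "failure"
                        and _ts(succ) - _ts(p) <= login_window]
            if len(failures) < min_failures:
                continue
            for later in evs[i + 1:]:
                if _ts(later) - _ts(succ) > persist_window:
                    break
                if later["type"] == "audit" and later["action"] in PERSISTENCE_ACTIONS:
                    hits.append({"hypothesis": "failures_then_persistence", "user": user,
                                 "failed_attempts": len(failures), "action": later["action"],
                                 "ts": later["ts"]})
    return hits


if __name__ == "__main__":
    for hit in hunt_session_replay(EVENTS, BASELINE_ASNS) + hunt_failures_then_persistence(EVENTS):
        print(hit)
```

The window sizes and the failure threshold are the tuning knobs the assessment above refers to: widening `window` or loosening the ASN baseline catches more replay but raises false positives from mobile users who switch networks, which is why the first hypothesis carries Medium FP risk while the second, which needs a persistence change as a second signal, carries Low.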

Control Gaps

  • Traditional MFA (SMS/TOTP) without FIDO2 or phishing-resistant controls
  • Lack of session binding to specific devices or IP addresses
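The second control gap is what makes the attack chain work: a session cookie captured by the AitM proxy is accepted from wherever it is presented. The following is an added example, not code from the report or from any of the affected platforms, showing the server-side half of session binding: the cookie minted after MFA carries an HMAC-protected fingerprint of the client that completed MFA, and a cookie replayed from a different network is rejected. The fingerprint material (source ASN plus user agent), the cookie layout and the function names are this example's own assumptions; a production deployment would bind to a hardware-backed device key rather than to network attributes.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Server-side HMAC key for the example; constructed here, in production it would
# come from a secret store and be rotated.
SERVER_KEY = secrets.token_bytes(32)


def client_fingerprint(client_asn: str, user_agent: str) -> str:
    """Coarse binding material: the ASN the request arrives from plus the user
    agent. This is an assumption of the example; stronger deployments bind the
    session to a device-held key instead of network attributes."""
    return hashlib.sha256(f"{client_asn}|{user_agent}".encode()).hexdigest()


def issue_session(user: str, client_asn: str, user_agent: str,
                  key: bytes = SERVER_KEY) -> str:
    """Mint a session cookie after MFA succeeds. The cookie carries the user, a
    random session id and the fingerprint of the client that completed MFA,
    all covered by an HMAC so none of it can be edited client-side."""
    payload = json.dumps({"sid": secrets.token_urlsafe(24), "user": user,
                          "fp": client_fingerprint(client_asn, user_agent)},
                         sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def validate_session(cookie: str, client_asn: str, user_agent: str,
                     key: bytes = SERVER_KEY):
    """Return (user, "ok") when the cookie is intact and presented by the client
    it was bound to, otherwise (None, reason). A cookie captured by an AitM proxy
    and replayed from the attacker's network fails with "binding_mismatch"."""
    try:
        encoded, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, TypeError):
        return None, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None, "bad_mac"
    data = json.loads(payload)
    if not hmac.compare_digest(data["fp"], client_fingerprint(client_asn, user_agent)):
        return None, "binding_mismatch"
    return data["user"], "ok"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed user agent)"
    cookie = issue_session("alice", "AS64500", ua)
    print(validate_session(cookie, "AS64500", ua))   # bound client: ('alice', 'ok')
    print(validate_session(cookie, "AS64510", ua))   # replay elsewhere: (None, 'binding_mismatch')
```

The trade-off is the same one the detection assessment describes: binding to network attributes breaks sessions for legitimate users who roam between networks, so it is usually paired with a step-up re-authentication rather than a hard logout, and phishing-resistant MFA (FIDO2) remains the control that stops credential capture in the first place.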

Key Behavioral Indicators

  • Anomalous session cookie usage from new ASNs
  • Impossible travel alerts tied to session token reuse
  • Connections to known AitM proxy infrastructure

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Revoke active sessions for users suspected of compromise.
  • Reset passwords for affected accounts.
  • Review and remove any unauthorized inbox rules or newly registered MFA devices.

Infrastructure Hardening

  • Implement phishing-resistant MFA (e.g., FIDO2 security keys or certificate-based authentication).
  • Enable conditional access policies restricting logins to known devices, compliant endpoints, or trusted locations.
  • Implement Identity Security Posture Management (ISPM) to track account compromise risks and weak authentication methods.

User Protection

  • Deploy advanced email and collaboration security solutions to detect lateral phishing, advanced phishing, and domain impersonation.
  • Enable URL and web content inspection with real-time alerts for fake websites and credential harvesting forms.

Security Awareness

  • Conduct regular phishing simulation assessments to identify human risk.
  • Train employees on identifying AitM phishing pages and verifying URLs before entering credentials.

MITRE ATT&CK Mapping

  • T1566 - Phishing
  • T1556 - Modify Authentication Process
  • T1111 - Two-Factor Authentication Interception
  • T1539 - Steal Session Cookie
  • T1078 - Valid Accounts