Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale
Tycoon2FA is a widespread Adversary-in-the-Middle (AiTM) Phishing-as-a-Service platform operated by the threat actor Storm-1747. It enables cybercriminals to bypass standard multifactor authentication (MFA) at scale by intercepting session cookies and credentials using spoofed sign-in pages, custom CAPTCHAs, and complex redirect chains.
Authors: Microsoft Threat Intelligence, Microsoft Digital Crimes Unit (DCU)
Source: Microsoft
- hxxps://branch[.]cricomai[[.]]sa[[.]]com/b@GrBOPttIrJA/*EMAIL_ADDRESS - Tycoon2FA campaign URL structure (December 2025)
- hxxps://immutable[.]nathacha[[.]]digital/T@uWhi6jqZQH7/#?EMAIL_ADDRESS - Tycoon2FA campaign URL structure (December 2025)
- hxxps://mock[.]zuyistoo[[.]]today/pry1r75TisN5S@8yDDQI/$EMAIL_ADDRESS - Tycoon2FA campaign URL structure (December 2025)
- hxxps://mysql[.]vecedoo[[.]]online/JB5ow79@fKst02/#EMAIL_ADDRESS - Tycoon2FA campaign URL structure (December 2025)
- hxxps://qonnfp[.]wnrathttb[[.]]ru/Fe2yiyoKvg3YTfV!/$EMAIL_ADDRESS - Tycoon2FA campaign URL structure (July 2025)
Key Takeaways
- Tycoon2FA is a highly evasive Adversary-in-the-Middle (AiTM) Phishing-as-a-Service platform that intercepts session cookies to bypass standard MFA.
- The infrastructure relies heavily on Cloudflare, short-lived FQDNs (24-72 hours), and diverse generic TLDs to evade reputation-based blocking.
- Advanced evasion techniques include custom rotating CAPTCHAs, browser fingerprinting, datacenter IP filtering, and dynamic decoy pages to thwart automated analysis.
- Initial access is typically achieved via phishing emails containing QR codes, SVG files with redirect logic, or HTML attachments.
- Stolen credentials and session cookies are exfiltrated in near-real-time via Telegram bots, allowing attackers to establish persistence via inbox rules or new MFA devices.
Affected Systems
- Microsoft 365
- Microsoft Entra ID
- Google Workspace
- Okta
- OneDrive
- SharePoint
- Outlook
Attack Chain
The attack begins with a phishing email containing a malicious attachment (PDF, SVG, HTML) or embedded link. Clicking the link initiates a multilayer redirect chain that leads the victim to a custom CAPTCHA challenge designed to evade automated analysis. Once passed, the victim is presented with a dynamically generated, spoofed sign-in page that relays credentials and MFA prompts to the legitimate service. Upon successful authentication, the AiTM kit captures the session cookie and exfiltrates it via a Telegram bot, granting the attacker persistent access to the compromised account.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: Yes
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Microsoft Defender XDR, Microsoft Entra ID
Microsoft provides KQL advanced hunting queries to identify suspicious sign-in attempts (e.g., empty DeviceTrustType with high risk) and suspicious URL clicks associated with AiTM attacks.
Detection Engineering Assessment
- EDR Visibility: Low — The attack primarily targets cloud identities and session tokens via web browsers, meaning traditional endpoint telemetry (process creation, file writes) will have limited visibility into the core AiTM mechanism.
- Network Visibility: Medium — While the traffic is encrypted and often routed through legitimate services like Cloudflare, network logs can reveal complex redirect chains and connections to newly registered generic TLDs.
- Detection Difficulty: Hard — Tycoon2FA uses short-lived domains, custom rotating CAPTCHAs, browser fingerprinting, and dynamic decoy pages to actively evade automated scanners and signature-based detection.
Required Log Sources
- Azure AD Sign-in Logs
- Email Gateway Logs
- Web Proxy Logs
- Cloud App Security Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for successful sign-ins where the DeviceTrustType is empty and the RiskLevelDuringSignIn is medium or high, indicating a potential AiTM session hijack. | Identity/Azure AD Sign-in Logs | Credential Access | Low |
| Identify users who click on URLs in emails that lead to domains registered within the last 24-72 hours, particularly those using generic TLDs like .space or .today. | Email Gateway/Web Proxy Logs | Initial Access | High |
| Detect the creation of new inbox rules or the registration of new MFA devices immediately following a sign-in from an anomalous geolocation or unknown IP address. | Cloud App Security/Identity Logs | Persistence | Medium |
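The first and third hypotheses in the table can be chained into a single Defender XDR advanced hunting query. The query below is an added example written for this page, not Microsoft's published hunting query; it assumes the AADSignInEventsBeta and CloudAppEvents tables are available in the tenant and that Exchange Online audit events are flowing into CloudAppEvents.

```kql
// Added example (not Microsoft's published query): successful sign-ins with no device trust
// and medium/high sign-in risk, followed within an hour by a new inbox rule for the same account.
let lookback = 7d;
// Step 1: the AiTM session-hijack hypothesis (empty DeviceTrustType + elevated risk).
let riskySignins =
    AADSignInEventsBeta
    | where Timestamp > ago(lookback)
    | where ErrorCode == 0                       // successful sign-in only
    | where isempty(DeviceTrustType)             // not from an Entra joined/registered device
    | where RiskLevelDuringSignIn in (50, 100)   // 50 = medium, 100 = high
    | project SigninTime = Timestamp, AccountObjectId, AccountUpn, SigninIP = IPAddress,
              Country, Application, SessionId, RiskLevelDuringSignIn;
// Step 2: the persistence hypothesis (inbox rule created shortly after the risky sign-in).
let inboxRules =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "New-InboxRule"
    | project RuleTime = Timestamp, AccountObjectId, RuleIP = IPAddress, RawEventData;
riskySignins
| join kind=inner inboxRules on AccountObjectId
| where RuleTime between (SigninTime .. (SigninTime + 1h))   // rule created within 1h of sign-in
| project SigninTime, RuleTime, AccountUpn, SigninIP, RuleIP, Country, Application,
          RiskLevelDuringSignIn, RawEventData
| order by SigninTime desc
```

Running step 1 on its own covers the low-FP hypothesis in the table; the join narrows it further to accounts that also show the persistence behaviour, at the cost of missing sessions where the attacker has not yet created a rule.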
Control Gaps
- Standard MFA (SMS, Push Notifications, OTP)
- Signature-based URL filtering
- Automated sandbox detonation (due to CAPTCHA gates)
Key Behavioral Indicators
- Empty DeviceTrustType during sign-in
- High-risk sign-in events combined with new inbox rules
- Rapid subdomain rotation on generic TLDs
- Use of Cloudflare Workers for intermediary redirect URLs
False Positive Assessment
- Medium. Hunting for generic TLDs or Cloudflare infrastructure will yield high false positives due to legitimate use, but identity-based behavioral detections (like empty DeviceTrustType combined with high risk scores) have significantly lower false positive rates.
Recommendations
Immediate Mitigation
- Reset credentials for any suspected compromised accounts.
- Revoke all active sessions and tokens for compromised users.
- Review and remove any unauthorized inbox rules or forwarding configurations.
- Review and remove recently added or updated MFA devices for affected users.
Infrastructure Hardening
- Enforce phishing-resistant MFA (FIDO2 security keys, Windows Hello for Business, Microsoft Authenticator passkeys) for privileged roles.
- Implement Entra ID Conditional Access authentication strength policies to require phishing-resistant authentication.
- Configure Microsoft Defender for Office 365 to recheck links on click (Safe Links) and enable Safe Attachments.
- Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine malicious messages retroactively.
User Protection
- Enable network protection in Microsoft Defender for Endpoint.
- Encourage the use of web browsers that support SmartScreen or similar reputation-based blocking to identify phishing sites.
Security Awareness
- Train users to recognize the signs of spoofed sign-in pages and unexpected MFA prompts.
- Run realistic spear-phishing simulations using tools like Attack Simulator to train end-users against credential harvesting.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1556.006 - Modify Authentication Process: Multi-Factor Authentication
- T1539 - Steal Session Cookie
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1056.001 - Input Capture: Keylogging
Additional IOCs
- Urls:
  - hxxps://piwf[.]ariitdc[[.]]es/kv2gVMHLZ@dNeXt/$EMAIL_ADDRESS - Tycoon2FA campaign URL structure (July 2025)
  - hxxps://q9y3[.]efwzxgd[[.]]es/MEaap8nZG5A@c8T/*EMAIL_ADDRESS - Tycoon2FA campaign URL structure (July 2025)
  - hxxps://kzagniw[[.]]es/LI6vGlx7@1wPztdy - Tycoon2FA campaign URL structure (July 2025)
  - hxxps://astro[.]thorousha[[.]]ru/vojd4e50fw4o!g/$ENCODED EMAIL_ADDRESS - Tycoon2FA campaign URL structure (December 2025)
  - hxxps://backend[.]vmfuiojitnlb[[.]]es/CGyP9!CbhSU22YT2/ - Tycoon2FA campaign URL structure (December 2025)
- Other:
  - .space - Generic TLD frequently used for Tycoon2FA campaign domains
  - .email - Generic TLD frequently used for Tycoon2FA campaign domains
  - .solutions - Generic TLD frequently used for Tycoon2FA campaign domains
  - .live - Generic TLD frequently used for Tycoon2FA campaign domains
  - .today - Generic TLD frequently used for Tycoon2FA campaign domains
  - .calendar - Generic TLD frequently used for Tycoon2FA campaign domains
  - .sa[.]com - Second-level domain frequently used for Tycoon2FA campaign domains
  - .in[.]net - Second-level domain frequently used for Tycoon2FA campaign domains
  - .com[.]de - Second-level domain frequently used for Tycoon2FA campaign domains