
Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown

Following a major law enforcement takedown of its infrastructure on March 4, 2026, the Tycoon2FA Phishing-as-a-Service (PhaaS) platform has quickly reconstituted its operations. The platform continues to enable cybercriminals to bypass multifactor authentication (MFA) using Adversary-in-the-Middle (AiTM) techniques, leading to cloud account takeovers and Business Email Compromise (BEC).

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-03-20

Authors: CrowdStrike

Actors: Tycoon2FA, RaccoonO365, Salty2FA

Source: CrowdStrike

IOCs: 10

Key Takeaways

  • Europol disrupted Tycoon2FA infrastructure on March 4, 2026, seizing 330 domains, but the platform quickly recovered.
  • Despite a brief drop, Tycoon2FA campaign volume returned to pre-disruption levels within days.
  • The platform continues to use Adversary-in-the-Middle (AiTM) techniques to bypass MFA and steal session cookies.
  • Post-disruption campaigns leverage compromised SharePoint infrastructure, URL shorteners, and Cloudflare developer infrastructure.
  • Attackers establish persistence post-compromise by creating suspicious inbox rules and folders to conceal BEC and financial fraud activities.

Affected Systems

  • Microsoft 365
  • Google Workspace
  • Microsoft Exchange
  • SharePoint

Attack Chain

Victims receive phishing emails that lead to a Tycoon2FA CAPTCHA page, reached through malicious URLs, URL shorteners, or links embedded in documents (XLSX/PDF) hosted on compromised SharePoint sites. Once the CAPTCHA is passed, a JavaScript file extracts the victim's email address and pre-fills a fake Microsoft 365 or Google login page. An obfuscated JavaScript file then relays the credentials the victim enters (and the resulting MFA response) to the legitimate cloud service in real time, acting as an Adversary-in-the-Middle (AiTM): the service issues a valid session, the kit captures the session cookie, and MFA is satisfied even though the session now belongs to the attacker. Once authenticated, attackers establish persistence by creating suspicious inbox rules and hidden folders to conceal Business Email Compromise (BEC) and financial fraud activity.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules or queries, but outlines behavioral indicators and infrastructure patterns observed by CrowdStrike.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can observe the lure document being opened and the browser session, but the credential relay and session cookie theft happen between the victim's browser, the attacker's proxy and the cloud identity provider, where EDR has little visibility.
  • Network Visibility: High. Network telemetry and proxy logs are critical for identifying connections to known Tycoon2FA infrastructure and CAPTCHA pages, and for spotting authentication traffic sent to a domain that is not the identity provider's.
  • Detection Difficulty: Moderate. AiTM attacks bypass traditional MFA, so the authentication log alone shows a successful, MFA-satisfied login. Detection requires correlating anomalous login locations/ISPs with subsequent suspicious inbox rule creation.

Required Log Sources

  • Cloud Identity Provider Logs (Azure AD/Google Workspace)
  • Email Gateway Logs
  • Web Proxy/Secure Web Gateway Logs
  • O365 Unified Audit Log

Hunting Hypotheses

Hypothesis 1: Successful cloud logins originating from unusual ASNs or VPN/VPS providers, immediately followed by the creation of inbox rules that move or delete emails containing financial keywords.
  • Telemetry: O365 Unified Audit Log / Cloud Identity Logs
  • ATT&CK stage: Persistence
  • FP risk: Low

Hypothesis 2: Authentication events where the user agent string or IP address changes rapidly between the initial login and subsequent API access, indicating possible session cookie hijacking.
  • Telemetry: Cloud Identity Provider Logs
  • ATT&CK stage: Credential Access
  • FP risk: Medium
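Both hypotheses above can be run over an export of the Unified Audit Log with the same parser, so the following is one added example covering both. It is example code written for this page, not CrowdStrike's detection logic. The JSON lines in SAMPLE_UAL are constructed to resemble Unified Audit Log records (Operation, UserId, ClientIP, CreationTime, ExtendedProperties, Parameters), with every user, IP and timestamp made up; ASN_LOOKUP stands in for the IP-to-ASN enrichment you would normally take from a GeoIP/ASN feed; the keyword and action lists are illustrative choices.

```python
"""Hunt UAL records for (1) VPS login followed by a rule hiding financial mail and
(2) post-login activity from a different IP and user agent (session pivot).
Sample data and enrichment below are constructed for this example."""
import json
from datetime import datetime, timedelta

SAMPLE_UAL = """\
{"CreationTime":"2026-03-10T08:02:11","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.7","Workload":"AzureActiveDirectory","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0) Chrome/123.0"}]}
{"CreationTime":"2026-03-10T08:19:40","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.7","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;payment;wire"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-03-10T09:00:05","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"198.51.100.23","Workload":"AzureActiveDirectory","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0) Edge/123.0"}]}
{"CreationTime":"2026-03-10T09:05:30","Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.23","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2026-03-10T10:10:00","Operation":"UserLoggedIn","UserId":"carol@example.com","ClientIP":"198.51.100.40","Workload":"AzureActiveDirectory","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Macintosh) Safari/17.0"}]}
{"CreationTime":"2026-03-10T10:18:45","Operation":"MailItemsAccessed","UserId":"carol@example.com","ClientIP":"192.0.2.99","Workload":"Exchange","ExtendedProperties":[{"Name":"UserAgent","Value":"python-requests/2.31"}]}
"""

# Constructed enrichment: ip -> (ASN, organisation, is_hosting_or_proxy)
ASN_LOOKUP = {
    "203.0.113.7": ("AS64512", "Example VPS Hosting", True),
    "198.51.100.23": ("AS64513", "Example Corp ISP", False),
    "198.51.100.40": ("AS64513", "Example Corp ISP", False),
    "192.0.2.99": ("AS64514", "Example Cloud Proxy", True),
}
FINANCIAL_KEYWORDS = {"invoice", "payment", "wire", "bank", "ach", "remittance", "transfer"}
HIDING_ACTIONS = {"MoveToFolder", "DeleteMessage", "MarkAsRead", "ForwardTo", "RedirectTo"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
KEYWORD_PARAMS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords")


def parse_records(text):
    """Parse a JSON-lines UAL export into dicts sorted by time, adding _ts/_ua/_params."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
        rec["_ua"] = next((p["Value"] for p in rec.get("ExtendedProperties", [])
                           if p["Name"] == "UserAgent"), None)
        rec["_params"] = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def is_hosting_ip(ip):
    return ASN_LOOKUP.get(ip, (None, None, False))[2]


def financial_keywords(params):
    """Financial terms referenced by the rule's subject/body conditions."""
    found = set()
    for name in KEYWORD_PARAMS:
        for word in params.get(name, "").split(";"):
            if word.strip().lower() in FINANCIAL_KEYWORDS:
                found.add(word.strip().lower())
    return found


def hunt_login_then_rule(records, window=timedelta(hours=2)):
    """Hypothesis 1: login from a hosting/VPS ASN, then a rule that hides financial mail."""
    findings = []
    for login in records:
        if login["Operation"] != "UserLoggedIn" or not is_hosting_ip(login["ClientIP"]):
            continue
        for rec in records:
            if rec["UserId"] != login["UserId"] or rec["Operation"] not in RULE_OPERATIONS:
                continue
            if not login["_ts"] <= rec["_ts"] <= login["_ts"] + window:
                continue
            actions = HIDING_ACTIONS & set(rec["_params"])
            keywords = financial_keywords(rec["_params"])
            if actions and keywords:   # both a hiding action and a financial trigger
                findings.append({"user": login["UserId"], "login_ip": login["ClientIP"],
                                 "asn": ASN_LOOKUP[login["ClientIP"]][1],
                                 "rule_name": rec["_params"].get("Name"),
                                 "actions": sorted(actions), "keywords": keywords,
                                 "minutes_after_login": (rec["_ts"] - login["_ts"]).seconds // 60})
    return findings


def hunt_session_pivot(records, window=timedelta(hours=1)):
    """Hypothesis 2: activity soon after a login from a different IP *and* user agent."""
    findings = []
    for login in records:
        if login["Operation"] != "UserLoggedIn":
            continue
        for rec in records:
            if rec is login or rec["UserId"] != login["UserId"] or rec["Operation"] == "UserLoggedIn":
                continue
            if not login["_ts"] < rec["_ts"] <= login["_ts"] + window:
                continue
            if rec["ClientIP"] != login["ClientIP"] and rec["_ua"] and rec["_ua"] != login["_ua"]:
                findings.append({"user": login["UserId"], "login_ip": login["ClientIP"],
                                 "login_ua": login["_ua"], "later_ip": rec["ClientIP"],
                                 "later_ua": rec["_ua"], "operation": rec["Operation"]})
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_UAL)
    for finding in hunt_login_then_rule(recs) + hunt_session_pivot(recs):
        print(json.dumps(finding, default=sorted))
```

On the sample data the first hunt flags only alice (VPS login, then a rule named "." that marks invoice/payment/wire mail as read and moves it to RSS Subscriptions; bob's newsletter rule has no financial trigger), and the second flags only carol (Safari login from the corporate range, then mailbox access eight minutes later from a proxy IP with a scripted user agent). Requiring both IP and user agent to change keeps the second hunt's false-positive rate manageable; a user moving between networks on the same device changes only the IP.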

Control Gaps

  • Standard MFA (SMS/App Push) is bypassed by AiTM techniques.
  • Email gateways may miss malicious links hosted on legitimate but compromised SharePoint sites.

Key Behavioral Indicators

  • Creation of suspicious inbox rules post-login
  • Creation of hidden folders in Exchange
  • Logins from known proxy/VPS IPs
  • Simultaneous logins from geographically distant locations (impossible travel)

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block access to the identified Tycoon2FA domains and monitor for Cloudflare r2.dev/workers.dev abuse.
  • Search O365/Google Workspace environments for newly created, suspicious inbox rules or hidden folders.
  • Revoke active sessions and refresh tokens, and force password resets, for users exhibiting anomalous login behavior. Pair the reset with explicit session revocation: the attacker holds a valid session cookie rather than the password, so a reset alone does not terminate the session they already have.

Infrastructure Hardening

  • Implement FIDO2/WebAuthn (hardware security keys or passkeys). These are resistant to AiTM because the credential is bound to the legitimate site's origin: the browser writes the real page origin into the signed client data and scopes the credential to the identity provider's RP ID, so a login proxied through a look-alike domain cannot produce an assertion the provider will accept.
  • Configure conditional access policies to restrict logins to trusted locations and compliant devices.
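To make the FIDO2/WebAuthn recommendation concrete, here is an added simulation (example code for this page, not from CrowdStrike or any WebAuthn library) of what happens when a Tycoon2FA-style proxy relays a WebAuthn challenge to a victim sitting on a look-alike domain. The hostnames idp.example and idp-verify.example, the challenge string and the key bytes are all hypothetical, and a keyed SHA-256 digest stands in for the real ECDSA signature so that the example runs offline. The parts kept faithful to the WebAuthn specification are the ones that defeat AiTM: the browser, not the page, writes the actual origin into clientDataJSON; it refuses an rpId that is not the page host or a registrable suffix of it; credentials are scoped to an rpId; authenticatorData begins with SHA-256(rpId); and the signature covers authenticatorData concatenated with SHA-256(clientDataJSON).

```python
"""Simplified model of WebAuthn origin binding under an AiTM proxy (hypothetical hosts,
stand-in signature). Shows the four places a proxied login fails."""
import hashlib
import json

RP_ID = "idp.example"                        # hypothetical identity provider RP ID
EXPECTED_ORIGIN = "https://idp.example"
PHISH_ORIGIN = "https://idp-verify.example"  # hypothetical AiTM proxy host
CHALLENGE = "c2FtcGxlLWNoYWxsZW5nZQ"         # constructed; the real IdP issues a fresh one per login
KEY = b"\x11" * 32                           # constructed secret standing in for the private key
CREDENTIALS = {RP_ID: {"id": "cred-1", "key": KEY}}   # what the security key holds, keyed by rpId


def authenticator_sign(rp_id, origin, challenge, key):
    """Authenticator/client step: build clientDataJSON and authenticatorData, then sign."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, separators=(",", ":")).encode()
    # rpIdHash (32 bytes) || flags (UP|UV) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    signed_bytes = auth_data + hashlib.sha256(client_data).digest()
    signature = hashlib.sha256(key + signed_bytes).digest()   # stand-in for ECDSA over signed_bytes
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def browser_get_assertion(page_origin, requested_rp_id, challenge, credentials=CREDENTIALS):
    """Browser step (navigator.credentials.get): enforce the rpId/origin rules, then sign."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError(f"SecurityError: rpId {requested_rp_id!r} not valid for {page_origin!r}")
    cred = credentials.get(requested_rp_id)
    if cred is None:
        raise LookupError(f"no credential scoped to rpId {requested_rp_id!r}")
    return authenticator_sign(requested_rp_id, page_origin, challenge, cred["key"])


def rp_verify(assertion, challenge, key=KEY):
    """Relying-party step: the checks that make a proxied assertion useless."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed_bytes = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if assertion["signature"] != hashlib.sha256(key + signed_bytes).digest():
        return False, "bad signature"
    return True, "ok"


def simulate_legit():
    """User on the real IdP origin: the assertion verifies."""
    return rp_verify(browser_get_assertion(EXPECTED_ORIGIN, RP_ID, CHALLENGE), CHALLENGE)


def simulate_aitm():
    """Victim is on PHISH_ORIGIN; the proxy relays the IdP's real CHALLENGE to the fake page."""
    results = {}
    try:   # 1. the proxied page asks for the IdP's rpId: the browser refuses
        browser_get_assertion(PHISH_ORIGIN, RP_ID, CHALLENGE)
    except ValueError as err:
        results["rpid_from_idp"] = str(err)
    try:   # 2. the page asks for its own rpId instead: the key holds no credential for it
        browser_get_assertion(PHISH_ORIGIN, "idp-verify.example", CHALLENGE)
    except LookupError as err:
        results["rpid_from_phish"] = str(err)
    # 3. even an assertion somehow produced for the phish origin fails the origin check...
    forged = authenticator_sign(RP_ID, PHISH_ORIGIN, CHALLENGE, KEY)
    results["forged_origin"] = rp_verify(forged, CHALLENGE)
    # 4. ...and the proxy cannot rewrite the origin, because the signature covers clientDataJSON
    rewritten = dict(forged, clientDataJSON=forged["clientDataJSON"].replace(
        PHISH_ORIGIN.encode(), EXPECTED_ORIGIN.encode()))
    results["rewritten_origin"] = rp_verify(rewritten, CHALLENGE)
    return results


if __name__ == "__main__":
    print("legitimate login:", simulate_legit())
    for step, outcome in simulate_aitm().items():
        print(f"AiTM {step}: {outcome}")
```

Contrast this with a TOTP code or push approval, which carries no notion of origin: the proxy relays it unchanged and the identity provider cannot tell the request came through an intermediary. In a real deployment the relying party verifies the signature with the credential's stored public key; the shared-secret digest here only keeps the example self-contained.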

User Protection

  • Deploy endpoint security solutions capable of inspecting browser traffic for AiTM indicators.
  • Enhance email filtering to aggressively quarantine emails containing links to newly registered domains or suspicious URL shorteners.

Security Awareness

  • Train users to verify the URL in the address bar before entering credentials, even if the page looks identical to Microsoft 365 or Google.
  • Educate employees on the risks of clicking links in unexpected SharePoint or document-sharing notifications.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1566.002 - Phishing: Spearphishing Link
  • T1556 - Modify Authentication Process
  • T1539 - Steal Web Session Cookie
  • T1114.003 - Email Collection: Email Forwarding Rule
  • T1564.008 - Hide Artifacts: Email Hidden Rules
  • T1078.004 - Valid Accounts: Cloud Accounts