Microsoft, Europol, and collaborators have dismantled the Tycoon 2FA phishing-as-a-service (PhaaS) network, confiscating 330 domains utilized for credential theft and MFA evasion. This collaborative initiative disrupts a service that has been operational since 2023, generating tens of millions of phishing emails each month.
Tycoon 2FA allowed cybercriminals to circumvent multifactor authentication (MFA) through adversary-in-the-middle (AiTM) strategies, gathering credentials, session tokens, and immediate authentication codes for platforms like Microsoft 365 and Gmail.
Following a U.S. court mandate and Europol’s Cyber Intelligence Extension Programme (CIEP), Microsoft spearheaded the acquisition of control panels and counterfeit login pages, marking the first such international public-private operation.

The platform was responsible for 62% of phishing attempts Microsoft blocked by mid-2025, affecting 96,000 victims, including 55,000 customers of Microsoft, significantly impacting the healthcare and education sectors.

In November 2025, Tycoon 2FA nearly doubled its output from the previous month, likely due to the surge in holiday-season phishing activity and a rise in PhaaS subscriber engagement. This increase culminated in approximately 33 million messages dispatched in one month, rendering it the most prolific phishing service ever monitored by Microsoft.
The notable decline registered in January 2026 suggests a considerable disruption. From November 2025 to January 2026, the number of phishing messages dropped by around 57.6% from its maximum. This reduction aligns with Microsoft’s infrastructure seizures and cooperative actions with Europol during that period.
In total, the estimated volume of phishing messages from October 2025 to January 2026 was about 87.5 million, aiming at over 500,000 entities worldwide.
Over 100 Health-ISAC members were targeted, resulting in operational disruptions such as delayed patient care in hospitals and schools in New York.
Collaborators, including Proofpoint, Intel 471, eSentire, Cloudflare, SpyCloud, Resecurity, Coinbase, and Shadowserver, offered telemetry, intelligence, and infrastructure takedowns across jurisdictions like Latvia and the UK.
Tycoon 2FA Phishing Kit Dismantled
Tycoon 2FA employed realistic templates, reverse proxies, and dynamic JavaScript to transmit victim inputs to legitimate services, hijacking sessions without alerts.

Evasion functionalities included CAPTCHA, bot filtering, browser fingerprinting, Base64/LZ compression, DOM vanishing, and multi-domain redundancy for data exfiltration, as per the Microsoft report.
| IOC Example | Type | Description |
|---|---|---|
| mapbox.stashiowio.us | Credential harvesting | Primary backend for collected data. |
| date.woosea.biz.id | Exfiltration relay | Secondary data routing domain. |
| ifelse.rlcozx.es | Cross-origin traffic | Obfuscated POST requests. |
Domains preferred .ru, .com, and .es TLDs, featuring rapid rotation and DGA-like generation to evade blocks.
Run by Saad Fridi (Pakistan-based) with marketing and support partners, it integrated with services like RedVDS for hosting and email spam. This reflects the impersonation economy, where disruptions cascade: earlier takedowns of Lumma Stealer, RaccoonO365, and Fake ONNX forced transitions to Tycoon.
MITRE ATT&CK mappings underscore its focus:
| Tactic | Technique | Name |
|---|---|---|
| Reconnaissance | T1598 | Phishing for Information |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains |
| Resource Development | T1588.002 | Obtain Capabilities: Tool |
Implement passkeys, FIDO2 hardware keys, or other phishing-resistant MFA in preference to SMS or TOTP codes, which an AiTM proxy can relay; enforce device trust and session controls. Monitor for proxy anomalies, suspicious logins, and rapid domain rotations using threat intel feeds.
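To show why passkeys and FIDO2 keys resist the AiTM relay described above, here is an added example (not code from the report or from any vendor) of the origin and challenge checks a WebAuthn relying party performs on the browser-supplied clientDataJSON. The relying party origin and the phishing origin are constructed placeholders; the signature over clientDataJSON, which is what stops an attacker from simply editing the origin field, is assumed to be verified separately and is not shown.

```python
import base64
import json
import secrets

# Constructed placeholder relying party origin (not a real service).
RP_ORIGIN = "https://login.example.com"


def new_challenge() -> str:
    """Issue a fresh random challenge, base64url-encoded without padding,
    as a relying party does at the start of each authentication ceremony."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: str) -> bytes:
    """Simulate the clientDataJSON a browser builds for the page that called
    navigator.credentials.get(). The browser, not the page, fills in 'origin',
    so a phishing page cannot claim the legitimate origin. Constructed helper."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def verify_client_data(
    client_data_json: bytes, expected_challenge: str, expected_origin: str
) -> tuple[bool, str]:
    """Relying-party side checks on clientDataJSON.

    Returns (accepted, reason). A proxied login from a look-alike domain fails
    the origin check even though the victim's credentials and second factor
    were relayed in real time.
    """
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: {data.get('origin')!r}"
    return True, "ok"


if __name__ == "__main__":
    challenge = new_challenge()
    # Legitimate flow: the browser is on the real relying party origin.
    print(verify_client_data(make_client_data(RP_ORIGIN, challenge), challenge, RP_ORIGIN))
    # Relayed flow: the browser is on a constructed look-alike domain.
    phish = make_client_data("https://login-example.phish.invalid", challenge)
    print(verify_client_data(phish, challenge, RP_ORIGIN))
```

The first call is accepted and the second is rejected on origin. This is the property that makes the technique phishing-resistant: a proxy can relay passwords and one-time codes unchanged, but it cannot obtain an assertion bound to the legitimate origin because the browser on the victim's machine signs for the origin it is actually on.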
Block known IOCs and activate AI-driven email filters. Organizations should join ISACs for shared telemetry, as no single entity can combat scalable AiTM PhaaS alone.
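As an added illustration of the IOC blocking and sign-in monitoring recommended above (this is example code written for this page, not Microsoft's or any partner's detection logic), the following script matches web-proxy log lines against the three domains from the IOC table and flags sign-in sessions with AiTM-style anomalies: MFA completed from a hosting or proxy network, or a session token reused from a different IP than the one that authenticated. The log lines, sign-in events, IP addresses and ASN labels are constructed sample data.

```python
from collections import defaultdict

# IOC domains taken from the report's table above.
IOC_DOMAINS = {"mapbox.stashiowio.us", "date.woosea.biz.id", "ifelse.rlcozx.es"}

# Constructed sample proxy log (not real traffic): timestamp, client IP, destination host, method.
PROXY_LOG = """\
2026-01-12T09:14:02Z 10.20.0.15 sso.corp.example.com POST
2026-01-12T09:14:05Z 10.20.0.15 mapbox.stashiowio.us POST
2026-01-12T09:20:41Z 10.20.0.77 cdn.example-cdn.net GET
2026-01-12T09:21:03Z 10.20.0.77 date.woosea.biz.id POST
"""

# Constructed sign-in events from an identity provider: (time, user, session id, IP, ASN label, event).
# ASN labels would normally come from an IP-enrichment feed; here they are hard-coded sample values.
SIGNIN_EVENTS = [
    ("2026-01-12T09:14:00Z", "alice", "s1", "203.0.113.9", "hosting", "mfa_success"),
    ("2026-01-12T09:16:30Z", "alice", "s1", "198.51.100.24", "hosting", "token_use"),
    ("2026-01-12T09:30:00Z", "bob", "s2", "192.0.2.40", "residential", "mfa_success"),
    ("2026-01-12T09:35:00Z", "bob", "s2", "192.0.2.40", "residential", "token_use"),
]


def ioc_hits(log_text: str, iocs: set[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client IP, host) for every line whose destination is an IOC
    domain or a subdomain of one, so the hits can be blocked and the clients triaged."""
    hits = []
    for line in log_text.splitlines():
        ts, ip, host, _method = line.split()
        if host in iocs or any(host.endswith("." + d) for d in iocs):
            hits.append((ts, ip, host))
    return hits


def suspicious_sessions(events: list[tuple]) -> dict[str, list[str]]:
    """Group events by session and flag AiTM indicators.

    An AiTM proxy completes MFA on the victim's behalf from the proxy's own IP,
    then the captured session token is used from wherever the operator chooses.
    Two cheap signals follow: MFA satisfied from a hosting/proxy ASN, and the
    token appearing from a different IP than the one that authenticated.
    """
    by_session: dict[str, list[tuple]] = defaultdict(list)
    for ev in events:
        by_session[ev[2]].append(ev)

    flagged: dict[str, list[str]] = {}
    for sid, evs in by_session.items():
        reasons = []
        auth = [e for e in evs if e[5] == "mfa_success"]
        if not auth:
            continue
        auth_ip, auth_asn = auth[0][3], auth[0][4]
        if auth_asn == "hosting":
            reasons.append(f"MFA completed from hosting/proxy ASN via {auth_ip}")
        for e in evs:
            if e[5] == "token_use" and e[3] != auth_ip:
                reasons.append(f"session token used from {e[3]} after auth from {auth_ip}")
        if reasons:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    for hit in ioc_hits(PROXY_LOG, IOC_DOMAINS):
        print("IOC hit:", hit)
    for sid, reasons in suspicious_sessions(SIGNIN_EVENTS).items():
        print("session", sid, "->", "; ".join(reasons))
```

On the sample data, two proxy lines match IOC domains and only session `s1` is flagged, with both reasons. In production the ASN label and IOC list would come from the threat intel feeds the report recommends, and a token-reuse hit should lead to revoking that session rather than just alerting, since the credential theft has already happened by the time the anomaly appears.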
Sustained disruptions elevate costs for operators, driving strict access and shutdowns, thereby reshaping the cybercrime landscape.