AI can beat MFA now

Recent security analysis warns that AI‑powered attacks can compromise MFA and authentication apps in minutes, shifting what used to be robust controls into potential liabilities for enterprises. That finding forces audit committees to refresh cyber risk scenarios and consider AI‑specific threat models for controls and breach disclosures. (securityboulevard.com) (cybersecurity-insiders.com)

Microsoft and Europol led a coordinated disruption of the Tycoon 2FA phishing‑as‑a‑service platform and obtained a court order to seize 330 active domains that powered its control panels and fraudulent login pages. (blogs.microsoft.com) Investigators link Tycoon 2FA to more than 96,000 victims worldwide since 2023, including over 55,000 Microsoft customers, and Microsoft says the kit accounted for roughly 62% of phishing attempts it blocked by mid‑2025, including more than 30 million blocked emails in a single month. (cybersecuritydive.com)

Technical writeups show Tycoon and sibling kits used adversary‑in‑the‑middle reverse‑proxy architectures to proxy real login pages, capture credentials, MFA codes and session cookies in real time, and allow attackers to replay sessions without breaking cryptography. (labs.cloudsecurityalliance.org) Researchers and vendor analysis described industrialized toolsets—referred to in published research as Starkiller, EvilProxy and Tycoon—that scaled attacks using headless browsers, Cloudflare Workers and other automation to process hundreds of thousands of phishing emails monthly. (labs.cloudsecurityalliance.org)

Cloudflare, Coinbase, Proofpoint, Trend Micro and other private partners worked with Microsoft and Europol during the disruption effort, while Coinbase’s intelligence traced crypto payments that funded the service and Proofpoint supplied threat data for Microsoft’s civil filing in the U.S. Southern District of New York. (cloudflare.com) Token presented hardware‑bound biometric devices (Token Ring and Token BioStick) that store fingerprints locally and cryptographically bind authentication to a specific domain as a countermeasure, and the company said insurers and U.S. authorities have signaled support for phishing‑resistant, device‑bound credentials. (lastwatchdog.com) Proofpoint’s supporting declaration named an alleged Tycoon operator, Saad Fridi, and Microsoft characterized the action as a disruption of a subscription‑style PhaaS ecosystem that made large‑scale MFA‑bypass tooling widely accessible to thousands of attackers. (proofpoint.com)
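
An added example, not taken from the reporting above or from any vendor's code: a sketch of the WebAuthn-style checks a relying party runs on a login assertion, showing why a credential bound to a domain fails when the login passes through a reverse proxy on another domain. The domain names, key and challenge are constructed, and HMAC stands in for the authenticator's asymmetric signature so the block runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json

RP_ID = "login.example.com"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # constructed legitimate origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(key: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    # Assumption: HMAC replaces the authenticator's asymmetric signature.
    # The signed bytes follow WebAuthn: authenticatorData || SHA-256(clientDataJSON).
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_assertion(key: bytes, challenge: bytes, origin: str, rp_id: str):
    """Browser + authenticator side: the browser records the origin it is really on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # rpIdHash (32 bytes) | flags (0x05 = user present + verified) | signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return client_data, auth_data, _sign(key, auth_data, client_data)

def verify_assertion(key, challenge, client_data, auth_data, signature) -> str:
    """Relying-party side: returns "ok" or the name of the first failed check."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    if not hmac.compare_digest(signature, _sign(key, auth_data, client_data)):
        return "bad signature"
    return "ok"

def demo():
    key, challenge = b"constructed-credential-key", b"constructed-challenge-0001"
    proxy_origin, proxy_rp = "https://login.example-sso.test", "login.example-sso.test"
    direct = verify_assertion(key, challenge, *make_assertion(key, challenge, EXPECTED_ORIGIN, RP_ID))
    # Worst case for the defender: the same key even answers on the proxy's domain.
    cd, ad, sig = make_assertion(key, challenge, proxy_origin, proxy_rp)
    relayed = verify_assertion(key, challenge, cd, ad, sig)
    # Origin and rpIdHash edited in transit: the signature no longer covers them.
    cd2 = cd.replace(proxy_origin.encode(), EXPECTED_ORIGIN.encode())
    ad2 = hashlib.sha256(RP_ID.encode()).digest() + ad[32:]
    return direct, relayed, verify_assertion(key, challenge, cd2, ad2, sig)
```

A one-time code or session cookie carries no origin field and no signature over one, which is why the same relay succeeds against those factors.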
