Global Operation Dismantles 'Tycoon 2FA' Phishing Service

A global law enforcement operation has dismantled "Tycoon 2FA," a phishing-as-a-service platform that automated adversary-in-the-middle (AiTM) attacks to bypass multi-factor authentication. The takedown exposes the commoditization of sophisticated identity attacks, highlighting the growing risk to both customer and employee accounts.

First appearing in August 2023, the Tycoon 2FA service was sold on private Telegram channels for as low as $120 for 10 days of access. This subscription gave cybercriminals a turnkey platform to defeat multi-factor authentication, even for less-skilled actors. The primary developer is believed to be a threat actor tracked as Storm-1747, with Microsoft and Health-ISAC filing a lawsuit against an alleged creator, Saad Fridi.

The service operated as a transparent reverse proxy, sitting between a user and legitimate services like Microsoft 365 or Gmail. This adversary-in-the-middle (AiTM) technique allowed the real-time relay of authentication prompts, capturing not just credentials but also the live session tokens and cookies needed to bypass MFA methods like SMS codes and authenticator apps.

At its peak, Tycoon 2FA was responsible for approximately 62% of all phishing attempts blocked by Microsoft and sent tens of millions of phishing emails monthly. The operation compromised nearly 100,000 organizations globally, with a heavy focus on the U.S., and targeted sectors from healthcare and education to finance and government.

The takedown was a coordinated effort involving Europol and private partners like Microsoft, Cloudflare, and Trend Micro. The operation seized over 330 domains that formed the criminal backbone of the service. For infrastructure that couldn't be legally seized, Cloudflare implemented interstitial warning pages to block access to remaining phishing links.

Technically, the phishing kits abused Cloudflare Workers to host malicious logic and proxy traffic through malicious domains. The kits used obfuscated JavaScript and CAPTCHA challenges to evade detection by automated security tools and researchers. After successfully capturing a session, attackers often pivoted to Business Email Compromise (BEC) attacks, sending fraudulent invoices from the trusted, authenticated account.
For detection engineering, defenders should hunt for anomalous session cookie usage and for logins from unfamiliar geolocations or residential proxy networks, as 75% of operator logins came from such obfuscated infrastructure. Microsoft Defender XDR can raise alerts for stolen session cookie use, such as "User compromised through session cookie hijack." Monitoring for domains associated with Tycoon 2FA and for the kits' specific JavaScript behaviors is another key detection opportunity.

This incident underscores the necessity of the User & Identity pillar within a Zero Trust architecture. Traditional MFA is vulnerable to AiTM attacks, highlighting the need for phishing-resistant authenticators like FIDO2-compliant hardware keys. Continuously verifying user sessions and assuming breach are core Zero Trust tenets that directly counter the threat of session token replay.
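The session-replay hunt described above, as an added example that is not part of the original briefing or of any vendor's tooling: it scans constructed sign-in events (the log schema and field names are assumptions, not Microsoft's) and flags a session cookie that was minted from one IP and country but later presented from another, raising the severity when the replaying client sits on a residential-proxy ASN.

```python
"""Hunt for AiTM-style session-token replay in sign-in logs.

Heuristic: a session cookie is minted at interactive sign-in from one
client; if the same session is later presented from a different IP and
country (especially from a residential-proxy ASN) it was very likely
captured by a reverse proxy and replayed. Log format and field names
below are constructed for this example, not a real product schema.
"""
from datetime import datetime

# Constructed sample events: (timestamp, user, session_id, ip, country, asn_type)
SAMPLE_EVENTS = [
    ("2024-05-01T08:02:11Z", "alice@example.com", "sess-aaa1", "203.0.113.10", "US", "corporate"),
    ("2024-05-01T08:40:55Z", "alice@example.com", "sess-aaa1", "203.0.113.10", "US", "corporate"),
    ("2024-05-01T09:15:03Z", "alice@example.com", "sess-aaa1", "198.51.100.77", "NG", "residential_proxy"),
    ("2024-05-01T10:00:00Z", "bob@example.com", "sess-bbb2", "192.0.2.44", "US", "corporate"),
    ("2024-05-01T10:05:00Z", "bob@example.com", "sess-bbb2", "192.0.2.44", "US", "corporate"),
]

def parse(ev):
    ts, user, sid, ip, country, asn_type = ev
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "sid": sid, "ip": ip, "country": country, "asn_type": asn_type}

def find_session_replay(events, max_age_hours=24):
    """Return one finding per event where a session is presented from a
    different IP *and* country than the one that established it. Requiring
    both fields to differ cuts noise from mobile IP churn inside one country."""
    first_seen = {}  # session_id -> the event that first established it
    findings = []
    for ev in sorted((parse(e) for e in events), key=lambda e: e["ts"]):
        origin = first_seen.setdefault(ev["sid"], ev)
        if origin is ev:  # first sighting of this session: record it, nothing to compare
            continue
        age_h = (ev["ts"] - origin["ts"]).total_seconds() / 3600
        if ev["ip"] != origin["ip"] and ev["country"] != origin["country"] and age_h <= max_age_hours:
            severity = "high" if ev["asn_type"] == "residential_proxy" else "medium"
            findings.append({"user": ev["user"], "session_id": ev["sid"],
                             "origin": f'{origin["ip"]}/{origin["country"]}',
                             "replayed_from": f'{ev["ip"]}/{ev["country"]}',
                             "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in find_session_replay(SAMPLE_EVENTS):
        print(finding)
```

In production the same logic would run over the identity provider's sign-in export, with the ASN classification coming from a proxy-reputation feed rather than a hard-coded field.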
