Tycoon2FA AiTM kit reported
A reported phishing-as-a-service kit called Tycoon2FA enables adversary-in-the-middle attacks that can hijack sessions and bypass MFA, with observed focus on U.S. targets. (x.com)
Adversary-in-the-middle phishing works like a fake receptionist standing between you and a real login page, passing messages both ways while stealing the session cookie that proves you already passed security. Tycoon2FA is one of the best-known kits built for that job. (microsoft.com)

Microsoft and Proofpoint said on March 4, 2026 that Tycoon2FA had grown into a leading phishing-as-a-service platform, with campaigns sending tens of millions of phishing emails and reaching more than 500,000 organizations each month. Microsoft said the service first emerged in August 2023. (microsoft.com)

Proofpoint said Tycoon2FA was the highest-volume adversary-in-the-middle phishing threat in its data when the companies and Europol moved to disrupt the service in March 2026. Law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom carried out seizures and other operational steps. (proofpoint.com)

The key trick is that multifactor authentication can still be defeated if the attacker steals the browser session after the victim logs in. Proofpoint said Tycoon2FA used a reverse proxy, which is a relay server that sits in the middle and captures credentials and authenticated sessions from Microsoft 365 and Google logins. (proofpoint.com)

That made the service useful to less-skilled criminals, because they did not need to build their own phishing infrastructure from scratch. Proofpoint said access to the kit started at $120 for 10 days in 2024, with pricing that varied by top-level domain. (proofpoint.com)

Microsoft said phishing actors using platforms such as Tycoon2FA have relied on lures tied to voicemails, shared documents, human resources notices, and password resets or expirations. In a January 6, 2026 post, Microsoft said this message vector had seen increased visibility and use since May 2025. (microsoft.com)

Proofpoint said Tycoon2FA pages could mimic Microsoft 365 sign-in screens closely enough to include custom branding pulled from Microsoft Entra ID, the identity service formerly called Azure Active Directory. That let fake pages look more like a company's real login portal. (proofpoint.com)

Trustwave said phishing-as-a-service platforms including Tycoon2FA have also used Cloudflare Turnstile, a CAPTCHA check meant to confirm a human clicked the link, along with code obfuscation to make detection harder. Those layers help the phishing page stay online longer and screen out automated scanners. (trustwave.com)

The practical defense is to treat every unexpected login prompt as suspect, even when multifactor authentication is enabled. Microsoft and Proofpoint said organizations need phishing-resistant authentication, tighter session controls, and detections tuned for stolen-cookie attacks, because the password is no longer the only thing being stolen. (microsoft.com)
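As an added illustration of the stolen-cookie detection the vendors recommend (example code written for this page, not Microsoft's, Proofpoint's or any product's own logic), the check below runs over constructed sign-in events and flags a session token that was minted after an MFA-backed login and then reused, without a new MFA challenge, from a different network and browser. The event fields (ts, user, session, ip, asn, ua, mfa) are an assumed simplified schema, not a real log format.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Alice's session S1 is
# replayed minutes later from another ASN and browser with no MFA: the shape
# of an AiTM cookie theft. Bob's S2 stays on one network and browser.
SAMPLE_EVENTS = [
    {"ts": "2026-03-04T09:00:00", "user": "alice@example.test", "session": "S1",
     "ip": "198.51.100.10", "asn": "AS64500", "ua": "Chrome/121 Windows", "mfa": True},
    {"ts": "2026-03-04T09:06:00", "user": "alice@example.test", "session": "S1",
     "ip": "203.0.113.77", "asn": "AS64510", "ua": "Firefox/120 Linux", "mfa": False},
    {"ts": "2026-03-04T10:00:00", "user": "bob@example.test", "session": "S2",
     "ip": "198.51.100.20", "asn": "AS64500", "ua": "Chrome/121 Windows", "mfa": True},
    {"ts": "2026-03-04T16:00:00", "user": "bob@example.test", "session": "S2",
     "ip": "198.51.100.21", "asn": "AS64500", "ua": "Chrome/121 Windows", "mfa": False},
]


def find_session_replays(events, window=timedelta(minutes=30)):
    """Return (user, session, mfa_ip, replay_ip) alerts for session tokens that
    were reused from a different ASN *and* user agent, without a fresh MFA
    challenge, within `window` of the sign-in that satisfied MFA."""
    by_session = {}
    # ISO-8601 timestamps sort correctly as strings, so this orders by time.
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session.setdefault(e["session"], []).append(e)

    alerts = []
    for session, evs in by_session.items():
        # The anchor is the first event in which MFA was actually completed.
        anchor = next((e for e in evs if e["mfa"]), None)
        if anchor is None:
            continue
        anchor_ts = datetime.fromisoformat(anchor["ts"])
        for e in evs:
            if e is anchor or e["mfa"]:
                continue  # a re-challenged sign-in is not a silent replay
            within = datetime.fromisoformat(e["ts"]) - anchor_ts <= window
            network_changed = e["asn"] != anchor["asn"]
            browser_changed = e["ua"] != anchor["ua"]
            if within and network_changed and browser_changed:
                alerts.append((e["user"], session, anchor["ip"], e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print("possible stolen-session replay:", alert)
```

Tune the ASN/user-agent conditions and the window to your own sign-in telemetry; a replay from the same ISP or a spoofed user agent will need additional signals such as device or token binding.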