Phishing platform rebounds
The Tycoon2FA phishing platform has rebounded, and researchers say a broader industrialization of deception is letting attackers harvest MFA codes and scale credential theft. That trend means attackers are increasingly combining automated tooling with social engineering to bypass common controls. (govinfosecurity.com) (techradar.com)
Tycoon2FA operated as a transparent reverse proxy that relayed victims to genuine identity providers in real time, allowing operators to capture live session tokens and MFA responses rather than only static passwords. (cloudflare.com)

On March 4, 2026, Microsoft and Europol led a coordinated disruption that seized 330 domains associated with Tycoon2FA’s core infrastructure. (microsoft.com) After the seizure, CrowdStrike observed only a brief dip in Tycoon2FA activity on March 4–5, 2026, followed by a return to early‑2026 campaign volumes within days, indicating rapid operator recovery. (crowdstrike.com)

Microsoft telemetry shows Tycoon2FA‑powered campaigns reached over 500,000 organizations per month, and some industry reports attribute as much as 62% of Microsoft‑blocked phishing attempts to the kit at its peak in mid‑2025. (microsoft.com) Investigators found the service was marketed via private Telegram channels as a subscription PhaaS offering, with entry prices reported around $120 for turnkey access to MFA‑bypassing tooling. (cloudflare.com)

Security vendors and recent research characterize this activity as part of a broader “industrialization of deception,” in which automated tooling, AI, and coordinated supply chains let criminal syndicates scale domain hijacking and credential‑harvesting campaigns. (techradar.com) Because the platform captured live cookies and OAuth/session tokens, a compromise could yield persistent account access and session hijack rather than one‑time password theft, raising the impact of successful phishing well beyond simple credential reuse. (microsoft.com)
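The defender-side consequence of a relay proxy capturing live session tokens is that the same token tends to surface from more than one client shortly after the MFA exchange. The following is an added example (not code from Microsoft, CrowdStrike, Cloudflare or Europol) that flags that pattern over constructed sign-in events; the log field names, IP addresses and the 30-minute window are assumptions, not any vendor's schema or threshold.

```python
"""Flag session tokens used from a second client IP shortly after first use.

Added example, not code from any vendor named in the article. An AiTM proxy
relays the victim's MFA exchange, so the resulting session cookie can be used
first through the proxy and then replayed by the operator from elsewhere.
Field names, addresses and the window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: session S1 is re-used from a new IP within a minute.
EVENTS = [
    {"ts": "2026-03-05T09:00:00", "user": "alice", "session": "S1", "ip": "203.0.113.10"},
    {"ts": "2026-03-05T09:00:40", "user": "alice", "session": "S1", "ip": "198.51.100.7"},
    {"ts": "2026-03-05T09:10:00", "user": "bob",   "session": "S2", "ip": "203.0.113.22"},
    {"ts": "2026-03-05T11:30:00", "user": "bob",   "session": "S2", "ip": "203.0.113.22"},
]


def find_session_reuse(events, window=timedelta(minutes=30)):
    """Return (user, session, first_ip, second_ip) tuples for every session
    whose token was seen from a different IP within `window` of its first use.

    Sessions used from a single IP, or from a new IP only after the window,
    are not reported; one alert per session is emitted at most.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(
            (datetime.fromisoformat(e["ts"]), e["user"], e["ip"])
        )

    alerts = []
    for session, uses in by_session.items():
        uses.sort()  # chronological order within the session
        first_ts, user, first_ip = uses[0]
        for ts, _, ip in uses[1:]:
            if ip != first_ip and ts - first_ts <= window:
                alerts.append((user, session, first_ip, ip))
                break
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(EVENTS):
        print("possible session-token replay:", alert)
```

In a real deployment the same check would run over identity-provider sign-in logs and be paired with shorter token lifetimes, so that a captured cookie expires before it can be replayed.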