In a significant move against cybercrime, Microsoft and Europol, along with other partners, have successfully dismantled the Tycoon 2FA phishing-as-a-service (PhaaS) platform. This platform, notorious for bypassing multifactor authentication (MFA) and facilitating credential theft, was shut down following the seizure of 330 domains used to perpetrate phishing attacks. Active since 2023, Tycoon 2FA was responsible for sending tens of millions of phishing emails monthly.
Disrupting a Major Phishing Operation
The Tycoon 2FA platform allowed cybercriminals to exploit adversary-in-the-middle (AiTM) techniques, capturing sensitive information like credentials and session tokens from users of Microsoft 365 and Gmail services. This dismantling was achieved through a coordinated effort under a U.S. court order and Europol’s Cyber Intelligence Extension Programme (CIEP), marking a significant cross-border public-private takedown.
By mid-2025, this platform was linked to 62% of phishing attempts that Microsoft intercepted, affecting approximately 96,000 victims, including 55,000 Microsoft customers. The healthcare and education sectors experienced severe impacts due to these phishing activities.
Impact on Phishing Activity
The peak of Tycoon 2FA’s activity was observed in November 2025, coinciding with increased phishing activities during the holiday season. During this month, the platform sent approximately 33 million phishing messages, setting a record as the most prolific phishing service tracked by Microsoft. However, a significant reduction in activity was noted by January 2026, with phishing volumes dropping by 57.6% following the coordinated takedown efforts.
This decline indicates the substantial impact of Microsoft’s and Europol’s actions, which led to the disruption of operations for over 500,000 organizations globally. Notably, more than 100 Health-ISAC members experienced phishing attacks, resulting in operational disruptions, such as delayed patient care in New York hospitals and schools.
Technical and Strategic Insights
Tycoon 2FA utilized sophisticated methods, including realistic login templates, reverse proxies, and dynamic JavaScript, to relay user inputs to the legitimate services in real time and hijack the resulting authenticated sessions. Its evasion tactics included CAPTCHA challenges, bot filtering, browser fingerprinting, and multi-domain redundancy for data exfiltration. The platform favored domains with .ru, .com, and .es TLDs, employing rapid rotation to avoid detection.
The operation was reportedly managed by Saad Fridi, based in Pakistan, with support from marketing and hosting services like RedVDS. This takedown reflects a broader trend in disrupting the impersonation economy, following previous operations against similar entities.
Organizations are advised to deploy phishing-resistant MFA solutions, such as passkeys and FIDO2 hardware keys, and enforce strict device trust and session controls. Monitoring for proxy anomalies and rapid domain rotations is essential, along with utilizing AI-driven email filters. Collaboration through ISACs remains crucial for sharing telemetry and countering scalable phishing threats.
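The relay-and-hijack technique described above is exactly what the passkeys and FIDO2 keys recommended here are built to defeat: the browser records the page's real origin in clientDataJSON and the authenticator hashes the relying-party ID into authenticatorData, so an assertion obtained on a proxy domain cannot pass the relying party's checks. The Python below is an added illustration, not code from the article or from Microsoft or Europol; it implements those origin and RP-ID binding checks that a WebAuthn relying party runs before signature verification, using an assumed RP (login.example.com), a constructed lookalike domain, and constructed clientDataJSON and authenticatorData samples.

```python
import base64
import hashlib
import json

EXPECTED_RP_ID = "login.example.com"             # assumed relying party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # origins the RP accepts

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_origin_binding(client_data_json: bytes, authenticator_data: bytes,
                         expected_challenge: bytes) -> tuple:
    """WebAuthn checks a relying party runs before verifying the signature.

    The browser writes the page's real origin into clientDataJSON and the
    authenticator hashes the RP ID into authenticatorData, so an assertion
    produced on a proxy domain fails here even if every keystroke was relayed.
    Returns (ok, reason).
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    origin = client_data.get("origin", "")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match expected RP ID"
    if not authenticator_data[32] & 0x01:  # flags byte, bit 0 = user present
        return False, "user presence flag not set"
    return True, "origin and RP ID bound to the legitimate site"

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser emits on `origin`."""
    enc = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": enc,
                       "origin": origin}).encode()

# Constructed authenticatorData: rpIdHash(32) | flags(1) | signCount(4)
AUTH_DATA = hashlib.sha256(EXPECTED_RP_ID.encode()).digest() + b"\x01" + bytes(4)
CHALLENGE = b"\x11" * 32  # constructed server-issued challenge

if __name__ == "__main__":
    for origin in ("https://login.example.com", "https://login-example.com.ru"):
        print(origin, check_origin_binding(make_client_data(origin, CHALLENGE), AUTH_DATA, CHALLENGE))
```

In a real deployment the browser additionally refuses to use an RP ID that is not a registrable suffix of the page origin, so the lookalike-domain case is normally stopped client-side; the server-side check shown is the defence in depth that makes a relayed assertion unusable either way.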
