Cybercriminals operating the Tycoon2FA phishing service have quickly resumed targeting cloud accounts after a major law enforcement intervention. On March 4, 2026, Europol, working with authorities in six countries, took down 330 domains associated with the platform. Despite the scale of the disruption, the operators rebuilt their infrastructure within days.
Swift Resurgence of Tycoon2FA
Tycoon2FA, a subscription-based phishing-as-a-service platform, first emerged in 2023 and sells tooling for bypassing multifactor authentication (MFA). It uses adversary-in-the-middle (AITM) techniques: a proxy sits between the victim and the legitimate login page, relays the live authentication exchange, and captures the credentials, MFA responses and resulting session cookies that pass through it. By mid-2025 the platform dominated the phishing landscape, accounting for 62% of the phishing attempts Microsoft blocked and sending more than 30 million malicious emails a month.
Following the March 4 takedown, CrowdStrike analysts observed an immediate drop in Tycoon2FA activity, to roughly 25% of previous levels. The dip was short-lived: within days, activity returned to the levels seen earlier in 2026 and the phishing campaigns resumed unabated. Crucially, the platform's tactics were unchanged, indicating that the core service itself was never taken offline, only its domains and hosting.
Challenges in Combating Phishing Networks
The operation, led by Europol's European Cybercrime Centre (EC3) and involving law enforcement from multiple countries, resulted in no arrests and no seizure of physical assets connected to Tycoon2FA. That limits the long-term effect of the disruption: the operators adapted quickly by acquiring new hosting, domains and IP space.
This case illustrates the limits of infrastructure-only takedowns. Without arrests, operators can re-establish operations within days, with little interruption to their business. For organizations that rely on Microsoft 365 or Google cloud services, the threat therefore persists at full strength.
Post-Takedown Phishing Tactics
Between March 4 and March 6, 2026, CrowdStrike's Falcon Complete team handled numerous Tycoon2FA-linked incidents involving decoy pages and credential-capture pages. The attack chain typically began with a phishing email that led the victim to a fake CAPTCHA page; once the victim passed the CAPTCHA, the kit captured the session cookie along with the credentials and MFA token. The stolen credentials and MFA tokens were then used to log in to the victims' Microsoft Entra ID accounts from Romania-based IPv6 addresses.
Generative AI was used to produce convincing decoy websites, paired with geofencing checks intended to keep security researchers away from the real credential-capture pages. The campaigns also used URL shorteners, links hosted on legitimate presentation platforms, and compromised SharePoint environments to steer targets to Tycoon2FA infrastructure. Notably, eight of the 11 IPv6 addresses observed were new since the takedown, indicating rapid acquisition of replacement infrastructure.
Organizations should not rely on MFA alone: an AITM kit captures the session after MFA has already succeeded, so only phishing-resistant methods such as FIDO2 security keys or passkeys bound to the legitimate origin actually stop it. Security teams should monitor for suspicious inbox-rule creation and hidden-folder activity in Microsoft Exchange, both early indicators of business email compromise. Continuous training helps employees recognize phishing delivered through trusted platforms or URL shorteners. Conditional access policies, together with monitoring of DNS resolution and cloud authentication logs, are vital for early detection of Tycoon2FA intrusions.
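The inbox-rule monitoring recommended above can be reduced to a small scoring check over Exchange mailbox audit records. The following is an added example, not code from CrowdStrike or the original article; it assumes Unified Audit Log records exported as newline-delimited JSON with the `Operation`, `UserId`, `ClientIP` and `Parameters` (a list of `Name`/`Value` pairs) fields, and the sample log embedded in it is constructed for illustration (documentation IP ranges, fictional users). Rules that hide or delete mail are treated as hard indicators; mark-as-read, sensitive keywords and near-empty rule names are soft indicators that only count in combination.

```python
import json

# Rule actions that hide or divert mail: any one of these is a hard indicator.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
FORWARD_ACTIONS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
# Softer signals that become suspicious in combination.
SENSITIVE_WORDS = {"invoice", "payment", "wire", "bank", "password", "mfa",
                   "phish", "hacked", "suspicious"}
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def rule_params(record):
    """Flatten the record's Parameters list ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_true(value):
    # PowerShell booleans arrive in the audit log as strings such as "True".
    return str(value).strip().lower() in {"true", "$true", "1"}


def rule_findings(record):
    """Return (hard, soft) indicator lists for one inbox-rule audit record."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return [], []
    params = rule_params(record)
    hard, soft = [], []

    folder = str(params.get("MoveToFolder", "")).strip().lower()
    if folder in HIDING_FOLDERS:
        hard.append(f"moves mail to hidden folder '{params['MoveToFolder']}'")
    if is_true(params.get("DeleteMessage", False)):
        hard.append("DeleteMessage enabled")
    for action in FORWARD_ACTIONS:
        if params.get(action):
            hard.append(f"{action} -> {params[action]}")

    if is_true(params.get("MarkAsRead", False)):
        soft.append("MarkAsRead enabled")
    for cond in CONDITION_PARAMS:
        words = {w.strip().lower() for w in str(params.get(cond, "")).split(";") if w.strip()}
        hits = sorted(words & SENSITIVE_WORDS)
        if hits:
            soft.append(f"{cond} matches {hits}")
    # Attackers often name rules "." or "," so they are overlooked in the rules list.
    name = str(params.get("Name") or params.get("Identity") or "").strip()
    if len(name) <= 1:
        soft.append(f"near-empty rule name {name!r}")
    return hard, soft


def find_suspicious_rules(audit_log):
    """Scan newline-delimited JSON audit records and flag rules that carry a hard
    indicator or at least two soft ones. Returns (user, rule name, reasons) tuples."""
    findings = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        hard, soft = rule_findings(record)
        if hard or len(soft) >= 2:
            params = rule_params(record)
            findings.append((record.get("UserId"),
                             params.get("Name") or params.get("Identity"),
                             hard + soft))
    return findings


# Constructed sample: one compromised mailbox creating a hiding rule and then a
# deletion rule, one benign newsletter rule, and one non-rule event.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2026-03-05T08:14:02","Operation":"New-InboxRule","UserId":"a.lee@contoso.example","ClientIP":"2001:db8:7a::15","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;payment;wire"},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-03-05T09:30:11","Operation":"New-InboxRule","UserId":"b.chen@contoso.example","ClientIP":"203.0.113.40","Parameters":[{"Name":"Name","Value":"Vendor newsletters"},{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2026-03-05T11:02:45","Operation":"Set-InboxRule","UserId":"a.lee@contoso.example","ClientIP":"2001:db8:7a::15","Parameters":[{"Name":"Identity","Value":"."},{"Name":"DeleteMessage","Value":"True"},{"Name":"SubjectContainsWords","Value":"password;mfa;suspicious"}]}
{"CreationTime":"2026-03-05T11:05:00","Operation":"UserLoggedIn","UserId":"a.lee@contoso.example","ClientIP":"2001:db8:7a::15","Parameters":[]}
"""

if __name__ == "__main__":
    for user, name, reasons in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f"{user} rule {name!r}: {'; '.join(reasons)}")
```

Running the block flags both of a.lee's rules and ignores the newsletter rule. In production the same logic would run over `Search-UnifiedAuditLog` output or the Exchange mailbox audit stream, and the `ClientIP` on a flagged record is worth correlating immediately with Entra ID sign-in logs, since a rule created from the same address as a recent anomalous sign-in is a strong sign the session cookie, not just the password, has been stolen.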
