The Tycoon 2FA phishing kit has been a formidable threat in the cybersecurity landscape since August 2023. Sold as a Phishing-as-a-Service (PhaaS) platform, it lets cybercriminals rent and deploy the kit with minimal effort. Its purpose is to hijack authenticated sessions of Microsoft 365 and Google Workspace accounts: the victim's login is relayed through an attacker-controlled proxy, so conventional multi-factor authentication (MFA) is genuinely satisfied, but the resulting session token ends up with the attacker.
Impact and Reach of Tycoon 2FA
This phishing tool poses a significant risk because it defeats conventional MFA (one-time codes, push approvals) rather than having to guess or brute-force it. During its peak, Tycoon 2FA was responsible for about 62% of phishing attempts intercepted by Microsoft, affecting over half a million organizations monthly. The campaign has been linked to the threat actor Microsoft tracks as Storm-1747, and the kit features prominently in malware trend trackers such as ANY.RUN.
Elastic Security Labs has analyzed the kit's operations against Microsoft Entra ID and Google Workspace. Their findings reveal that Tycoon 2FA uses two main structural variants, a WebSocket-based session relay and abuse of the OAuth device code grant, to target different cloud identity platforms, highlighting how deeply it is integrated into the phishing ecosystem.
Resilience and Adaptation
Despite a coordinated takedown in March 2026 led by Microsoft and Europol, which resulted in the seizure of over 300 domains, the operators of Tycoon 2FA quickly adapted. Within weeks, they resumed their activities, employing infrastructure changes and blending their tactics with OAuth Device Code phishing, demonstrating their professionalism and resourcefulness.
The Tycoon 2FA’s persistence and sophistication make it a crucial threat to address. Organizations relying solely on traditional MFA are vulnerable, as the kit’s session token theft bypasses these defenses. Understanding the inner workings of Tycoon 2FA is vital for developing effective protective measures.
Technical Operation and Defense Strategies
Tycoon 2FA does not rely on harvesting a password to replay later. It sits between the victim and the real identity provider as a reverse proxy: the phishing page forwards every request, including the MFA challenge, to Microsoft or Google and relays the responses back, so the victim sees a login that completes normally. The attack typically begins with a phishing email containing a link or QR code that sends the victim to a convincing replica of the legitimate login page on an attacker-controlled domain. Once the MFA step completes, the proxy captures the session cookie issued by the identity provider, and the attacker replays it from their own infrastructure. Because MFA was satisfied for that session, the attacker gets into the account without any further authentication prompt.
Elastic recommends phishing-resistant MFA such as FIDO2 security keys to counter these tactics: a WebAuthn authenticator binds its response to the origin it was registered for, so a proxy running on a look-alike domain cannot complete the challenge. Additional measures include enforcing device compliance, blocking device code flows that the organization does not use (for example through a Conditional Access policy), and enabling token protection so that sign-in sessions are bound to the device they were issued to. During incident response, security teams must also enumerate and remove attacker-registered devices before revoking sessions; otherwise a device the attacker joined to the tenant can simply obtain a fresh session after the revocation, which is how the kit persists.
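The two signals described above, a stolen session cookie being replayed from a different network than the one where MFA was satisfied, and a sign-in completed through the device code grant, as an added detection example in Python. This is not Elastic's published rule logic nor any Tycoon 2FA code; the event schema and field names are assumptions loosely modelled on Entra ID sign-in log attributes, and the sample records are constructed (documentation IP ranges, fictitious ASNs and users).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    """One normalised sign-in event. Field names are an assumption loosely
    modelled on Entra ID sign-in log attributes, not Elastic's schema."""
    ts: datetime
    user: str
    ip: str
    asn: str          # network the request came from
    session_id: str   # identifier shared by all requests carrying one session token
    mfa: str          # "satisfied" = interactive MFA; "previously_satisfied" = token reuse; "none"
    protocol: str     # "oAuth2", "deviceCode", ...


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2026-04-01T{hhmm}:00")


# Constructed sample events (RFC 5737 documentation IPs, fictitious ASNs and users).
SAMPLE = [
    # alice: MFA satisfied through the proxy on a hosting network, then the same
    # session token is replayed minutes later from a different network.
    SignIn(_t("09:00"), "alice@example.com", "203.0.113.10", "AS64500", "S1", "satisfied", "oAuth2"),
    SignIn(_t("09:07"), "alice@example.com", "198.51.100.7", "AS64501", "S1", "previously_satisfied", "oAuth2"),
    # bob: normal behaviour, token reused on the same corporate network.
    SignIn(_t("10:00"), "bob@example.com", "192.0.2.5", "AS64502", "S2", "satisfied", "oAuth2"),
    SignIn(_t("10:30"), "bob@example.com", "192.0.2.9", "AS64502", "S2", "previously_satisfied", "oAuth2"),
    # carol: a device-code-flow sign-in, which a tenant that blocks the flow should never see.
    SignIn(_t("11:00"), "carol@example.com", "203.0.113.20", "AS64500", "S3", "satisfied", "deviceCode"),
]


def detect_session_replay(events, window=timedelta(hours=12)):
    """Return (session_id, user, mfa_ip, replay_ip) for every session whose MFA
    was satisfied on one network and which was then used from a different ASN,
    without a fresh MFA, within `window`. That is the footprint a stolen session
    cookie leaves: the proxy completed MFA, the attacker then uses the cookie."""
    by_session = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(e.session_id, []).append(e)

    alerts = []
    for sid, evs in by_session.items():
        anchor = next((e for e in evs if e.mfa == "satisfied"), None)
        if anchor is None:
            continue
        for e in evs:
            if e.ts <= anchor.ts or e.ts - anchor.ts > window:
                continue
            if e.asn != anchor.asn and e.mfa == "previously_satisfied":
                alerts.append((sid, anchor.user, anchor.ip, e.ip))
                break  # one alert per session is enough
    return alerts


def detect_device_code(events):
    """Return (user, ip) for sign-ins completed via the OAuth device code grant."""
    return [(e.user, e.ip) for e in events if e.protocol == "deviceCode"]


if __name__ == "__main__":
    for sid, user, mfa_ip, replay_ip in detect_session_replay(SAMPLE):
        print(f"[session replay] {user}: MFA from {mfa_ip}, session {sid} reused from {replay_ip}")
    for user, ip in detect_device_code(SAMPLE):
        print(f"[device code] {user} signed in via device code flow from {ip}")
```

On real data the ASN comparison should be paired with an allow-list of corporate egress networks and VPN ranges, otherwise roaming users generate noise; the device code check, by contrast, needs no tuning in a tenant where the flow is blocked by policy, since any hit is a policy gap or an attacker.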
Indicators of Compromise (IoCs) identified by Elastic Security Labs provide crucial insights into Tycoon 2FA’s operations, helping organizations recognize and counteract this sophisticated threat.
For the latest updates, follow us on Google News, LinkedIn, and X. Set Cyber Security News as a preferred source for timely cybersecurity insights.
