A highly sophisticated phishing platform known as the Tycoon 2FA phishing kit is redefining the threat landscape by successfully bypassing multi-factor authentication (MFA) protections on Microsoft Entra ID and Google Workspace accounts.
First observed in August 2023, the kit operates as a Phishing-as-a-Service (PhaaS) offering, allowing cybercriminals to rent advanced attack infrastructure without technical expertise. At its peak, Tycoon 2FA was responsible for nearly 62% of phishing attempts blocked by Microsoft, targeting over 500,000 organizations monthly.
At the center of this activity is a threat actor tracked as Storm-1747, whose operations continue to evolve despite coordinated global takedown efforts.
Key Details
The Tycoon 2FA ecosystem is designed for scale and resilience. Even after a major disruption effort in March 2026—during which Microsoft and Europol seized more than 300 malicious domains—the campaign rapidly recovered.
Within weeks, operators re-established infrastructure and introduced enhancements, including integration with OAuth device code phishing flows, further increasing attack success rates.
Researchers have identified two distinct operational models used by the kit:
- WebSocket-based session relay attacks
- Device Code Grant abuse targeting OAuth workflows
Unlike traditional phishing kits, Tycoon 2FA focuses on session hijacking rather than simple credential theft, enabling attackers to bypass MFA protections entirely.
Technical Analysis
Adversary-in-the-Middle (AiTM) Attack Model
Tycoon 2FA uses an Adversary-in-the-Middle (AiTM) technique, acting as a reverse proxy between the victim and legitimate login platforms such as Microsoft 365 or Google Workspace.
The attack flow typically unfolds as follows:
- Victim receives a phishing email containing a malicious link or QR code
- Link redirects through multiple obfuscation layers
- Victim lands on a pixel-perfect replica of the login page
- Login credentials and MFA input are relayed in real time
- Session cookie is intercepted immediately after authentication
Because the victim completes the MFA challenge successfully and ends up in a genuine authenticated session, there are no visible signs of compromise from the user's side.
Session Token Theft
Instead of stealing passwords, the kit captures authenticated session tokens (cookies), which allow attackers to:
- Access accounts without triggering MFA again
- Bypass identity verification controls
- Maintain persistent access until token expiration
This technique aligns with:
- MITRE ATT&CK T1550 – Use of Valid Accounts
- T1185 – Browser Session Hijacking
Device Code Grant Abuse
A second attack vector abuses OAuth Device Code flows, commonly used for secure device authentication.
The kit uses known client IDs such as:
- Microsoft Authentication Broker
- Google Chrome OAuth client
Attackers trick users into completing a device authentication request, granting access without requiring direct password entry in some scenarios.
Advanced Evasion Techniques
Tycoon 2FA incorporates multiple anti-detection mechanisms:
- Dynamic payload encryption (CryptoJS with AES-CBC)
- Visitor filtering based on IP reputation and ASN (blocking researchers)
- Blocking developer tools and browser inspection
- Payload deletion after execution
- Per-session unique payload generation
It also uses WebSocket-based communication channels with identifiable fingerprints, including specific Socket.IO event patterns.
Impact and Risks
The implications of Tycoon 2FA are severe because it directly undermines MFA—a foundational security control.
For Organizations:
- Unauthorized access to Microsoft 365 and Google Workspace environments
- Data exfiltration and email compromise
- Business Email Compromise (BEC) attacks
- Lateral movement within cloud infrastructure
For Individuals:
- Account takeover without warning
- Exposure of sensitive communications and files
- Financial or identity-based fraud
For Security Teams:
- Traditional incident response becomes less effective
- Token-based persistence can survive password resets
- Delayed detection increases dwell time
One critical risk is that attackers can register rogue devices within Entra ID, generating persistent Primary Refresh Tokens (PRTs) that remain valid even after session revocation.
Expert Recommendations
Defending against AiTM phishing kits like Tycoon 2FA requires a shift beyond traditional MFA models.
Identity and Access Controls:
- Deploy phishing-resistant MFA such as FIDO2 security keys or passkeys
- Disable or tightly control OAuth device code flows
- Enforce Conditional Access policies with device compliance checks
Endpoint and Detection:
- Monitor for unusual session activity and token anomalies
- Detect multiple IP logins within short timeframes
- Integrate identity telemetry into SIEM and XDR platforms
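The two detection items above translate into simple heuristics over sign-in telemetry. The following is an added example, not code from the article or from any vendor product: it flags a session identifier that is used from more than one network (ASN) within a short window, the footprint of a relayed session cookie, and lists sign-ins completed through the OAuth device code flow. Field names are assumptions modelled loosely on Entra sign-in logs, and the events are constructed.

```python
"""Detection heuristics for AiTM session relay and device code sign-ins (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events; field names are assumptions, not real telemetry.
EVENTS = [
    {"time": "2026-04-01T09:00:00", "user": "alice@example.com", "session_id": "s-1",
     "ip": "198.51.100.10", "asn": 64500, "protocol": "oAuth2"},
    # Same session cookie four minutes later from a different network: relay hand-off.
    {"time": "2026-04-01T09:04:00", "user": "alice@example.com", "session_id": "s-1",
     "ip": "203.0.113.7", "asn": 64501, "protocol": "oAuth2"},
    # Sign-in completed via the device code flow.
    {"time": "2026-04-01T10:00:00", "user": "bob@example.com", "session_id": "s-2",
     "ip": "198.51.100.20", "asn": 64500, "protocol": "deviceCode"},
    # Same session, same ASN, a day apart: benign address change, not flagged.
    {"time": "2026-04-01T11:00:00", "user": "carol@example.com", "session_id": "s-3",
     "ip": "198.51.100.30", "asn": 64500, "protocol": "oAuth2"},
    {"time": "2026-04-02T11:00:00", "user": "carol@example.com", "session_id": "s-3",
     "ip": "198.51.100.31", "asn": 64500, "protocol": "oAuth2"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def relayed_sessions(events, window=timedelta(minutes=30)):
    """Return session ids observed from two different ASNs within `window`.

    A cookie minted after MFA on one network and replayed from another
    network minutes later is the AiTM relay pattern described in the text.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session_id"]].append(event)
    flagged = set()
    for session_id, evs in by_session.items():
        evs.sort(key=_ts)
        for prev, cur in zip(evs, evs[1:]):
            if cur["asn"] != prev["asn"] and _ts(cur) - _ts(prev) <= window:
                flagged.add(session_id)
    return flagged


def device_code_signins(events):
    """Return (user, ip) pairs for sign-ins that used the device code grant."""
    return [(e["user"], e["ip"]) for e in events if e["protocol"] == "deviceCode"]


if __name__ == "__main__":
    print("relayed sessions:", relayed_sessions(EVENTS))
    print("device code sign-ins:", device_code_signins(EVENTS))
```

Device code sign-ins are not malicious by themselves; the list is a review queue to correlate with the user's expected devices and the client IDs named in the text.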
Incident Response:
- Identify and remove unauthorized registered devices
- Revoke active tokens along with password resets
- Audit user sessions and OAuth app permissions
User Awareness:
- Educate employees on QR code phishing and link-based attacks
- Encourage reporting of suspicious login prompts
Industry Context
Tycoon 2FA represents a growing shift toward identity-centric attacks, where adversaries target authentication mechanisms rather than endpoint vulnerabilities.
AiTM phishing kits are rapidly becoming the dominant model in credential theft operations, largely due to:
- Increased adoption of MFA
- Expansion of SaaS platforms
- Reliance on browser-based authentication
Similar kits—such as EvilProxy and Modlishka—have also demonstrated MFA bypass capabilities, but Tycoon 2FA stands out for its scalability and service-based model.
The rise of Phishing-as-a-Service platforms is lowering the barrier for cybercriminals, enabling even low-skilled actors to launch highly sophisticated attacks.
Conclusion
The Tycoon 2FA phishing kit signals a critical turning point in cybersecurity: MFA alone is no longer sufficient against modern phishing threats.
With powerful AiTM capabilities, persistent access techniques, and rapid infrastructure recovery, Tycoon 2FA has established itself as one of the most dangerous phishing tools currently in circulation.
Organizations must adapt quickly—shifting toward phishing-resistant authentication and identity-aware security models—to stay ahead of this evolving threat.
FAQ
What is the Tycoon 2FA phishing kit?
Tycoon 2FA is a phishing-as-a-service platform that steals session tokens to bypass MFA on Microsoft and Google accounts.
How does Tycoon 2FA bypass MFA?
It uses an adversary-in-the-middle technique to intercept authentication sessions and capture valid session cookies after MFA is completed.
Which platforms are targeted by Tycoon 2FA?
The kit primarily targets Microsoft Entra ID (Microsoft 365) and Google Workspace accounts.
What is device code phishing?
It is a technique where attackers trick users into authorizing access through OAuth device code flows, granting unauthorized account access.
How can organizations defend against AiTM phishing attacks?
By implementing phishing-resistant MFA like FIDO2 keys, enforcing conditional access policies, and monitoring session behavior.