A coordinated law enforcement and private industry operation led by Europol and Microsoft dismantled Tycoon 2FA, a phishing-as-a-service (PhaaS) platform that used adversary-in-the-middle (AitM) proxying to bypass multi-factor authentication. Over 300 domains were seized. The platform had approximately 2,000 users and used more than 24,000 domains since its 2023 launch, targeting Microsoft 365 and Google accounts. Tycoon 2FA captured credentials, MFA codes, and session cookies in real time, feeding a broader cybercrime ecosystem of credential resale, business email compromise, and ransomware. Trend Micro contributed threat intelligence, infrastructure mapping, and actor attribution, linking the operation to actors using the monikers 'SaaadFridi' and 'Mr_Xaad'. The post also outlines defensive recommendations including phishing-resistant MFA, email security tools, identity posture management, and security awareness training.