Tycoon 2FA AiTM Kit Bypasses MFA on Entra ID and Google Workspace Accounts
Cybersecurity NewsArchived May 27, 2026✓ Full text saved
A powerful phishing kit known as Tycoon 2FA has been making waves across the cybersecurity world since it first appeared in August 2023. The kit operates as a Phishing-as-a-Service (PhaaS) platform, meaning cybercriminals can rent and deploy it without building anything from scratch. Its primary goal is to steal authenticated session tokens from Microsoft 365 […] The post Tycoon 2FA AiTM Kit Bypasses MFA on Entra ID and Google Workspace Accounts appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Tycoon 2FA AiTM Kit Bypasses MFA on Entra ID and Google Workspace Accounts
By Tushar Subhra Dutta
May 27, 2026
A powerful phishing kit known as Tycoon 2FA has been making waves across the cybersecurity world since it first appeared in August 2023.
The kit operates as a Phishing-as-a-Service (PhaaS) platform, meaning cybercriminals can rent and deploy it without building anything from scratch.
Its primary goal is to steal authenticated session tokens from Microsoft 365 and Google Workspace accounts by sitting silently between the victim and the real login page.
What makes Tycoon 2FA especially dangerous is that it defeats multi-factor authentication entirely. At its peak, the kit accounted for roughly 62% of phishing attempts blocked by Microsoft, hitting over 500,000 organizations every single month.
Microsoft’s threat intelligence team attributed the campaign to a threat actor tracked as Storm-1747, and the kit currently sits at the top of ANY.RUN’s malware trends tracker.
Analysts at Elastic Security Labs identified the mechanics behind the kit and documented how it operates across both Microsoft Entra ID and Google Workspace environments.
Elastic said in a report shared with Cyber Security News (CSN) that the kit uses two structural variants, WebSocket-based session relay and device-code-grant abuse, to carry out attacks against different cloud identity platforms. Their findings shed light on just how embedded this threat has become in the modern phishing landscape.
Even a coordinated March 2026 takedown led by Microsoft and Europol, which seized over 300 domains, could not stop the campaign for long.
Operators bounced back within weeks, adapting their infrastructure and blending their methods with OAuth Device Code phishing flows, as documented by eSentire in late April 2026. The kit’s resilience reflects how professional and well-resourced the group behind it really is.
The scale and sophistication of Tycoon 2FA make it one of the most consequential phishing threats active today.
Example of a Tycoon custom CAPTCHA page (Source – Elastic)
Organizations relying solely on traditional MFA are not protected, as this kit bypasses those controls through session token theft. Understanding how the kit works is the first step toward building defenses that can hold up.
How Tycoon 2FA Bypasses MFA
Tycoon 2FA does not steal credentials the old-fashioned way. Instead, it acts as a reverse proxy, standing between the victim and the real Microsoft or Google login page and relaying everything in real time.
The victim completes their MFA challenge normally, never knowing the kit intercepted the session token the moment it was issued. The attack begins with a phishing email carrying a link or QR code embedded in a PDF, SVG, HTML, or PowerPoint file.
The link routes through a multi-layer redirect chain before landing on a pixel-perfect replica of the target login page, often loaded with the victim’s organization branding pulled directly from the real service.
Once the victim finishes MFA, the kit captures the session cookie and hands it to the attacker, who can then access the account without any further prompts.
Evasion and Post-Compromise Persistence
Tycoon 2FA is built to survive incident response. The kit can register a rogue device in Entra ID, obtaining a primary refresh token that stays valid even after a defender revokes the compromised user’s sessions.
This means the standard “revoke sessions and reset password” playbook is no longer enough to fully contain a Tycoon 2FA compromise.
Microsoft – Kit relay detection (Source – Elastic)
Beyond persistence, the kit takes extreme steps to avoid analysis. It filters visitors from cloud and hosting IP ranges, blocks developer tools, detects automation frameworks, and removes its own malicious code from the page after execution.
Each victim receives a uniquely encrypted payload seeded with per-session values, making signature-based detection nearly impossible.
To defend against this threat, Elastic recommends deploying phishing-resistant MFA such as FIDO2 security keys or passkeys, since these are the only methods immune to AiTM session theft.
Organizations should also enforce device compliance through Conditional Access, block device code flows for all users except approved scenarios, and enable token protection to bind tokens to specific devices.
Defenders must carefully enumerate and delete registered devices before revoking sessions to fully break the device-PRT persistence chain.
Indicators of Compromise (IoCs):-
The following indicators were documented by Elastic Security Labs in their analysis of Tycoon 2FA campaigns.
Type Indicator Description
Client App ID 29d9ed98-a469-4536-ade2-f981bc1d605e Microsoft Authentication Broker client ID used by the kit relay for device-code-grant abuse and PRT minting
OAuth Client ID 77185425430.apps.googleusercontent.com Google Chrome OAuth client targeted in every Google Workspace relay session
OAuth Scope https://www.google.com/accounts/OAuthLogin Chrome’s internal bootstrap sign-in scope used by the kit to initiate Google relay sessions
User-Agent node, axios/1.15.2, node-fetch/1.0, undici Node.js HTTP client user agents used by the Tier 1 kit relay against Microsoft Entra ID
API Domain api.ipapi.is IP geolocation/ASN lookup service called by the kit to filter out researcher and cloud provider traffic
ASN Alibaba Cloud (and similar cheap-VPS ASNs) Tier 1 kit relay infrastructure used for automated token acquisition and renewal
ASN Clouvider, Host Telecom Cheap hosting ASNs used by kit relay IPs in Google Workspace campaigns
Socket.IO Event recieveid Consistent kit fingerprint (note deliberate typo) used in the WebSocket C2 relay channel
Crypto Key 1234567890123456 Hardcoded AES-CBC key found in kit JavaScript for encrypting collected credentials
Library CryptoJS 4.2.0 JavaScript library bundled in the Google-targeting kit variant for credential encryption
Socket.IO Version Socket.IO 4.6.0 WebSocket C2 library version used in the Google-targeting kit variant
Entra Error Code 53003 Error returned when device code flow is blocked via Conditional Access, confirming successful policy enforcement
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
Hackers Use NF-e Invoice Lures to Deliver Banana RAT Through Malicious Batch Files
Anthropic’s Restricted Claude Mythos Moves Toward Public Release via Claude Code and Security
Hackers Hide Linux Payload Under SSH-Like Filename During Package Installation
New GhostTree Attack Causing EDR Products to Hang and Leave Files Unscanned
PyrsistenceSniper – Tool that Detects 117 Persistence Malware Techniques on Windows, Linux, and macOS
Latest News
Cyber Security News
Hackers Push 22 Versions of npm RAT With Wallet Theft and Persistent Backdoor
ANY.RUN
How Top CISOs Increase Risk Visibility for Zero Critical Incidents
Cyber Security News
Hackers Abuse AI Chatbot Recommendations to Push Malicious Software Download Links
Cyber Security
Motorola Phones Preinstalled App Found Hijacking Amazon App to Inject Affiliate Codes
AI
Attackers Can Exploit BadHost to Access Sensitive AI Agent Server Endpoints