Microsoft and Europol Take Down Tycoon 2FA Phishing Kit Used in Global Cyber Attacks - cyberpress.org
By AnuPriya
March 5, 2026
Microsoft, Europol, and a coalition of industry partners have dismantled the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform, a major adversary-in-the-middle (AiTM) operation that bypassed multi-factor authentication (MFA) for more than 96,000 victims worldwide.
Active since August 2023, this cybercrime service enables low-skilled attackers to steal credentials and session cookies in real time, targeting Microsoft 365 and Google accounts.
Sold on Telegram for about $120, it fueled tens of millions of phishing emails a month at its peak in 2025, and Microsoft attributes 62% of the phishing it blocked to Tycoon.
The takedown, backed by a U.S. court order and a $10 million civil complaint from Health-ISAC, seized 330 domains and servers across Europe.
This borderless threat hit critical sectors hard, compromising hospitals, schools, and universities. Attackers paired Tycoon with services like RedVDS for mass campaigns, delaying patient care and disrupting education.
Primary operator Saad Fridi, linked to Pakistan, ran it like a business with partners on marketing and support. Evidence shows ties to RaccoonO365 operators.
Anatomy and Attribution
Tycoon 2FA captured live sessions to dodge MFA, making it ideal for impersonation attacks.
Here’s a breakdown:
Threat Name: Tycoon 2FA (Tycoon2FA)
Attack Type: Phishing-as-a-Service (PhaaS), adversary-in-the-middle (AiTM), MFA bypass
Primary Operator: Saad Fridi (Pakistan-attributed)
Active Timeline: August 2023 to March 2026
Victimology: 96,000+ victims, with healthcare and education hit hardest
Scale: more than 500,000 targets per month; 62% of phishing blocked by Microsoft
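The table's core point, that a live AiTM proxy relays a password and one-time code straight through while an origin-bound FIDO2 assertion fails at the identity provider, can be shown in a few dozen lines. The following is an added example, not Tycoon 2FA code or any vendor's implementation: the identity provider, the phishing proxy and the security key are toy classes, the origins, user name, secrets and challenge are assumed values, the TOTP routine follows RFC 6238, and an HMAC stands in for the security key's private-key signature so the script runs with the Python standard library only.

```python
"""Toy AiTM relay: relayed password+TOTP succeeds, origin-bound WebAuthn does not.

Constructed model, not Tycoon 2FA code. An HMAC stands in for the security key's
private-key signature so the script runs with the standard library only.
"""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"               # assumed real IdP origin
PHISH_ORIGIN = "https://login-example-com.phish.example"  # assumed proxy origin


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over a time counter."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class IdentityProvider:
    """The real service: issues a session cookie after a successful login."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}      # user -> (password, totp_secret, webauthn_key)
        self.sessions = {}   # cookie -> user

    def _issue_cookie(self, user: str) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_password_totp(self, user, password, code, now):
        pw, totp_secret, _ = self.users[user]
        # Neither a password nor a TOTP code encodes where it was typed, so the
        # proxy can forward both unchanged and the IdP cannot tell them apart.
        if pw == password and any(totp(totp_secret, now + d) == code for d in (-30, 0, 30)):
            return self._issue_cookie(user)
        return None

    def login_webauthn(self, user, client_data_json: bytes, signature: bytes):
        _, _, key = self.users[user]
        client_data = json.loads(client_data_json)
        # WebAuthn relying parties check the origin in clientDataJSON before the
        # signature; the browser writes that field, the page cannot change it.
        if client_data.get("origin") != self.origin:
            return None
        expected = hmac.new(key, client_data_json, hashlib.sha256).digest()
        return self._issue_cookie(user) if hmac.compare_digest(expected, signature) else None

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class Authenticator:
    """The user's security key: signs what the browser hands it, origin included."""

    def __init__(self, key: bytes):
        self.key = key

    def sign(self, page_origin: str, challenge: str):
        client_data_json = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
        return client_data_json, hmac.new(self.key, client_data_json, hashlib.sha256).digest()


def demo() -> dict:
    idp = IdentityProvider(LEGIT_ORIGIN)
    totp_secret, fido_key = b"constructed-totp-secret", b"constructed-fido-key"
    idp.users["alice"] = ("hunter2", totp_secret, fido_key)  # constructed account
    now = 1_700_000_000

    # 1. Victim types password and current code into the proxied page; the
    #    proxy relays them and keeps the cookie the IdP hands back.
    stolen_cookie = idp.login_password_totp("alice", "hunter2", totp(totp_secret, now), now)

    # 2. Same proxy, but the user has a security key. The browser is on
    #    PHISH_ORIGIN, so that is the origin the key signs and the IdP rejects.
    #    (A real browser would not even offer the credential, since it is scoped
    #    to the legitimate RP ID; the origin check is the second line of defence.)
    phish_cd, phish_sig = Authenticator(fido_key).sign(PHISH_ORIGIN, "challenge-from-idp")
    relayed_webauthn = idp.login_webauthn("alice", phish_cd, phish_sig)

    # 3. Control: the same key used on the genuine origin works.
    legit_cd, legit_sig = Authenticator(fido_key).sign(LEGIT_ORIGIN, "challenge-from-idp")
    direct_webauthn = idp.login_webauthn("alice", legit_cd, legit_sig)

    return {
        "totp_relay_gives_attacker_session": idp.whoami(stolen_cookie) == "alice",
        "webauthn_relay_rejected": relayed_webauthn is None,
        "webauthn_direct_accepted": idp.whoami(direct_webauthn) == "alice",
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry directly: the relayed password and code yield a cookie the proxy operator can use as the victim, while the relayed WebAuthn assertion is refused because the signed client data names the phishing origin. Push-based or code-based MFA can be relayed for the same reason the first path succeeds; nothing in the second factor is tied to the site the user is actually on.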
TrendAI sparked the probe, with Proofpoint, Intel 471, and eSentire sharing telemetry. Cloudflare took down servers, Coinbase traced cryptocurrency payments, and Shadowserver alerted more than 200 CERTs.
Law enforcement in the UK, Spain, Poland, Latvia, Lithuania, and Portugal seized infrastructure under Europol’s CIEP.
The operation required a rare public-private sync. As attackers regroup, orgs must act fast.
Authentication: use phishing-resistant MFA such as FIDO2 security keys
Session Control: set short session lifetimes and enable continuous access checks
Threat Intelligence: load published Tycoon indicators of compromise (IOCs) into network defenses
Monitoring: train analysts on AiTM reverse-proxy tradecraft and hunt for stolen session tokens
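The Session Control and Monitoring rows above describe what to look for but not how. The script below is an added example, not Microsoft or vendor tooling, that runs three checks over sign-in telemetry: the interactive MFA sign-in arriving from a hosting network (the proxy completes the login, not the victim), a session id later used from a different network or user agent than the one that created it (cookie replay), and a session used past the lifetime policy. The log lines are constructed, the field names (`ts`, `user`, `event`, `session`, `ip`, `asn`, `ua`) are an assumed generic sign-in schema, the addresses and ASNs come from the documentation ranges, and `HOSTING_ASNS` and `MAX_SESSION_AGE` are placeholders for your own values.

```python
"""Flag likely AiTM session theft in sign-in telemetry.

Added example, not Microsoft or vendor tooling. The log lines are constructed,
the field names are an assumed generic sign-in schema, and HOSTING_ASNS is a
placeholder for your own list of VPS/hosting networks.
"""
import json
from datetime import datetime, timedelta

HOSTING_ASNS = {"AS64496", "AS64497"}   # placeholder values from the documentation ASN range
MAX_SESSION_AGE = timedelta(hours=8)    # assumed session-lifetime policy

# Constructed sample log (RFC 5737 documentation addresses). carol's sign-in
# arrives from a hosting ASN and her session is then used from a different
# network with a scripted user agent; bob's session outlives policy; dave is benign.
SAMPLE_LOG = """\
{"ts":"2026-03-01T08:02:10Z","user":"bob","event":"interactive_signin","mfa":"totp","session":"s1","ip":"203.0.113.7","asn":"AS64500","ua":"Chrome/122"}
{"ts":"2026-03-01T08:05:44Z","user":"bob","event":"token_use","session":"s1","ip":"203.0.113.7","asn":"AS64500","ua":"Chrome/122"}
{"ts":"2026-03-01T09:14:02Z","user":"carol","event":"interactive_signin","mfa":"totp","session":"s2","ip":"198.51.100.9","asn":"AS64496","ua":"Chrome/122"}
{"ts":"2026-03-01T09:21:30Z","user":"carol","event":"token_use","session":"s2","ip":"192.0.2.44","asn":"AS64501","ua":"python-requests/2.31"}
{"ts":"2026-03-01T10:00:00Z","user":"dave","event":"interactive_signin","mfa":"fido2","session":"s3","ip":"203.0.113.20","asn":"AS64500","ua":"Firefox/123"}
{"ts":"2026-03-01T10:40:00Z","user":"dave","event":"token_use","session":"s3","ip":"203.0.113.21","asn":"AS64500","ua":"Firefox/123"}
{"ts":"2026-03-01T17:30:00Z","user":"bob","event":"token_use","session":"s1","ip":"203.0.113.7","asn":"AS64500","ua":"Chrome/122"}
"""


def parse_log(text: str) -> list:
    """One dict per JSON line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def detect_aitm(events: list) -> list:
    """Return one alert dict per suspicious event, in time order."""
    issued = {}   # session id -> the interactive sign-in that created it
    alerts = []
    for e in sorted(events, key=_ts):
        if e["event"] == "interactive_signin":
            issued[e["session"]] = e
            # The proxy, not the victim, completes the MFA sign-in, so the
            # "interactive" login arrives from the attacker's server network.
            if e["asn"] in HOSTING_ASNS:
                alerts.append({"rule": "mfa_signin_from_hosting_asn", "user": e["user"],
                               "session": e["session"], "ip": e["ip"]})
        elif e["event"] == "token_use":
            origin = issued.get(e["session"])
            if origin is None:
                continue   # no sign-in seen for this session in the window
            age = _ts(e) - _ts(origin)
            if age > MAX_SESSION_AGE:
                alerts.append({"rule": "session_outlived_policy", "user": e["user"],
                               "session": e["session"], "age_hours": age.total_seconds() / 3600})
            # A stolen cookie is replayed from the attacker's own client: new
            # network and usually a new user agent, while the session id is unchanged.
            elif e["asn"] != origin["asn"] or e["ua"] != origin["ua"]:
                alerts.append({"rule": "session_replayed_from_new_client", "user": e["user"],
                               "session": e["session"], "from": origin["ip"], "to": e["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm(parse_log(SAMPLE_LOG)):
        print(alert)
```

Dave's second event changes IP within the same ASN and keeps the same browser, so it is not flagged; a check on IP alone would be noisy for mobile and NAT users, which is why the comparison is on network and client rather than address. Any hit on `mfa_signin_from_hosting_asn` is the strongest signal, because it captures the proxy itself completing the login, not just the later misuse of the cookie.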
Harden identity now: a session cookie stolen before the takedown remains valid until it expires or is revoked. This win slows the PhaaS economy but demands continued vigilance.
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.