A powerful phishing kit known as Tycoon 2FA has established itself as one of the most consequential phishing threats active today. The kit operates as a Phishing-as-a-Service (PhaaS) platform, meaning cybercriminals can rent and deploy it without building anything from scratch. Its primary goal is to steal authenticated session tokens from Microsoft 365 and Google Workspace accounts by sitting silently between the victim and the real login page.
What makes Tycoon 2FA especially dangerous is that it defeats multi-factor authentication entirely. At its peak, the kit accounted for roughly 62% of phishing attempts blocked by Microsoft, hitting over 500,000 organizations every single month. Microsoft’s threat intelligence team attributed the campaign to a threat actor tracked as Storm-1747, and the kit currently sits at the top of ANY.RUN’s malware trends tracker.
How Tycoon 2FA Bypasses MFA
Tycoon 2FA does not steal credentials the old-fashioned way. Instead, it acts as a reverse proxy, standing between the victim and the real Microsoft or Google login page and relaying everything in real time. The victim completes their MFA challenge normally, never knowing the kit intercepted the session token the moment it was issued.
The attack begins with a phishing email carrying a link or QR code embedded in a PDF, SVG, HTML, or PowerPoint file. The link routes through a multi-layer redirect chain before landing on a pixel-perfect replica of the target login page, often loaded with the victim’s organization’s branding. Once the victim finishes MFA, the kit captures the session cookie and hands it to the attacker, who can then access the account without any further prompts.
Analysts at Elastic Security Labs identified that the kit uses two structural variants:
- WebSocket-based session relay — targeting Microsoft Entra ID and Microsoft 365
- Device-code-grant abuse — targeting Google Workspace environments
Evasion and Post-Compromise Persistence
Tycoon 2FA is built to survive incident response. The kit can register a rogue device in Entra ID, obtaining a primary refresh token (PRT) that stays valid even after a defender revokes the compromised user’s sessions. This means the standard “revoke sessions and reset password” playbook is no longer enough to fully contain a Tycoon 2FA compromise.
Beyond persistence, the kit takes extreme steps to avoid analysis:
- Filters visitors from cloud and hosting IP ranges
- Blocks developer tools and automation frameworks
- Removes its own malicious code from the page after execution
- Delivers uniquely encrypted payloads seeded with per-session values, making signature-based detection nearly impossible
Even a coordinated March 2026 takedown led by Microsoft and Europol, which seized over 300 domains, could not stop the campaign for long. Operators bounced back within weeks, adapting their infrastructure and blending their methods with OAuth Device Code phishing flows.
Defenses That Work
Organizations relying solely on traditional MFA are not protected against this threat. Elastic Security Labs recommends the following countermeasures:
- Deploy phishing-resistant MFA such as FIDO2 security keys or passkeys — these are the only methods immune to AiTM session theft
- Enforce device compliance through Conditional Access
- Block device code flows for all users except approved scenarios
- Enable token protection to bind tokens to specific devices
- Carefully enumerate and delete registered devices before revoking sessions to fully break the device-PRT persistence chain
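The ordering in the last point is the part that a standard playbook gets wrong, so here is the containment sequence as a Microsoft Graph PowerShell script. This is an added example, not code from the article or from Elastic Security Labs or Microsoft; it assumes the Microsoft.Graph module is installed, that the operator holds the User.ReadWrite.All, Device.ReadWrite.All and Directory.ReadWrite.All scopes, and that -KnownGoodDeviceIds is the operator's own allow-list of device IDs (a hypothetical parameter with placeholder values). Registered devices are enumerated and deleted first, because a rogue device holds a PRT that survives session revocation; only then is the password reset and every session revoked.

```powershell
<#
Added example (not from the article, Elastic Security Labs or Microsoft).
Containment order for a user suspected of a Tycoon 2FA AiTM compromise in Entra ID.
The order matters: devices first, because a rogue registered device holds a primary
refresh token (PRT) that outlives plain session revocation; password reset and
session revocation come afterwards. Run with -WhatIf first to preview deletions.
Assumed: Microsoft.Graph module installed; operator has the scopes requested below.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    # Operator-maintained allow-list of device IDs verified as legitimate (placeholder names).
    [string[]] $KnownGoodDeviceIds = @(),
    # Devices registered on or after this time are treated as attacker-registered.
    [datetime] $CompromiseStart = (Get-Date).AddDays(-7)
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Device.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome
$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName

# Step 1: enumerate every device registered to the user. Get-MgUserRegisteredDevice
# returns bare directory objects, so fetch the full device record for each one.
# Note: Get-MgDevice -DeviceId takes the directory object id, not the deviceId GUID.
$devices = @(Get-MgUserRegisteredDevice -UserId $user.Id -All | ForEach-Object {
    Get-MgDevice -DeviceId $_.Id -Property Id,DisplayName,DeviceId,RegistrationDateTime,TrustType,OperatingSystem
})
$devices | Format-Table DisplayName,DeviceId,RegistrationDateTime,TrustType,OperatingSystem

# Anything registered inside the compromise window and not on the allow-list is suspect.
# A device with no RegistrationDateTime fails the comparison and is left for manual review.
$suspect = @($devices | Where-Object {
    $_.RegistrationDateTime -ge $CompromiseStart -and $KnownGoodDeviceIds -notcontains $_.DeviceId
})

# Step 2: delete suspect devices BEFORE touching sessions, so the PRT they hold
# can no longer be exchanged for fresh tokens.
foreach ($d in $suspect) {
    if ($PSCmdlet.ShouldProcess("$($d.DisplayName) ($($d.DeviceId))", 'Remove registered device')) {
        Remove-MgDevice -DeviceId $d.Id
    }
}

# Step 3: reset the password to a random temporary value the user must change at next sign-in.
$tempPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Reset password')) {
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = $tempPassword
        ForceChangePasswordNextSignIn = $true
    }
}

# Step 4: only now revoke every refresh token and session cookie issued to the user.
if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke sign-in sessions')) {
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}

# Summary for the incident record.
[pscustomobject]@{
    User            = $user.UserPrincipalName
    DevicesFound    = $devices.Count
    DevicesRemoved  = $suspect.Count
    SessionsRevoked = -not $WhatIfPreference
}
```

Usage: `.\Contain-AitmUser.ps1 -UserPrincipalName alice@example.test -KnownGoodDeviceIds 'PLACEHOLDER-DEVICE-ID' -WhatIf` prints the device inventory and the actions that would be taken; drop `-WhatIf` to execute. The allow-list exists because deleting a user's legitimate hybrid-joined workstation is its own outage, so the operator decides which devices survive.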
Defenders must monitor for unexpected device registrations, sign-ins from unusual IP ranges (particularly cheap VPS providers), and the Socket.IO event name recieveid (the misspelling is deliberate), a consistent kit fingerprint in its WebSocket C2 relay channels.
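The two detections in that paragraph, as an added example that is not part of the article or of Elastic Security Labs' or Microsoft's tooling. The script runs offline over constructed sample records whose field names follow the Microsoft Graph signIn and directoryAudit schemas (userPrincipalName, ipAddress, autonomousSystemNumber, createdDateTime; category, activityDisplayName, activityDateTime, initiatedBy, targetResources); the sample values, the watched ASN (64496, from the range reserved for documentation) and the six-hour correlation window are placeholders, not real indicators. The Socket.IO check relies on the documented framing of an event packet: `42`, an optional `/namespace,` prefix, an optional ack id, then a JSON array whose first element is the event name.

```powershell
# Added example (not from the article, Elastic Security Labs or Microsoft).
# All sample data below is CONSTRUCTED; ASNs 64496 and 64500 are documentation-reserved.

# 1. Socket.IO fingerprint. An event frame is "42" (Engine.IO MESSAGE + Socket.IO EVENT),
#    optional "/namespace,", optional numeric ack id, then ["eventName", ...].
#    The kit's misspelt event therefore appears as 42["recieveid",...].
function Test-TycoonSocketIoFrame {
    param([Parameter(Mandatory)][string] $Frame)
    return [bool]($Frame -match '^42(?:/[^,]*,)?\d*\["recieveid"')
}

# 2. Device registration shortly after a sign-in from a watched (VPS) ASN by the same user.
function Find-SuspiciousDeviceRegistration {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [Parameter(Mandatory)] [object[]] $AuditEvents,
        [Parameter(Mandatory)] [int[]]    $WatchedAsns,
        [int] $WindowHours = 6
    )
    $registrations = $AuditEvents | Where-Object {
        $_.category -eq 'Device' -and $_.activityDisplayName -eq 'Register device'
    }
    foreach ($reg in $registrations) {
        $upn  = $reg.initiatedBy.user.userPrincipalName
        $when = [datetime]$reg.activityDateTime
        # Sign-ins by the same user, from a watched ASN, inside the window before registration.
        $priorRisky = $SignIns | Where-Object {
            $_.userPrincipalName -eq $upn -and
            $WatchedAsns -contains [int]$_.autonomousSystemNumber -and
            ([datetime]$_.createdDateTime) -le $when -and
            ([datetime]$_.createdDateTime) -ge $when.AddHours(-$WindowHours)
        }
        foreach ($s in $priorRisky) {
            [pscustomobject]@{
                User         = $upn
                SignInTime   = $s.createdDateTime
                SignInIp     = $s.ipAddress
                Asn          = $s.autonomousSystemNumber
                RegisteredAt = $reg.activityDateTime
                Device       = ($reg.targetResources | Select-Object -First 1).displayName
            }
        }
    }
}

# Constructed sign-in records (Graph signIn schema field names).
$signIns = @'
[
 {"userPrincipalName":"alice@example.test","ipAddress":"198.51.100.23","autonomousSystemNumber":64500,"createdDateTime":"2026-04-02T09:12:00Z"},
 {"userPrincipalName":"alice@example.test","ipAddress":"203.0.113.7","autonomousSystemNumber":64496,"createdDateTime":"2026-04-02T10:41:00Z"},
 {"userPrincipalName":"bob@example.test","ipAddress":"192.0.2.10","autonomousSystemNumber":64500,"createdDateTime":"2026-04-02T08:00:00Z"}
]
'@ | ConvertFrom-Json

# Constructed audit records (Graph directoryAudit schema field names).
$auditEvents = @'
[
 {"category":"Device","activityDisplayName":"Register device","activityDateTime":"2026-04-02T10:43:00Z",
  "initiatedBy":{"user":{"userPrincipalName":"alice@example.test"}},
  "targetResources":[{"displayName":"DESKTOP-CONSTRUCTED","type":"Device"}]},
 {"category":"UserManagement","activityDisplayName":"Update user","activityDateTime":"2026-04-02T11:00:00Z",
  "initiatedBy":{"user":{"userPrincipalName":"bob@example.test"}},
  "targetResources":[{"displayName":"bob@example.test","type":"User"}]}
]
'@ | ConvertFrom-Json

# Constructed WebSocket frames: one kit-style event, one ordinary event, one Engine.IO pong.
$frames = @(
    '42["recieveid",{"sid":"CONSTRUCTED-SESSION"}]',
    '42["message","hello"]',
    '3'
)
$frames | ForEach-Object {
    [pscustomobject]@{ Frame = $_; TycoonFingerprint = Test-TycoonSocketIoFrame -Frame $_ }
} | Format-Table -AutoSize

# Expected: one hit, alice's 10:41 sign-in from ASN 64496 followed by a device registration at 10:43.
Find-SuspiciousDeviceRegistration -SignIns $signIns -AuditEvents $auditEvents -WatchedAsns 64496 |
    Format-Table -AutoSize
```

In production the two inputs come from `Get-MgAuditLogSignIn` and `Get-MgAuditLogDirectoryAudit` (or the same logs exported to a SIEM) and the ASN watchlist from the organization's own enrichment; the correlation logic is unchanged. The regex deliberately anchors on the frame start so that the word appearing inside an ordinary JSON payload does not trigger it.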