TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Microsoft Threat Intelligence

Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale

Microsoft Threat Intelligence and Microsoft Defender Security Research Team · 2026-03-04

ATT&CK techniques detected

49 predictions (technique · confidence · evidence snippet from the source text)

T1566.002 Spearphishing Link · 99%
"…links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links…"

T1566.002 Spearphishing Link · 99%
"…in page with AiTM relay, and authentication relay culminating in token theft. Tycoon2FA phishing emails · In observed campaigns, threat actors gained initial access through phishing emails that used either embedded links or malicious attachments. Most of Tycoon2FA’s lures fell in…"

T1583.001 Domains · 98%
"…s adoption across a wide range of campaigns. Tycoon2FA infrastructure · Tycoon2FA’s infrastructure has shifted from static, high-entropy domains to a fast-moving ecosystem with diverse top-level domains (TLDs) and short-lived (often 24-72 hours) fully qualified doma…"

T1566.002 Spearphishing Link · 98%
"Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale · Following its emergence in August 2023, Tycoon2FA rapidly became one of the most widespread phishing-as-a-service (PhaaS) platforms, enabling campaigns responsible for tens of millions of phishing messag…"

T1566.002 Spearphishing Link · 97%
"…or JavaScript. This blog provides a comprehensive up-to-date analysis of Tycoon2FA’s progression and scale. We share specific examples of the Tycoon2FA service panel, including a detailed analysis of Tycoon2FA infrastructure. Defending against Tycoon2FA and similar AiTM phi…"

T1556.006 Multi-Factor Authentication · 96%
"…, Tycoon2FA posed a persistent and significant threat to both consumer and enterprise accounts, especially those that rely on MFA as a primary safeguard. Mitigation and protection guidance · Mitigating threats from phishing actors begins with securing user identity by eliminating t…"

T1566.002 Spearphishing Link · 95%
"…click and Microsoft Entra ID Protection risky sign-ins signal. Possible AiTM phishing attempt · Risky sign-in attempt after clicking a possible AiTM phishing URL · Microsoft Security Copilot · Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams…"

T1111 Multi-Factor Authentication Interception · 93%
"The page might even include company branding to enhance legitimacy. When the user submitted credentials, Tycoon2FA immediately relayed them to the real service, triggering the genuine MFA challenge. The phishing page then displayed the same MFA prompt (for example, number matchi…"

T1566.002 Spearphishing Link · 92%
"…coon2FA is operated through a web-based administration panel provided on a per-user basis that centrally integrates all functionality provided by the Tycoon 2FA PhaaS platform. The panel serves as a single dashboard for configuring, tracking, and refining campaigns. While it…"

T1556.006 Multi-Factor Authentication · 83%
"The page might even include company branding to enhance legitimacy. When the user submitted credentials, Tycoon2FA immediately relayed them to the real service, triggering the genuine MFA challenge. The phishing page then displayed the same MFA prompt (for example, number matchi…"

T1111 Multi-Factor Authentication Interception · 81%
"…es/cgyp9!cbhsu22yt2/ Some subdomains resembled everyday processes or tech terms like cloud, desktop, application, and survey, while others echoed developer or admin vocabulary like python, terminal, xml, and faq. Software as a service (SaaS) brand names have appeared in sub…"

T1583.001 Domains · 81%
"…or months, but nearly all campaign-specific FQDNs were temporary. The rapid turnover complicated detection efforts, such as building reliable blocklists or relying on reputation-based defenses. Subdomain patterns have also shifted toward more readable formats. Instead of high…"

T1621 Multi-Factor Authentication Request Generation · 80%
"The page might even include company branding to enhance legitimacy. When the user submitted credentials, Tycoon2FA immediately relayed them to the real service, triggering the genuine MFA challenge. The phishing page then displayed the same MFA prompt (for example, number matchi…"

T1621 Multi-Factor Authentication Request Generation · 79%
"…es/cgyp9!cbhsu22yt2/ Some subdomains resembled everyday processes or tech terms like cloud, desktop, application, and survey, while others echoed developer or admin vocabulary like python, terminal, xml, and faq. Software as a service (SaaS) brand names have appeared in sub…"

T1566.002 Spearphishing Link · 79%
"Campaign operators can choose from highly configurable landing pages and sign-in themes that impersonate widely trusted services such as Microsoft 365, Outlook, SharePoint, OneDrive, and Google, increasing the perceived legitimacy of attacks. Campaign operators can also configu…"

T1528 Steal Application Access Token · 74%
"… Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog. Customers with provisioned access can also use Microsoft Security…"

T1598 Phishing for Information · 71%
"…in page with AiTM relay, and authentication relay culminating in token theft. Tycoon2FA phishing emails · In observed campaigns, threat actors gained initial access through phishing emails that used either embedded links or malicious attachments. Most of Tycoon2FA’s lures fell in…"

T1566.002 Spearphishing Link · 66%
"…templates, email distribution was not provided by the service. Defense evasion · From a defense standpoint, Tycoon2FA stood out for its continuously updated evasion and attack techniques. A defining feature was the use of constantly changing custom CAPTCHA pages that regenerated fr…"

T1556.006 Multi-Factor Authentication · 63%
"…and thoroughly. The following are recommended remediation steps for each affected identity: Reset credentials – Immediately reset the account’s password and revoke any active sessions or tokens. This ensures that any stolen credentials can no longer be used. Re-register or r…"

T1566.002 Spearphishing Link · 62%
"…of Tycoon2FA’s infrastructure and operations. Behind the takedown · How a global coalition disrupted Tycoon2FA · Tycoon2FA’s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, a…"

T1566.002 Spearphishing Link · 59%
"…sign-in | where RiskLevelDuringSignIn in (50, 100) | where ClientAppUsed == "Browser" | where isempty(DeviceTrustType) | where isnotempty(State) or isnotempty(Country) or isnotempty(City) | where isnotempty(IPAddress) | where isnotempty(AccountObjectId) |…"

T1621 Multi-Factor Authentication Request Generation · 56%
"… Recent changes combined these redirect chains with encoded uniform resource identifier (URI) strings that obscured full URL paths and landing points, frustrating both static URL extraction and detonation attempts. Stacked together, these tactics made Tycoon2FA a resilient, fa…"

T1566.002 Spearphishing Link · 55%
"…es/cgyp9!cbhsu22yt2/ Some subdomains resembled everyday processes or tech terms like cloud, desktop, application, and survey, while others echoed developer or admin vocabulary like python, terminal, xml, and faq. Software as a service (SaaS) brand names have appeared in sub…"

T1566.002 Spearphishing Link · 51%
"The page might even include company branding to enhance legitimacy. When the user submitted credentials, Tycoon2FA immediately relayed them to the real service, triggering the genuine MFA challenge. The phishing page then displayed the same MFA prompt (for example, number matchi…"

T1598.002 Spearphishing Attachment · 51%
"…in page with AiTM relay, and authentication relay culminating in token theft. Tycoon2FA phishing emails · In observed campaigns, threat actors gained initial access through phishing emails that used either embedded links or malicious attachments. Most of Tycoon2FA’s lures fell in…"

T1566.002 Spearphishing Link · 51%
"…NetworkMessageId · References · Tycoon 2FA malware analysis, overview by ANY.RUN · Learn more · For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence blog. To get notified about new publications and to join discuss…"

T1556.006 Multi-Factor Authentication · 50%
"…es/cgyp9!cbhsu22yt2/ Some subdomains resembled everyday processes or tech terms like cloud, desktop, application, and survey, while others echoed developer or admin vocabulary like python, terminal, xml, and faq. Software as a service (SaaS) brand names have appeared in sub…"

T1111 Multi-Factor Authentication Interception · 49%
"… Recent changes combined these redirect chains with encoded uniform resource identifier (URI) strings that obscured full URL paths and landing points, frustrating both static URL extraction and detonation attempts. Stacked together, these tactics made Tycoon2FA a resilient, fa…"

T1098.002 Additional Email Delegate Permissions · 48%
"…and thoroughly. The following are recommended remediation steps for each affected identity: Reset credentials – Immediately reset the account’s password and revoke any active sessions or tokens. This ensures that any stolen credentials can no longer be used. Re-register or r…"

T1566.002 Spearphishing Link · 48%
"… Recent changes combined these redirect chains with encoded uniform resource identifier (URI) strings that obscured full URL paths and landing points, frustrating both static URL extraction and detonation attempts. Stacked together, these tactics made Tycoon2FA a resilient, fa…"

T1598 Phishing for Information · 47%
"…NetworkMessageId · References · Tycoon 2FA malware analysis, overview by ANY.RUN · Learn more · For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence blog. To get notified about new publications and to join discuss…"

T1556.006 Multi-Factor Authentication · 45%
"… Recent changes combined these redirect chains with encoded uniform resource identifier (URI) strings that obscured full URL paths and landing points, frustrating both static URL extraction and detonation attempts. Stacked together, these tactics made Tycoon2FA a resilient, fa…"

T1111 Multi-Factor Authentication Interception · 45%
"Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale · Following its emergence in August 2023, Tycoon2FA rapidly became one of the most widespread phishing-as-a-service (PhaaS) platforms, enabling campaigns responsible for tens of millions of phishing messag…"

T1598.003 Spearphishing Link · 43%
"…in page with AiTM relay, and authentication relay culminating in token theft. Tycoon2FA phishing emails · In observed campaigns, threat actors gained initial access through phishing emails that used either embedded links or malicious attachments. Most of Tycoon2FA’s lures fell in…"

T1557 Adversary-in-the-Middle · 42%
"… Beyond campaign configuration, the panel provides detailed visibility into victim interaction and authentication outcomes. Operators can track valid and invalid sign-in attempts, MFA usage, and session cookie capture, with victim data organized by attributes such as targeted…"

T1557 Adversary-in-the-Middle · 42%
"…of Tycoon2FA’s infrastructure and operations. Behind the takedown · How a global coalition disrupted Tycoon2FA · Tycoon2FA’s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, a…"

T1557.001 Name Resolution Poisoning and SMB Relay · 42%
"…at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond t…"

T1566.002 Spearphishing Link · 42%
"…sites, and sites that host malware. Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attack tools and techniques. Cloud-based machine learning protections block a majority of new and unkn…"

T1566.002 Spearphishing Link · 38%
"…at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond t…"

T1586.002 Email Accounts · 38%
"…and thoroughly. The following are recommended remediation steps for each affected identity: Reset credentials – Immediately reset the account’s password and revoke any active sessions or tokens. This ensures that any stolen credentials can no longer be used. Re-register or r…"

T1557 Adversary-in-the-Middle · 37%
"The page might even include company branding to enhance legitimacy. When the user submitted credentials, Tycoon2FA immediately relayed them to the real service, triggering the genuine MFA challenge. The phishing page then displayed the same MFA prompt (for example, number matchi…"

T1557.001 Name Resolution Poisoning and SMB Relay · 36%
"…of Tycoon2FA’s infrastructure and operations. Behind the takedown · How a global coalition disrupted Tycoon2FA · Tycoon2FA’s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, a…"

T1566.002 Spearphishing Link · 34%
"…and adjusting page behavior if detected. These evasive measures included: Intercepting user input · Keystroke monitoring · Blocking copy/paste and right-click functions · Detecting or blocking automated inspection · Automation tools (for example, PhantomJS, Burp Suite) · Disabling commo…"

T1566 Phishing · 34%
"…templates, email distribution was not provided by the service. Defense evasion · From a defense standpoint, Tycoon2FA stood out for its continuously updated evasion and attack techniques. A defining feature was the use of constantly changing custom CAPTCHA pages that regenerated fr…"

T1557 Adversary-in-the-Middle · 32%
"Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale · Following its emergence in August 2023, Tycoon2FA rapidly became one of the most widespread phishing-as-a-service (PhaaS) platforms, enabling campaigns responsible for tens of millions of phishing messag…"

T1539 Steal Web Session Cookie · 31%
"… Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog. Customers with provisioned access can also use Microsoft Security…"

T1586.002 Email Accounts · 31%
"…coon2FA is operated through a web-based administration panel provided on a per-user basis that centrally integrates all functionality provided by the Tycoon 2FA PhaaS platform. The panel serves as a single dashboard for configuring, tracking, and refining campaigns. While it…"

T1598 Phishing for Information · 31%
"…or JavaScript. This blog provides a comprehensive up-to-date analysis of Tycoon2FA’s progression and scale. We share specific examples of the Tycoon2FA service panel, including a detailed analysis of Tycoon2FA infrastructure. Defending against Tycoon2FA and similar AiTM phi…"

T1556.006 Multi-Factor Authentication · 31%
"… Beyond campaign configuration, the panel provides detailed visibility into victim interaction and authentication outcomes. Operators can track valid and invalid sign-in attempts, MFA usage, and session cookie capture, with victim data organized by attributes such as targeted…"

Summary

Tycoon2FA has become a leading phishing-as-a-service (PhaaS) platform, enabling campaigns that reach over 500,000 organizations monthly. This prompted Microsoft’s Digital Crimes Unit (DCU) to work with Europol and industry partners to disrupt Tycoon2FA’s infrastructure and operations.

The post Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale appeared first on Microsoft Security Blog.