
Major phishing operation disrupted in joint Europol action


Tycoon 2FA accounted for around 62pc of all phishing attempts blocked by Microsoft by mid-2025.

A joint cybersecurity operation has disrupted one of the world’s largest phishing-as-a-service platforms, called ‘Tycoon 2FA’ and used to bypass multi-factor authentication (MFA) and hack user accounts.

The operation was coordinated by Europol’s European Cybercrime Centre, while the technical disruption was led by Microsoft. Participating industry partners also included Cloudflare, Coinbase, Proofpoint and eSentire, among others.

Japanese cybersecurity firm Trend Micro shared the intelligence that initiated the investigation, Europol noted. Law enforcement authorities from several European countries, including Spain and the UK, also participated.


Tycoon 2FA provided cybercriminals with a subscription-based toolkit that intercepted live authentication sessions to gain unauthorised access to online accounts, including accounts protected by additional security layers such as MFA.

The platform has been active since at least 2023, according to Europol, and enabled “thousands” of cybercriminals to access email and cloud-based service accounts. Experts determined that the platform generated “tens of millions” of phishing emails each month, attempting to gain access to nearly 100,000 organisations globally, including schools, hospitals and public institutions.

“Campaigns leveraging Tycoon 2FA have appeared across nearly all sectors including education, healthcare, finance, non-profit and government,” said Microsoft.

“Its rise in popularity among cybercriminals likely stemmed from disruptions of other popular phishing services,” it noted.


Tycoon 2FA accounted for around 62pc of all phishing attempts blocked by Microsoft by mid-2025. Its platform enabled threat actors to impersonate trusted brands by copying sign-in pages for services including Microsoft’s own 365 and OneDrive, and Gmail. It also allowed criminals to access sensitive information even after passwords were reset.

Targets were lured through phishing emails carrying SVG, PDF, HTML or DOCX attachments, often embedded with QR codes or JavaScript. To evade detection, the platform used techniques such as anti-bot screening, browser fingerprinting and self-hosted CAPTCHAs.
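As an added illustration, not part of the article and not code from Europol, Microsoft or any other organisation named here, the following Python scanner shows one defensive check that paragraph suggests: flagging SVG or HTML attachments that carry embedded script markers before they reach a user, and marking the other attachment types the article lists for closer review. The sample attachments and the marker list are constructed for the example.

```python
"""Flag mail attachments that carry active content of the kind the article
describes for Tycoon 2FA lures (SVG/HTML files with embedded JavaScript).
Added defender-side example; not code from the article, Europol, Microsoft
or any other named organisation. The sample attachments are constructed."""
import re
from dataclasses import dataclass, field

# Attachment types the article names as lure carriers.
LURE_EXTENSIONS = {"svg", "pdf", "html", "htm", "docx"}

# Markers of script execution inside SVG/HTML bodies. Assumption: this small
# regex list is enough for the demonstration; a production gateway would use
# a real SVG/HTML parser rather than pattern matching.
ACTIVE_CONTENT_MARKERS = [
    (re.compile(rb"<script\b", re.I), "script element"),
    (re.compile(rb"\bon[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(rb"javascript:", re.I), "javascript: URI"),
    (re.compile(rb"<foreignObject\b", re.I), "foreignObject (HTML inside SVG)"),
]


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class ScanResult:
    filename: str
    lure_type: bool               # extension is on the article's lure list
    active_content: list = field(default_factory=list)
    verdict: str = "allow"        # allow | review | quarantine


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def scan_attachment(att: Attachment) -> ScanResult:
    """Classify one attachment: quarantine if an SVG/HTML body contains
    script markers, review if it is merely a lure-carrier type, allow otherwise."""
    ext = _extension(att.filename)
    result = ScanResult(filename=att.filename, lure_type=ext in LURE_EXTENSIONS)
    if ext in {"svg", "html", "htm"}:
        for pattern, label in ACTIVE_CONTENT_MARKERS:
            if pattern.search(att.content):
                result.active_content.append(label)
    if result.active_content:
        result.verdict = "quarantine"
    elif result.lure_type:
        result.verdict = "review"
    return result


def scan_all(attachments):
    return [scan_attachment(a) for a in attachments]


# Constructed samples (not real lures):
SAMPLE_ATTACHMENTS = [
    # SVG with an inline script and an onload handler: active content.
    Attachment("invoice.svg",
               b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
               b'<script>/* constructed sample */</script></svg>'),
    # Plain vector logo: lure-carrier type, but no script markers.
    Attachment("logo.svg",
               b'<svg xmlns="http://www.w3.org/2000/svg">'
               b'<rect width="10" height="10" fill="#00f"/></svg>'),
    # Word document: on the lure list, not inspected by this scanner.
    Attachment("agenda.docx", b"PK\x03\x04..."),
    # Plain text: neither.
    Attachment("notes.txt", b"see you Monday"),
]

if __name__ == "__main__":
    for r in scan_all(SAMPLE_ATTACHMENTS):
        print(f"{r.filename:12} {r.verdict:10} {', '.join(r.active_content)}")
```

The three-way verdict mirrors how a mail gateway would act on the article's observations: script-bearing SVG/HTML is held outright, while PDF and DOCX attachments, which this scanner cannot inspect, are routed to further analysis rather than allowed through on extension alone.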

The joint industry and law enforcement operation led to the disruption of 330 domains that formed the core infrastructure of the criminal service, including phishing pages and control panels.

However, Microsoft pointed out that Tycoon 2FA illustrates the “evolution of phishing kits in response to rising enterprise defences”. The platform shows how cybercriminals adapt lures, infrastructure and evasion techniques to stay ahead of detection.


Recently, Google and iVerify highlighted the existence of a hacking mechanism, with suspected US origins, now used by bad actors to infiltrate outdated iPhones.

Meanwhile, Amazon last month highlighted how commercial AI is being used by less technically savvy cybercriminals to scale cyberattacks on enterprises.

