Tycoon2FA Operators Resume Cloud Account Phishing After Infrastructure Disruption

Cybersecurity News. Original source: cybersecuritynews.com, by Blog Writer.

Cybercriminals behind Tycoon2FA, a phishing-as-a-service (PhaaS) platform, have resumed targeting cloud accounts with near-full force despite a coordinated law enforcement takedown on March 4, 2026.

Europol, working alongside authorities from six countries, seized 330 domains that formed the backbone of the platform’s infrastructure in what became one of the more visible efforts to disrupt a subscription-based crimeware service.

Yet on the same day as that announcement, operators had already begun rebuilding their operations, a sign of how resilient this threat has become.

Tycoon2FA first appeared in 2023 as a subscription-based toolkit designed to help cybercriminals bypass multifactor authentication (MFA) protections.

The platform uses adversary-in-the-middle (AiTM) techniques: a proxy sits between the victim and the legitimate login page, relays the live authentication exchange, and captures the credentials, the MFA response, and the resulting session cookie in real time.

By mid-2025, the platform had grown into a dominant force in the phishing landscape, accounting for 62% of all phishing attempts blocked by Microsoft and reportedly sending more than 30 million malicious emails in a single month.

CrowdStrike analysts identified a brief but sharp drop in Tycoon2FA campaign activity immediately following the March 4 takedown, with daily volumes falling to just 25% of pre-disruption levels on March 4 and March 5, 2026.

That temporary decline, however, did not hold. Within days, activity returned to the same levels seen in early 2026, and cloud account compromises resumed at full pace.

Critically, the platform’s tactics, techniques, and procedures (TTPs) showed no meaningful changes after the disruption, suggesting the core service was never fully taken offline.

The March 4 operation was led by Europol’s European Cybercrime Centre (EC3) alongside law enforcement from Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom.

The action came several months after law enforcement’s September 2025 targeting of RaccoonO365, which had served as Tycoon2FA’s primary competitor.

No arrests or physical asset seizures connected to Tycoon2FA have been reported as of this writing, a gap that analysts believe has significantly limited the long-term impact of the disruption.

The speed of Tycoon2FA’s recovery points to a broader problem with infrastructure-only takedowns.

When no arrests follow a domain seizure, operators can quickly rebuild using new hosting, fresh domains, and updated IP infrastructure — all without missing much business.

For organizations using Microsoft 365 or Google cloud services, this means the threat has not meaningfully decreased.

Post-Disruption Phishing Tactics

Between March 4 and March 6, 2026, CrowdStrike’s Falcon Complete team responded to at least 30 suspected Tycoon2FA-enabled phishing incidents involving at least 12 decoy and credential-capture pages.

The attack chain followed its established pattern: phishing emails led victims to a fake CAPTCHA page; once the CAPTCHA was passed, an obfuscated JavaScript file proxied the victim's credentials and MFA response to the legitimate Microsoft 365 login, and the session cookie issued for that authenticated session was captured.

Once credentials and MFA tokens were captured, the Tycoon2FA platform automatically signed into the victim's Microsoft Entra ID account. These automated sign-ins typically came from IPv6 addresses linked to the Romania-based internet provider M247 Europe SRL.

Figure: AI-generated Tycoon2FA decoy pages returned after a failed geocheck (Source: CrowdStrike)

Operators used generative AI to produce convincing, benign-looking websites that are served to visitors who fail the platform's geofencing checks, so that security researchers and scanners outside the targeted regions never see the credential-capture page.

Post-disruption campaigns also used URL shortener services, links hosted on legitimate presentation platforms, and SharePoint sites belonging to compromised trusted contacts to redirect targets toward Tycoon2FA infrastructure.

Eight of the 11 IPv6 addresses observed during March 2026 were first seen on or after March 1, indicating that threat actors quickly acquired new infrastructure following the takedown.

Organizations should not treat MFA as the final line of defense: an AiTM proxy relays push approvals and one-time codes just as it relays passwords, and only phishing-resistant methods such as FIDO2 security keys or passkeys, whose credential is bound to the legitimate origin, are not captured this way. Security teams should actively monitor for suspicious inbox rule creation and hidden folder activity in Microsoft Exchange, which are common early signs of business email compromise (BEC) staging.
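A concrete way to run the inbox-rule check above over Exchange Online audit data, as an added example that is not code from the article or from CrowdStrike: it parses Unified Audit Log records (the JSON shape approximates the AuditData of New-InboxRule and Set-InboxRule events; the records below are constructed for the demonstration) and scores each rule on the hiding behaviours BEC actors rely on. The folder and keyword lists are assumptions to tune locally.

```python
"""Triage Exchange Online inbox-rule audit events for BEC-style staging.

Added example (not CrowdStrike's or the article's code). The record shape
approximates the AuditData JSON returned by Search-UnifiedAuditLog; every
value below is constructed for this demonstration.
"""
import json

# Constructed sample audit records: one hiding rule, one benign rule, one
# delete rule, and one unrelated sign-in event.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "ClientIP": "2001:db8:4f00::1a",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example",
     "ClientIP": "203.0.113.25",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletter cleanup"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@contoso.example",
     "ClientIP": "2001:db8:4f00::2b",
     "Parameters": [
         {"Name": "Identity", "Value": "Sync"},
         {"Name": "SubjectContainsWords", "Value": "password;mfa;security alert"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "UserLoggedIn", "UserId": "alice@contoso.example",
     "ClientIP": "2001:db8:4f00::1a", "Parameters": []},
])

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders users rarely open; a rule that files mail here hides it in plain sight.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "deleted items", "junk email", "archive"}
# Words a BEC actor filters on to intercept payment threads or suppress
# security notifications (assumed list, tune to your environment).
BEC_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "password",
                "mfa", "security", "phish", "hacked", "suspicious"}


def _params(record):
    """Flatten the Parameters array into a case-insensitive dict."""
    return {p["Name"].lower(): str(p.get("Value", ""))
            for p in record.get("Parameters", [])}


def _tokens(value):
    """Split a semicolon/comma separated parameter value into lowercase words."""
    return set(value.lower().replace(";", " ").replace(",", " ").split())


def score_inbox_rule(record):
    """Return (score, reasons) for one New-/Set-InboxRule record."""
    p = _params(record)
    score, reasons = 0, []
    if p.get("deletemessage", "").lower() == "true":
        score += 2
        reasons.append("deletes matching mail")
    if p.get("movetofolder", "").lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to rarely viewed folder {p['movetofolder']!r}")
    if p.get("markasread", "").lower() == "true":
        score += 1
        reasons.append("marks mail as read")
    words = _tokens(p.get("subjectcontainswords", "")) | _tokens(p.get("bodycontainswords", ""))
    hits = sorted(words & BEC_KEYWORDS)
    if hits:
        score += 2
        reasons.append("filters on BEC keywords: " + ", ".join(hits))
    name = p.get("name", p.get("identity", "")).strip()
    if len(name) <= 2:
        score += 1
        reasons.append(f"non-descriptive rule name {name!r}")
    return score, reasons


def find_suspicious_inbox_rules(audit_log_jsonl, threshold=3):
    """Parse JSON-lines audit records and return rules scoring at or above threshold."""
    findings = []
    for line in audit_log_jsonl.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        score, reasons = score_inbox_rule(record)
        if score >= threshold:
            findings.append({"user": record["UserId"], "client_ip": record.get("ClientIP"),
                             "operation": record["Operation"], "score": score,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_inbox_rules(SAMPLE_AUDIT_LOG):
        print(f"{f['user']} {f['operation']} score={f['score']} from {f['client_ip']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

In production the records come from Search-UnifiedAuditLog or the Office 365 Management Activity API; the scoring deliberately ignores the ClientIP so that a rule created from a familiar address by an attacker holding a stolen session is still caught.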

Employees need consistent training to spot phishing emails routed through trusted platforms or URL shorteners. Enterprises should enforce conditional access policies that flag logins from unusual IPv6 ranges or unexpected geographic locations.
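Added example, not the article's or CrowdStrike's code, for the automated sign-in pattern described earlier (the platform logging in from its own IPv6 infrastructure right after the victim authenticates) and for the conditional-access advice above: it walks Entra ID sign-in records in time order, learns each user's usual origins keyed by /64 for IPv6 and /24 for IPv4, and flags a successful sign-in from a never-seen prefix or country, raising the severity when it lands within an hour of a sign-in from a different origin. Field names follow the Microsoft Graph signIn resource; the records and addresses are constructed from documentation ranges and are not attribution to any provider.

```python
"""Flag Entra ID sign-ins that look like AiTM session replay.

Added example, not CrowdStrike's or the article's code. Field names follow
the Microsoft Graph signIn resource; the records and addresses below are
constructed (documentation ranges), not attribution to any provider.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records for two users: a baseline from office
# addresses, one replayed session minutes after the victim's own sign-in,
# one failed attempt, one new-origin sign-in with no nearby prior sign-in,
# and one benign sign-in from a different host in the office /24.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2026-03-02T08:05:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.25", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-03T08:11:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.25", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-04T09:00:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.8", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-05T09:00:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.25", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-05T09:04:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "2001:db8:4f00::1a", "location": {"countryOrRegion": "RO"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-05T09:30:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "2001:db8:9::7", "location": {"countryOrRegion": "RO"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-03-06T10:00:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "2001:db8:9::7", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-06T11:00:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
])

WINDOW = timedelta(minutes=60)


def origin_prefix(ip):
    """Key an address by /64 (IPv6) or /24 (IPv4) so a rotating host address
    inside the same allocation still counts as one origin."""
    addr = ipaddress.ip_address(ip)
    bits = 64 if addr.version == 6 else 24
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def parse_signins(jsonl):
    """Parse JSON-lines sign-in records into events sorted by time."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")),
            "user": r["userPrincipalName"],
            "ip": r["ipAddress"],
            "prefix": origin_prefix(r["ipAddress"]),
            "country": r.get("location", {}).get("countryOrRegion"),
            "ok": r.get("status", {}).get("errorCode", 0) == 0,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_session_replay(jsonl, window=WINDOW):
    """Return findings for successful sign-ins from an origin the user has never
    used, rated 'high' when they follow a sign-in from a different origin
    within `window` (victim authenticates, then the kit logs in from its own
    infrastructure), 'medium' otherwise."""
    known_prefixes = defaultdict(set)
    known_countries = defaultdict(set)
    last_success = {}
    findings = []
    for e in parse_signins(jsonl):
        if not e["ok"]:
            continue  # failed attempts create no session; do not learn from them
        user = e["user"]
        new_prefix = e["prefix"] not in known_prefixes[user]
        new_country = e["country"] not in known_countries[user]
        if known_prefixes[user] and (new_prefix or new_country):
            prior = last_success.get(user)
            recent_other = (prior is not None and prior["prefix"] != e["prefix"]
                            and e["time"] - prior["time"] <= window)
            reasons = []
            if new_prefix:
                reasons.append(f"first sign-in from {e['prefix']}")
            if new_country:
                reasons.append(f"first sign-in from country {e['country']}")
            if recent_other:
                minutes = int((e["time"] - prior["time"]).total_seconds() // 60)
                reasons.append(f"{minutes} min after a sign-in from {prior['ip']}")
            findings.append({"user": user, "ip": e["ip"], "country": e["country"],
                             "time": e["time"].isoformat(),
                             "severity": "high" if recent_other else "medium",
                             "reasons": reasons})
            continue  # flagged origins are withheld from the baseline so they cannot be laundered in
        known_prefixes[user].add(e["prefix"])
        known_countries[user].add(e["country"])
        last_success[user] = e
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['user']} from {f['ip']} ({f['country']}) at {f['time']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

The baseline here is learned from the log itself; in a real deployment it would be seeded from a longer history, and the prefix list could additionally be matched against ranges the team has attributed to the hosting providers seen in these campaigns.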

Ongoing monitoring of DNS resolution activity and cloud authentication logs remains critical for early detection of Tycoon2FA-related intrusions.
