One of the most prolific phishing-as-a-service platforms has been disrupted — and it’s a big deal for anyone running Microsoft 365 or Gmail.
On March 4, 2026, a coordinated public-private action targeting Tycoon 2FA — the most widely used adversary-in-the-middle (AiTM) phishing platform in operation — resulted in infrastructure seizures, domain takedowns, and a civil lawsuit filed against its alleged creator. The action was led by Microsoft and Europol, with support from Proofpoint, Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel 471, Resecurity, The Shadowserver Foundation, SpyCloud, TrendAI, and law enforcement agencies across Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom.

What Is Tycoon 2FA?
Tycoon 2FA is a phishing-as-a-service (PhaaS) kit sold on Telegram since 2023. For a subscription fee, cybercriminals could purchase access to a fully operational phishing infrastructure and customize it for their own campaigns — no advanced technical skills required.
What makes it especially dangerous is its adversary-in-the-middle architecture. Rather than simply stealing passwords, the platform acts as a real-time proxy between the victim and the legitimate login service (Microsoft 365 or Gmail). When a victim enters their credentials, those are transparently relayed to the real site, which accepts them and issues its usual MFA challenge; the victim's MFA response is relayed the same way, the legitimate login completes, and the session cookie the service issues is captured and handed back to the attacker.
That session cookie is the prize. With it, the attacker can bypass multi-factor authentication entirely and take over the account without ever needing the victim’s password again.
Why This Matters
The numbers are alarming. According to Proofpoint’s threat data:
- 99% of organizations experienced account takeover attempts in 2025
- 67% suffered at least one successful account takeover
- 59% of compromised accounts had MFA enabled — and it didn’t save them
In February 2026 alone, Proofpoint observed over 3 million messages tied to Tycoon 2FA campaigns. According to Microsoft, the platform enabled cybercriminals to breach nearly 100,000 organizations — including schools, hospitals, nonprofits, and government agencies.
This wasn’t niche criminal activity. Tycoon 2FA campaigns targeted virtually every major vertical, appearing in campaigns hitting technology (85%), financial services (84%), healthcare (83%), manufacturing (83%), government (79%), energy (78%), education (75%), and more.
How the Attacks Worked
Tycoon 2FA campaigns were typically distributed through email and were deliberately broad and opportunistic. Attack vectors included:
- Malicious links embedded in email bodies
- QR codes embedded in PDF attachments
- SVG files and attachments containing URLs
In every case, victims were redirected to an attacker-controlled landing page that displayed a CAPTCHA challenge. Solving it brought them to a convincing Microsoft or Google login page — often styled with the target organization’s own Azure Active Directory branding to increase believability.
One particularly effective tactic, called “ATO Jumping,” involved first compromising a legitimate email account, then using that trusted sender identity to distribute Tycoon 2FA links to the victim’s contacts. Receiving a phishing link from someone you know dramatically increases the chance of a click.
A successful compromise could lead to:
- Theft of financial data, PII, and proprietary business information
- Full account takeover and access to M365 environments
- Sale of compromised access to other threat actors
- Follow-on ransomware deployment
The Takedown
On March 4, 2026, Microsoft seized 330 control panel domains associated with Tycoon 2FA. Europol coordinated law enforcement operations across six countries, resulting in infrastructure seizures and additional operational disruptions. Microsoft and co-plaintiff Health-ISAC also filed a civil lawsuit in the U.S. Southern District of New York against the alleged creator, Saad Fridi, and unnamed associates.
Seized domains displayed a joint seizure splash page from Microsoft, Europol, and the participating law enforcement agencies — a visible signal to the cybercriminal ecosystem that this platform is gone.
Proofpoint played a direct role in the action, providing Microsoft with threat intelligence including malicious domain data and campaign details, and submitting a formal declaration in support of the civil lawsuit. As Proofpoint detailed in their Threat Insight blog, the platform represented the single highest-volume AiTM phishing threat in their visibility.
What This Means for Defenders
The disruption will meaningfully reduce Tycoon 2FA campaign volumes — at least in the near term. But it won’t eliminate AiTM phishing as a threat class. The technique of real-time credential proxying and session cookie hijacking is well-understood, and other kits will fill the gap.
The takeaway for security teams is clear: MFA alone is no longer sufficient protection against credential-based account takeover. Organizations should be evaluating:
- Phishing-resistant MFA (FIDO2/passkeys) where feasible, since the credential is bound to the legitimate site's origin and produces nothing usable when the login is relayed through a proxy
- Conditional access policies that evaluate session risk continuously
- Account takeover detection tooling that looks for suspicious post-authentication behavior
- Email security controls that can identify QR code abuse, malicious PDFs, and compromised sender accounts
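As an added illustration of the post-authentication detection the last two items call for (this is example code written for this article, not Proofpoint's or Microsoft's tooling), the following scans sign-in records for the tell-tale pattern of a stolen session: MFA is satisfied once, and the resulting session token is then presented from a different network within a short window. The log format, field names and ASN values are constructed assumptions; real identity-provider logs carry equivalent fields under their own names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterator, List, Tuple

# Constructed sample sign-in records, not real telemetry. One line per sign-in:
# timestamp, user, session id, source IP, source ASN, and how the request was
# authenticated ("interactive_mfa" = user completed an MFA prompt,
# "token_reuse" = an existing session cookie was presented instead).
SAMPLE_LOG = """\
2026-02-12T09:01:10Z,alice@example.com,sess-7f3a,203.0.113.10,AS64501,interactive_mfa
2026-02-12T09:04:55Z,alice@example.com,sess-7f3a,198.51.100.77,AS64999,token_reuse
2026-02-12T09:30:00Z,bob@example.com,sess-0c2e,192.0.2.44,AS64502,interactive_mfa
2026-02-12T10:15:00Z,bob@example.com,sess-0c2e,192.0.2.44,AS64502,token_reuse
"""


@dataclass
class SignIn:
    ts: datetime
    user: str
    session: str
    ip: str
    asn: str
    auth: str


def parse(log: str) -> Iterator[SignIn]:
    """Parse the constructed CSV-style log into SignIn records."""
    for line in log.splitlines():
        ts, user, sess, ip, asn, auth = line.split(",")
        yield SignIn(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, sess, ip, asn, auth)


def find_session_reuse(events, window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str, str, str]]:
    """Flag sessions whose MFA proof was collected from one network and whose
    cookie is then presented from a different ASN within `window`.

    In an AiTM compromise the MFA event itself arrives from the relay's address,
    so the victim's real location never appears; the signal is the jump between
    the address that satisfied MFA and the address that later reuses the token.
    """
    origin = {}   # session id -> the SignIn that satisfied MFA
    alerts = []   # (user, session, mfa_ip, reuse_ip)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.auth == "interactive_mfa":
            origin[ev.session] = ev
        elif ev.auth == "token_reuse" and ev.session in origin:
            first = origin[ev.session]
            if ev.asn != first.asn and ev.ts - first.ts <= window:
                alerts.append((ev.user, ev.session, first.ip, ev.ip))
    return alerts
```

Bob's token reuse from the same ASN is ignored; Alice's cookie, satisfied via MFA on one network and presented from another four minutes later, is the pattern worth paging on.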
The Tycoon 2FA disruption is a win. But the underlying threat — attackers treating MFA as a problem already solved — isn’t going anywhere.
For full technical details including campaign indicators and infrastructure analysis, see the Proofpoint Threat Insight report.