Disruption targets Tycoon 2FA, popular AiTM PhaaS

Tycoon 2FA is a high-volume adversary-in-the-middle (AiTM) phishing-as-a-service platform that harvests credentials and Microsoft 365 and Gmail session cookies to bypass MFA and enable account takeover. Microsoft and a coalition of private and public partners, including Proofpoint and Europol, disrupted Tycoon 2FA infrastructure, seized 330 control panel domains, and filed a civil lawsuit naming alleged creator Saad Fridi.

Key points

  • Tycoon 2FA is an AiTM phishing kit sold as phishing-as-a-service (PhaaS) that intercepts credentials and relays them to legitimate services to capture session cookies and bypass MFA.
  • Proofpoint data shows Tycoon 2FA as the highest-volume AiTM phishing threat within Proofpoint's visibility, with over three million messages observed in February 2026.
  • The platform has been sold via Telegram since 2023 and is used by multiple threat actors; it supports campaign customization through a control panel and subscription model.
  • Attackers distribute Tycoon 2FA via email campaigns using malicious links, QR codes, SVGs, and attachments that redirect victims to actor-controlled landing pages mimicking Microsoft or Google login portals.
  • Actors use techniques like “ATO Jumping” (compromising an account to spread phishing URLs) and impersonating target organization Azure AD branding to increase success rates.
  • On 4 March 2026, Microsoft and partners disrupted Tycoon 2FA infrastructure, seized 330 control panel domains, and filed a lawsuit naming Saad Fridi; Proofpoint supported the action with campaign and domain data.

MITRE Techniques

  • [T1566] Phishing – Tycoon 2FA was “distributed via email campaigns” and uses deceptive messages to trick victims into visiting actor-controlled sites (‘Tycoon 2FA distributed via email campaigns’).
  • [T1566.002] Phishing: Link – Emails redirect victims via malicious links and QR codes to actor-controlled landing pages (‘Emails may contain malicious links, QR codes, SVGs, or attachments with URLs’).
  • [T1566.001] Phishing: Attachment – Actors used attachments (e.g., PDFs) containing QR codes that led to Tycoon 2FA landing pages (‘PDF attachment containing a QR code leading to Tycoon 2FA’).
  • [T1078] Valid Accounts – Threat actors leverage compromised accounts to distribute Tycoon 2FA URLs and expand reach (‘Some Tycoon 2FA users are leveraging “ATO Jumping” whereby the actor compromises an initial email account, uses the compromised sender to broadly distribute Tycoon 2FA URLs’).
  • [T1550.003] Use of Web Session Cookie – The kit captures Microsoft 365 and Gmail session cookies to bypass MFA and achieve account takeover (‘harvest usernames, passwords, and Microsoft 365 and Gmail session cookies’).
  • [T1557] Adversary-in-the-Middle – Tycoon 2FA operates as an AiTM proxy that intercepts credentials and relays them to legitimate services (‘operates as an AitM phishing kit’).
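The T1550.003 and T1557 behaviour above leaves a detectable trace in identity-provider sign-in logs: the MFA-validated login is completed from the AiTM proxy's IP, and the stolen session cookie is then replayed from the attacker's own host. The following is an added detection example written for this summary (not Proofpoint's or Microsoft's code); the event field names (`ts`, `user`, `session`, `ip`, `asn`, `kind`) and the sample events are constructed assumptions, so map them to whatever your IdP's sign-in log actually exports.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data). Session S1 is established by an
# MFA-validated interactive login from one IP/ASN, then reused minutes later from a
# different IP/ASN: the pattern left behind when an AiTM kit relays the login and the
# operator replays the captured session cookie. Session S2 is benign reuse.
SAMPLE_EVENTS = [
    {"ts": "2026-03-04T09:00:00", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.7", "asn": "AS64500", "kind": "interactive_mfa"},
    {"ts": "2026-03-04T09:03:10", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.42", "asn": "AS64501", "kind": "token"},
    {"ts": "2026-03-04T10:00:00", "user": "bob@example.com", "session": "S2",
     "ip": "192.0.2.10", "asn": "AS64502", "kind": "interactive_mfa"},
    {"ts": "2026-03-04T11:30:00", "user": "bob@example.com", "session": "S2",
     "ip": "192.0.2.10", "asn": "AS64502", "kind": "token"},
]


def find_replayed_sessions(events, window=timedelta(hours=24)):
    """Return (user, session, origin_ip, replay_ip) tuples for sessions whose
    MFA-validated origin IP differs from a later non-interactive token use in a
    different ASN within `window`. Events are processed in timestamp order."""
    origins = {}   # (user, session) -> (timestamp, ip, asn) of the MFA-validated login
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        key = (e["user"], e["session"])
        if e["kind"] == "interactive_mfa":
            origins[key] = (ts, e["ip"], e["asn"])
            continue
        origin = origins.get(key)
        if origin is None:
            continue  # token use with no observed MFA origin; out of scope here
        o_ts, o_ip, o_asn = origin
        # Same session, different IP and different ASN, shortly after MFA: flag it.
        if e["ip"] != o_ip and e["asn"] != o_asn and ts - o_ts <= window:
            findings.append((e["user"], e["session"], o_ip, e["ip"]))
    return findings


if __name__ == "__main__":
    for user, session, origin_ip, replay_ip in find_replayed_sessions(SAMPLE_EVENTS):
        print(f"possible session-cookie replay: {user} session={session} "
              f"mfa_from={origin_ip} reused_from={replay_ip}")
```

Requiring both an IP and an ASN change keeps mobile-carrier address churn out of the alert, at the cost of missing an operator who replays the cookie from the same provider as the proxy; tune the ASN condition to your environment.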

Indicators of Compromise

  • [Domains] control panel and phishing landing pages – 330 control panel domains seized, actor-controlled phishing domains and landing pages (no specific domain strings provided in article).
  • [URLs] phishing redirect targets – actor-controlled URLs that mimic Microsoft/Google login portals, QR-code URLs embedded in PDF attachments leading to Tycoon 2FA pages.
  • [Email senders] sources of campaigns – compromised enterprise email accounts used to distribute Tycoon 2FA, and compromised Gmail addresses used as senders.
  • [Attachments / Files] lure artifacts – PDF attachments containing QR codes, SVG attachments and other files containing URLs that redirect to Tycoon 2FA landing pages.
  • [Authentication tokens / Cookies] harvested credentials – Microsoft 365 session cookies and Gmail session cookies captured and relayed to attackers as part of MFA bypass activity.

Read more: https://www.proofpoint.com/us/blog/threat-insight/disruption-targets-tycoon-2fa-popular-aitm-phaas