The Tycoon2FA phishing-as-a-service platform disrupted by Europol and Microsoft on March 4 saw activity fall only briefly after 330 domains were seized; it returned to its previous operational volume within days. CrowdStrike reported that daily campaign volume dropped to about 25% of pre-disruption levels on March 4–5 before rebounding to early-2026 levels, with the service continuing to target Microsoft 365 and Gmail accounts for BEC and cloud account takeovers. #Tycoon2FA #Microsoft365
Key points
- Microsoft-led action seized 330 domains tied to Tycoon2FA’s control panels and phishing pages on March 4.
- CrowdStrike observed a short-term drop to ~25% of pre-disruption volume, but activity returned to pre-disruption levels within days.
- Tycoon2FA is a PhaaS that uses adversary-in-the-middle (AitM) techniques to bypass 2FA and targets Microsoft 365 and Gmail. An AitM phishing page proxies the real login flow: the victim's password and one-time code are relayed to the genuine provider and the resulting session cookie is captured and reused by the attacker, which is why OTP and push-based MFA do not stop it, whereas origin-bound phishing-resistant credentials (FIDO2/passkeys) cannot be relayed through a proxy on a different domain.
- The platform supports BEC, email thread hijacking, cloud account takeovers, and distribution via malicious URLs, shorteners, and compromised or legitimate redirecting sites.
- Without arrests or physical seizures, operators rapidly replace infrastructure, keeping the service viable while demand in the phishing ecosystem persists.
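The bypass described under the AitM point above leaves a detectable trace: the MFA-backed interactive sign-in happens from the victim's network, but the stolen session is then used from the attacker's infrastructure. The following is an added example, not code from the original report or from any vendor; the sign-in records are constructed for illustration and the field names are assumptions loosely modelled on cloud identity sign-in logs, not a real log schema.

```python
"""
Added example: a simple heuristic for AitM session-cookie replay. A session
whose MFA-satisfied interactive login is followed, within a short window, by
non-interactive use from a different ASN is flagged. Field names and sample
data are constructed for illustration (assumed schema, not a real product's).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    asn: int           # autonomous system of the source IP (assumed field)
    interactive: bool  # True for the credential + MFA prompt, False for cookie/token use
    mfa_satisfied: bool
    session_id: str    # identifier tied to the issued session cookie (assumed field)


# Constructed sample records. Session "s-1" shows the replay pattern: MFA login
# from ASN 64500, then the same session used 90 seconds later from ASN 64501.
# Session "s-2" is benign: all activity stays on the same ASN.
SAMPLE: List[SignIn] = [
    SignIn(datetime(2026, 3, 6, 9, 0, 0), "alice@example.com", "203.0.113.10", 64500, True, True, "s-1"),
    SignIn(datetime(2026, 3, 6, 9, 1, 30), "alice@example.com", "198.51.100.7", 64501, False, True, "s-1"),
    SignIn(datetime(2026, 3, 6, 10, 0, 0), "bob@example.com", "203.0.113.20", 64500, True, True, "s-2"),
    SignIn(datetime(2026, 3, 6, 10, 5, 0), "bob@example.com", "203.0.113.20", 64500, False, True, "s-2"),
]


def find_session_replay(
    events: Iterable[SignIn], window: timedelta = timedelta(minutes=30)
) -> List[Tuple[str, str, str, str]]:
    """Return (user, session_id, login_ip, replay_ip) for every session whose
    first MFA-satisfied interactive sign-in is followed within `window` by a
    non-interactive sign-in from a different ASN."""
    by_session = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(e.session_id, []).append(e)

    hits = []
    for sid, evs in by_session.items():
        anchors = [e for e in evs if e.interactive and e.mfa_satisfied]
        if not anchors:
            continue  # no MFA-backed login to compare against
        anchor = anchors[0]
        for e in evs:
            if e.interactive or e.ts < anchor.ts:
                continue  # only later, non-interactive use of the session matters
            if e.ts - anchor.ts <= window and e.asn != anchor.asn:
                hits.append((e.user, sid, anchor.ip, e.ip))
                break  # one alert per session is enough
    return hits


if __name__ == "__main__":
    for user, sid, login_ip, replay_ip in find_session_replay(SAMPLE):
        print(f"possible AitM replay: {user} session {sid} "
              f"MFA login from {login_ip}, reused from {replay_ip}")
```

ASN rather than raw IP is compared so that ordinary mobile or NAT address churn inside one provider does not fire the rule; in practice the window and the ASN comparison would be tuned per tenant, and a hit should be treated as a lead for session revocation and credential reset, not as proof on its own.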