The Rise of Tycoon2FA: Analyzing the Largest AiTM Phishing-as-a-Service Platform

Executive Summary
The cybercriminal ecosystem is defined by the rapid commoditization of attack tools. The emergence of Tycoon2FA in August 2023 marked a significant shift in the landscape of credential theft. Developed and operated by the threat actor tracked by Microsoft as Storm-1747, Tycoon2FA rapidly ascended to become one of the most widespread Phishing-as-a-Service (PhaaS) platforms in operation.
By leveraging Adversary-in-the-Middle (AiTM) capabilities, Storm-1747 enabled even novice threat actors to bypass Multifactor Authentication (MFA). This capability lowered the barrier to entry for large-scale credential harvesting campaigns. Reports indicate that campaigns leveraging Tycoon2FA generated tens of millions of phishing messages, targeting over 500,000 organizations globally across nearly every sector, including education, healthcare, finance, and government. In a coordinated effort with Europol and industry partners, Microsoft’s Digital Crimes Unit (DCU) facilitated the disruption of the platform’s infrastructure. However, understanding the operational mechanics of Tycoon2FA remains critical for security professionals tasked with defending against its persistence.
Threat Analysis
Tycoon2FA operates as a sophisticated phishing kit that mimics legitimate login portals, such as Microsoft 365, OneDrive, Outlook, and Gmail. Unlike standard phishing pages that simply capture credentials, Tycoon2FA employs an Adversary-in-the-Middle (AiTM) architecture. This allows the attacker to capture user session cookies, effectively granting them access to user accounts even after the victim changes their password, unless the active session token is explicitly revoked.
Operational Mechanics
The attack workflow typically follows these steps:
Deception: The victim is lured to a spoofed login page hosted on a Tycoon2FA-controlled domain.
Credential Capture: The victim enters their username and password.
MFA Relay: The victim enters their MFA code. Tycoon2FA intercepts this code and forwards it to the legitimate authentication server via a proxy.
Session Hijacking: Once the server validates the credentials and MFA, it issues a valid session cookie. Tycoon2FA captures this cookie and stores it in its database.
Persistence: The attacker is then redirected to the legitimate application with the stolen session cookie. They have full access to the victim's data without needing the password.
This mechanism bypasses the primary defense of modern enterprise security: MFA. Additionally, Tycoon2FA utilized anti-bot screening and browser fingerprinting techniques to evade automated detection systems, ensuring the malicious pages remained live longer and captured higher-quality leads.
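To make the last point concrete, here is an added example (not code from the report or from the kit): a minimal server-side session store in which an MFA-proxied login yields a genuine token, and a password reset only invalidates that token when the store ties each session to the password version it was issued under. The user and password values are constructed for the demo.

```python
import secrets

# Added example: why a replayed AiTM-stolen cookie survives a password reset
# unless the reset also revokes sessions issued under the old password.


class SessionStore:
    def __init__(self, revoke_on_password_change: bool):
        self.revoke_on_password_change = revoke_on_password_change
        self.passwords = {}   # user -> password (plaintext only for the demo)
        self.pw_version = {}  # user -> counter bumped on every reset
        self.sessions = {}    # token -> (user, pw_version at issue time)

    def register(self, user, password):
        self.passwords[user] = password
        self.pw_version[user] = 0

    def login(self, user, password, mfa_ok):
        # The AiTM proxy relays the victim's real password and real MFA code,
        # so this check passes and a genuine session token is issued.
        if self.passwords.get(user) != password or not mfa_ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.pw_version[user])
        return token

    def is_valid(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return False
        user, issued_version = entry
        if self.revoke_on_password_change:
            # Hardened: a token is only good while the password version it
            # was issued under is still the current one.
            return issued_version == self.pw_version[user]
        return True  # Naive: the token outlives the password reset

    def change_password(self, user, new_password):
        self.passwords[user] = new_password
        self.pw_version[user] += 1


def stolen_cookie_survives_reset(revoke_on_password_change):
    """Replay the report's scenario: the kit captures a token, then the victim
    resets the password. Returns True if the captured token still works."""
    store = SessionStore(revoke_on_password_change)
    store.register("victim@example.com", "hunter2")          # constructed
    stolen = store.login("victim@example.com", "hunter2", mfa_ok=True)
    store.change_password("victim@example.com", "correct-horse-battery")
    return store.is_valid(stolen)
```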
MITRE ATT&CK Mapping
Tycoon2FA's tactics align closely with several techniques within the MITRE ATT&CK framework:
T1566.001 (Phishing: Spearphishing Link): The core vector involves crafting deceptive links to impersonate trusted brands.
T1110.001 (Brute Force: Password Spraying): While Tycoon2FA is not a brute force tool, the platform often facilitates campaigns that utilize credential stuffing techniques against the harvested data.
T1546.004 (Windows Event Log Scripting Modification): Post-compromise, attackers often manipulate logs; Tycoon2FA’s ability to access accounts allows for lateral movement and log tampering.
T1574.003 (DLL Search Order Hijacking) / T1059.001 (Command and Shell: PowerShell): While not explicitly detailed in the source, persistence via stolen session tokens often leads to script execution within the victim's environment, a common follow-up for PhaaS kits.
Disruption and Motivation
The popularity of Tycoon2FA was likely fueled by the takedowns of previous PhaaS leaders like Caffeine and RaccoonO365. Storm-1747 filled the void, offering a reliable, scalable infrastructure. The recent disruption by Microsoft and Europol highlights the difficulty of dismantling these services, as they often rely on decentralized infrastructure and resiliency to remain operational.
Indicators of Compromise (IOCs)
Based on the Microsoft Threat Intelligence report and SecLookup's telemetry, the following domains and URLs are confirmed malicious. These infrastructure components were used to host phishing pages, relay MFA codes, and store stolen credentials.
SecLookup Detection
SecLookup’s threat intelligence platform was actively detecting and blocking this threat. As soon as these domains and URL patterns were identified within the Microsoft Threat Intelligence ecosystem, SecLookup’s automated ruleset was updated to flag and block traffic destined for these hosts.
SecLookup users are currently protected against:
Direct access to malicious domains (*.wnrathttb.ru, *.efwzxgd.es, etc.).
Phishing URLs containing the encoded email placeholders (e.g., /*EMAIL_ADDRESS).
Traffic destined to the backend proxies used for MFA relay.
Users should ensure their SecLookup blocks are up-to-date to prevent any residual access to these infrastructure elements.
Recommendations
To defend against sophisticated AiTM phishing kits like Tycoon2FA, organizations must move beyond simple password hygiene and adopt a defense-in-depth strategy.
Monitor for Session Persistence: Since Tycoon2FA captures valid session cookies, monitor for login activity from unusual geographic locations or at odd hours immediately following a password reset or user flagging.
Implement Conditional Access Policies: Enforce policies that require risk assessment before granting access. For example, block access from unrecognized devices or locations, even if MFA is present.
Review User Training: Educate users on the nuances of AiTM attacks. Users should be wary of URL discrepancies and should verify the domain authenticity before entering credentials.
Leverage Phishing Detection Tools: Deploy solutions that inspect email links and URLs before they reach the inbox, specifically targeting the obfuscated domains and URL structures used by these kits.
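As an added illustration of the "Monitor for Session Persistence" recommendation (example code, not from the report or any vendor product), the detector below walks constructed sign-in records and flags two things the AiTM flow produces: a session cookie issued in one country and later presented from another, and a session issued before a password reset that is still in use after it. The record layout and field names are assumptions for the demo.

```python
from datetime import datetime

# Constructed sample records: (timestamp, user, event, session_id, country).
# The format is an assumption; real sign-in logs carry the same facts
# under different field names.
SAMPLE_LOG = [
    ("2026-03-01T08:00:00", "alice", "signin", "s1", "DE"),
    ("2026-03-01T08:05:00", "alice", "session_use", "s1", "DE"),
    ("2026-03-01T08:20:00", "alice", "session_use", "s1", "NG"),  # replayed cookie
    ("2026-03-01T09:00:00", "alice", "password_reset", None, "DE"),
    ("2026-03-01T09:30:00", "alice", "session_use", "s1", "NG"),  # survives reset
    ("2026-03-01T10:00:00", "bob", "signin", "s2", "US"),
    ("2026-03-01T10:10:00", "bob", "session_use", "s2", "US"),
]


def find_suspicious_sessions(records):
    """Return sorted, de-duplicated (user, session_id, reason) findings."""
    findings = set()
    issued = {}      # session_id -> (user, issue time, issue country)
    last_reset = {}  # user -> time of the most recent password reset
    for ts, user, event, sid, country in records:
        t = datetime.fromisoformat(ts)
        if event == "signin":
            issued[sid] = (user, t, country)
        elif event == "password_reset":
            last_reset[user] = t
        elif event == "session_use" and sid in issued:
            _, t_issued, issue_country = issued[sid]
            # Same cookie presented from a different country than where
            # it was issued: consistent with an AiTM-captured session.
            if country != issue_country:
                findings.add((user, sid,
                              f"cookie issued in {issue_country} used from {country}"))
            # Session predates the reset but is still active afterwards:
            # the reset did not revoke it.
            if user in last_reset and t_issued < last_reset[user] <= t:
                findings.add((user, sid,
                              "session issued before password reset still in use"))
    return sorted(findings)
```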
References
- Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale by Microsoft Threat Intelligence and Microsoft Defender Security Research Team, Microsoft Security Blog (March 4, 2026)