The rise of the Tycoon 2FA phishing kit should serve as a global warning siren for every enterprise. This is not a tool for elite hackers. This is a turnkey kit that anyone with a browser can use to bypass the very MFA and auth apps companies depend on. And it is being used at scale.
Over 64,000 attacks have already been tracked this year, many targeting Microsoft 365 and Gmail because those platforms represent the easiest, fastest path into an enterprise.
Phishing as a Service, No Skill Required
Tycoon 2FA’s power comes from removing the need for technical skill. It is Phishing as a Service, fully packaged, polished, and automated. A teenager who cannot write a line of code can deploy it. The kit walks the operator through setup. It provides fake login pages. It spins up reverse proxy servers.
It does all the heavy lifting. The attacker simply sends a link to hundreds of your employees and waits for one to bite.
Real-Time MFA Relay and Total Session Takeover
Once the victim clicks, Tycoon 2FA does the rest. It intercepts usernames and passwords in real time. It captures session cookies. It proxies the MFA flow directly to Microsoft or Google. The victim thinks they are simply passing a security check, but they are authenticating the attacker.
This is the terrifying part. Even well-trained users fall for this because everything looks pixel-perfect. The pages are dynamic, pulling live responses from legitimate servers.
If Microsoft says enter your code, the page updates instantly. If Google sends a prompt, it appears exactly as expected. There is no visible difference. There is no clue. And there is no way for any legacy MFA or authenticator app to stop it because Tycoon is a man-in-the-middle by design.
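Because the kit captures the session cookie, one place a defender can still see the takeover is in session reuse after MFA completes. The following is an added example, not part of the original article: a heuristic that flags a session presented from a different IP address and user agent than the client that completed MFA. The log schema, event names and sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs); field order is an assumption:
# (timestamp, user, session id, source IP, user agent, event type)
EVENTS = [
    ("2025-01-10T09:00:05", "alice@example.com", "s-100", "198.51.100.23", "Chrome/131 Windows", "mfa_success"),
    ("2025-01-10T09:04:40", "alice@example.com", "s-100", "192.0.2.77", "python-requests/2.32", "token_use"),
    ("2025-01-10T09:10:00", "bob@example.com", "s-200", "203.0.113.10", "Firefox/133 Linux", "mfa_success"),
    ("2025-01-10T09:12:00", "bob@example.com", "s-200", "203.0.113.10", "Firefox/133 Linux", "token_use"),
    ("2025-01-10T10:00:00", "carol@example.com", "s-300", "203.0.113.50", "Safari/18 macOS", "mfa_success"),
    ("2025-01-10T10:20:00", "carol@example.com", "s-300", "203.0.113.99", "Safari/18 macOS", "token_use"),
]

def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Flag sessions reused from a different IP *and* user agent than the
    client that completed MFA, within `window` of the MFA event."""
    origin = {}   # session id -> (time, ip, ua) recorded at MFA completion
    alerts = []
    # ISO 8601 timestamps sort chronologically as strings.
    for ts, user, sid, ip, ua, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "mfa_success":
            origin[sid] = (when, ip, ua)
            continue
        if sid not in origin:
            continue  # no MFA event seen for this session; out of scope here
        t0, ip0, ua0 = origin[sid]
        # An IP change alone is common (roaming, VPN); requiring a user-agent
        # change as well trades some recall for fewer false positives.
        if when - t0 <= window and ip != ip0 and ua != ua0:
            alerts.append((sid, user, ip0, ip))
    return alerts

if __name__ == "__main__":
    for sid, user, ip0, ip in find_replayed_sessions(EVENTS):
        print(f"ALERT session {sid} ({user}): MFA from {ip0}, reused from {ip}")
```

A replay that keeps the same user agent string will not trip this rule, so it is a triage signal to combine with other sign-in telemetry rather than a complete control.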
Built to Evade Detection