
Tycoon2FA phishing platform returns after recent police disruption

Why This Matters

The resurgence of the Tycoon2FA phishing platform highlights the persistent and adaptive nature of cybercriminal operations targeting cloud accounts and email services. Despite law enforcement efforts to disrupt its infrastructure, the platform quickly resumed malicious activities, underscoring the challenges in combating sophisticated phishing-as-a-service operations and the ongoing threat to consumers and organizations alike.

Key Takeaways

The Tycoon2FA phishing-as-a-service (PhaaS) platform that Europol and partners disrupted on March 4 has already returned to previously observed activity levels.

Microsoft led the technical disruption, which involved seizing 330 domains that formed part of Tycoon2FA’s backbone infrastructure, including the control panels and phishing pages used in attacks.

However, the disruption caused by law enforcement was short-lived: CrowdStrike observed the cybercrime service return to normal operational volumes within days.

“Falcon Complete observed a short-term decrease in the volume of Tycoon2FA campaign activity following the takedown, with daily volumes on March 4 and March 5, 2026, reducing to 25% of pre-disruption levels,” reads CrowdStrike’s report.

“However, this volume subsequently returned to pre-disruption levels, with daily levels of cloud compromise active remediations returning to early 2026 levels.”

First documented by Sekoia roughly two years ago, Tycoon2FA appeared online as a PhaaS platform dedicated to targeting Microsoft 365 and Gmail accounts, featuring adversary-in-the-middle mechanisms that enable bypassing two-factor authentication (2FA) protections.
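The adversary-in-the-middle point above is the one a defender most needs to internalise: a relay proxy between victim and real login page can forward a one-time code because nothing in the code says where it was typed, whereas a WebAuthn/FIDO2 assertion carries the browser-supplied origin and RP ID inside the signed data. The following is an added illustration, not code from the article, CrowdStrike or Sekoia; the origins, keys and challenge are constructed placeholders, and an HMAC stands in for the authenticator's real public-key signature so the script runs with the standard library only.

```python
"""Added example: why an AitM relay can pass on a TOTP code but not a WebAuthn assertion.
All origins, secrets and challenges are constructed placeholders (not from the article);
HMAC stands in for the authenticator's public-key signature."""
import hashlib
import hmac
import json
import struct

RP_ID = "login.example"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example"  # assumed legitimate origin


# ---- One-time codes (TOTP, RFC 6238): nothing in the code binds it to an origin ----
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_login_ok(secret: bytes, submitted_code: str, at: int) -> bool:
    """The server can only check that the digits are right; it cannot tell whether
    the user typed them into the real site or into a look-alike page that relays them."""
    return hmac.compare_digest(totp(secret, at), submitted_code)


# ---- WebAuthn-style assertion: the browser, not the user, supplies the origin ----
def browser_get_assertion(page_origin: str, rp_id: str, challenge: str, key: bytes) -> dict:
    """Models navigator.credentials.get(): the browser refuses an rpId that is not a
    registrable suffix of the page's own host, and writes the page origin into
    clientDataJSON, so a page on another origin cannot forge these fields."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId does not match page origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"), sort_keys=True).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data,
            "signature": hmac.new(key, signed, hashlib.sha256).digest()}


def rp_verify_assertion(assertion: dict, expected_challenge: str, key: bytes) -> tuple:
    """Relying-party checks from the WebAuthn spec: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: the same user authenticates on the real site and on a
    look-alike origin that relays whatever it receives to the real site."""
    otp_secret = b"constructed-totp-seed"
    cred_key = b"constructed-credential-key"
    now = 1_700_000_000
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"
    results = {}
    # 1. TOTP code typed into the look-alike page and relayed: accepted as-is.
    relayed_code = totp(otp_secret, now)
    results["otp_relayed_accepted"] = otp_login_ok(otp_secret, relayed_code, now)
    # 2. WebAuthn on the genuine origin: verifies.
    genuine = browser_get_assertion(EXPECTED_ORIGIN, RP_ID, challenge, cred_key)
    results["webauthn_genuine"] = rp_verify_assertion(genuine, challenge, cred_key)
    # 3. Look-alike page: the browser will not let it use the real RP ID at all ...
    try:
        browser_get_assertion("https://login-example.test", RP_ID, challenge, cred_key)
        results["webauthn_lookalike_rpid"] = "unexpected: browser allowed it"
    except PermissionError as e:
        results["webauthn_lookalike_rpid"] = str(e)
    # ... and even an assertion made under its own RP ID and relayed is rejected by the
    # RP (in reality the authenticator would not even hold a credential for that RP ID;
    # the key is reused here only to show the relying party's own checks fire).
    relayed = browser_get_assertion("https://login-example.test", "login-example.test",
                                    challenge, cred_key)
    results["webauthn_relayed"] = rp_verify_assertion(relayed, challenge, cred_key)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the origin and RP ID hash are written by the browser and covered by the signature, so the relying party's check of `origin` and `rpIdHash` fails for anything produced on another host; the TOTP path has no such field to check, which is exactly the gap an AitM kit exploits and why phishing-resistant MFA is the mitigation for this class of platform.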

A month later, Trustwave reported that Tycoon2FA’s operators were actively improving the platform, adding new, advanced features, and enticing more cybercriminals to purchase access.

Tycoon2FA is a significant actor on the phishing scene, with Microsoft reporting that it generated 30 million phishing emails per month, accounting for 62% of all emails blocked by the tech giant.

According to CrowdStrike, Tycoon2FA is back in business using largely unchanged tactics, techniques, and procedures (TTPs), and supports a diverse set of illegal activities, such as business email compromise (BEC), email thread hijacking, cloud account takeovers, and malicious SharePoint links.

Since the disruption action, Tycoon2FA has been used in malicious email campaigns that rely on malicious URLs and URL shortener services, on legitimate platforms such as presentation tools whose redirection mechanisms are abused, and on compromised domains.
