
Tycoon 2FA is the dominant phishing-as-a-service (PhaaS) platform in the world, responsible for an estimated 44.5% of all credential theft attacks tracked globally in 2025 and commanding an 89% share of the adversary-in-the-middle (AiTM) PhaaS market. Its singular innovation: it doesn't just steal passwords. It intercepts fully authenticated sessions after MFA has been completed, making conventional multi-factor authentication (one-time codes, push approvals, SMS) irrelevant.
By placing a reverse proxy between the victim and the legitimate login service, Tycoon 2FA captures the session cookie and tokens issued once the user has passed their MFA challenge. One-time passcodes, push notifications, SMS codes: none of them help, because the attacker replays the resulting session rather than the factor. In nine months of tracking, Group-IB linked the platform to more than 77,000 compromised accounts across more than 10,000 unique corporate email domains.
The PhaaS model is what makes this threat so structurally dangerous. Tycoon 2FA’s developers maintain and update the kit; affiliates purchase access and run campaigns without needing to understand the technical mechanics. It mirrors legitimate SaaS businesses: tiered pricing, customer support, product updates. The result is enterprise-grade MFA bypass in the hands of operators who previously lacked the technical capacity to execute it. According to Group-IB’s HTCT 2025/2026 report, the number of active AiTM-capable PhaaS platforms doubled year-on-year.
Key Numbers:
— 44.5% of all credential theft attacks globally in 2025
— 89% share of the AiTM PhaaS market
— 77,000+ compromised accounts in the tracked period
— 10,000+ unique corporate email domains affected
— AiTM PhaaS platforms doubled in number between 2023 and 2024
Geography: Global; English-speaking markets and the EU are primary, and per-campaign geofencing configurations allow geographic customization.
Targets: Platform-wide campaigns against Microsoft 365 environments in financial services, healthcare, government and technology sectors globally; responsible for nearly half of all credential theft attacks tracked by Group-IB.
The core mechanism is an adversary-in-the-middle (AiTM) reverse proxy deployed between the victim’s browser and the legitimate identity provider — most commonly Microsoft 365.
The victim enters credentials on what appears to be the real login page. The proxy forwards them to the legitimate service in real time; the service responds with an MFA challenge, which the proxy passes back to the victim; the victim satisfies it (OTP, push approval or SMS code) and that response is relayed the same way. Once the identity provider issues the post-MFA session cookie (and, where the flow produces them, OAuth access and refresh tokens), the proxy captures it and hands it to the attacker, who imports it into their own browser. The password and second factor are never replayed: the attacker holds a session the identity provider has already marked as MFA-satisfied, so use from the attacker's device looks like an ordinary continuation of the victim's session.
Kit Components:
— Reverse proxy: core infrastructure sitting between the victim and the legitimate authentication service; intercepts fully authenticated session tokens after MFA completion
— Login page templates: pre-built high-fidelity replicas of Microsoft 365 and other brand login pages matching logos, fonts and layout
— Token harvesting: captures OAuth tokens, session cookies and other authentication artifacts
— CAPTCHA gating: blocks automated scanners and security crawlers
— Browser fingerprinting: JavaScript-based detection of sandboxed or headless browser environments
— Geofencing: restricts phishing page access to targeted geographic regions; enables per-campaign customization
Tycoon 2FA works because it sits between the user and the real login page and captures the session token after MFA is completed, so the identity provider and the controls around it see a legitimate, MFA-satisfied authentication flow; the only visible anomaly is the session later being used from an IP, device and location that are not the user's. Short of phishing-resistant MFA, the only reliable way to catch this at scale is mapping the phishing infrastructure before it reaches your users, which requires adversary-centric threat intelligence that tracks how these kits evolve their tactics across campaigns, not just static indicators that expire within hours.
Deploy phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) for all users, prioritizing privileged and high-risk accounts, and remove weaker fallback methods (SMS, voice, OTP) where possible. This blocks the classic AiTM reverse-proxy authentication relay because the authenticator's response is cryptographically bound to the origin the browser is actually talking to: an assertion produced on the phishing domain is not valid for the legitimate one.
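The relay described above, and why origin binding breaks it, as an added example that is not Group-IB's code or a real Tycoon 2FA component. It simulates a simplified WebAuthn authenticator and relying party; HMAC under a shared key stands in for the per-credential asymmetric signature, since the point is which fields are signed, not the algorithm. The domains, nonces and key are constructed for the example.

```python
"""WebAuthn origin binding versus an AiTM relay (simplified simulation).

Added example, not Group-IB's code. HMAC with a shared key replaces the
real per-credential asymmetric signature; the checks are the ones a
relying party performs, the crypto is a stand-in. All names are constructed.
"""
import hashlib
import hmac
import json

LEGIT_ORIGIN = "https://login.example"        # constructed: real identity provider
LEGIT_RP_ID = "login.example"
PHISH_ORIGIN = "https://login-example.test"   # constructed: the reverse-proxy domain
PHISH_RP_ID = "login-example.test"
CREDENTIAL_KEY = b"per-credential-secret"     # stand-in for the credential private key


def authenticator_assert(challenge: bytes, origin: str, rp_id: str) -> dict:
    """Browser + authenticator side. The browser writes the origin it is actually
    connected to into clientDataJSON (page script cannot change it), and the
    authenticator signs authData || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def relying_party_verify(assertion: dict, expected_challenge: bytes) -> tuple:
    """Legitimate IdP side. Returns (accepted, reason)."""
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if client.get("origin") != LEGIT_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    if assertion["auth_data"][:32] != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def direct_login() -> tuple:
    """User on the real site: accepted."""
    challenge = hashlib.sha256(b"nonce-1").digest()
    assertion = authenticator_assert(challenge, LEGIT_ORIGIN, LEGIT_RP_ID)
    return relying_party_verify(assertion, challenge)


def aitm_relayed_login() -> tuple:
    """The proxy fetches a real challenge from the IdP and forwards it, exactly
    as it relays an OTP prompt. The victim's browser is on the phishing origin,
    so that origin (and RP ID) is what gets signed; the proxy forwards the
    assertion unchanged because it cannot produce a signature itself."""
    challenge = hashlib.sha256(b"nonce-2").digest()
    assertion = authenticator_assert(challenge, PHISH_ORIGIN, PHISH_RP_ID)
    return relying_party_verify(assertion, challenge)


def aitm_tampered_login() -> tuple:
    """The proxy rewrites the origin field before forwarding. The rpIdHash is set
    to the legitimate value here only so the check reaches the signature step:
    the signature no longer covers the bytes the IdP sees."""
    challenge = hashlib.sha256(b"nonce-3").digest()
    assertion = authenticator_assert(challenge, PHISH_ORIGIN, LEGIT_RP_ID)
    client = json.loads(assertion["client_data"])
    client["origin"] = LEGIT_ORIGIN
    assertion["client_data"] = json.dumps(client, sort_keys=True).encode()
    return relying_party_verify(assertion, challenge)


if __name__ == "__main__":
    for name, fn in (("direct", direct_login), ("relayed", aitm_relayed_login),
                     ("tampered", aitm_tampered_login)):
        print(name, fn())
```

In a real browser the relayed case fails even earlier: a credential registered for `login.example` is never offered to a page on `login-example.test`, because the RP ID must be a registrable suffix of the current origin. The simulation lets the assertion be produced so that the relying party's own origin and signature checks are visible.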
Require device compliance checks, evaluate risk signals such as impossible travel or unfamiliar device characteristics, and enforce step-up authentication for sensitive operations.
Monitor sign-in and audit logs for session tokens created from known malicious infrastructure, sign-in locations inconsistent with the user's profile, or OAuth token requests and consent grants initiated outside normal user behavior. A session cookie being used from a second IP or network shortly after it was issued is the most direct indicator of AiTM replay.
Hunt and take down phishing infrastructure proactively, using Digital Risk Protection for real-time detection and removal of Tycoon 2FA phishing pages and domains, reducing the operational lifespan of each campaign.
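The monitoring described above, as detection logic run over sample sign-in records. This is an added example, not Group-IB's code: the records are constructed and use a simplified schema modeled on Entra ID sign-in log fields (sessionId, ipAddress, location), and the users, IPs, coordinates, thresholds and the "malicious infrastructure" list are invented for the example.

```python
"""Sign-in log detection for AiTM session-token replay.

Added example, not Group-IB's code. Records and the indicator feed are
constructed; the schema is a simplified model of Entra ID sign-in fields.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MALICIOUS_IPS = {"203.0.113.77"}   # constructed threat-intel feed of PhaaS infrastructure
MAX_PLAUSIBLE_KMH = 900.0          # assumed: anything faster than airline travel
SESSION_WINDOW_MIN = 60            # assumed: reuse window worth alerting on

SIGNINS = [
    {"user": "a.lee@corp.example", "sessionId": "S1", "ip": "198.51.100.10",
     "country": "GB", "lat": 51.50, "lon": -0.12, "ts": "2025-03-04T09:02:00",
     "mfa": "completed"},
    # Same session 14 minutes later from another continent and a listed IP:
    # the cookie was replayed, so the IdP records MFA as already satisfied.
    {"user": "a.lee@corp.example", "sessionId": "S1", "ip": "203.0.113.77",
     "country": "NG", "lat": 6.45, "lon": 3.39, "ts": "2025-03-04T09:16:00",
     "mfa": "satisfied by claim in token"},
    {"user": "b.ng@corp.example", "sessionId": "S2", "ip": "198.51.100.20",
     "country": "DE", "lat": 52.52, "lon": 13.40, "ts": "2025-03-04T10:00:00",
     "mfa": "completed"},
    {"user": "b.ng@corp.example", "sessionId": "S3", "ip": "198.51.100.21",
     "country": "DE", "lat": 48.14, "lon": 11.58, "ts": "2025-03-04T13:00:00",
     "mfa": "completed"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def detect(signins):
    """Return a list of alerts {rule, user, detail}, in rule order."""
    alerts = []
    recs = sorted(signins, key=_ts)

    # Rule 1: sign-in from infrastructure already attributed to a PhaaS campaign.
    for r in recs:
        if r["ip"] in MALICIOUS_IPS:
            alerts.append({"rule": "malicious_ip", "user": r["user"],
                           "detail": f"{r['ip']} on session {r['sessionId']}"})

    # Rule 2: one session token used from more than one IP within the window.
    by_session = {}
    for r in recs:
        by_session.setdefault(r["sessionId"], []).append(r)
    for sid, group in by_session.items():
        first = group[0]
        for r in group[1:]:
            mins = (_ts(r) - _ts(first)).total_seconds() / 60
            if r["ip"] != first["ip"] and mins <= SESSION_WINDOW_MIN:
                alerts.append({"rule": "session_reuse", "user": r["user"],
                               "detail": f"{sid}: {first['ip']} -> {r['ip']} in {mins:.0f} min"})
                break

    # Rule 3: impossible travel between consecutive sign-ins for the same user.
    by_user = {}
    for r in recs:
        by_user.setdefault(r["user"], []).append(r)
    for user, group in by_user.items():
        for prev, cur in zip(group, group[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            # Zero elapsed time with a real distance is still impossible travel.
            if hours > 0:
                speed = km / hours
            else:
                speed = float("inf") if km > 50 else 0.0
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "detail": f"{km:.0f} km in {hours * 60:.0f} min"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SIGNINS):
        print(alert)
```

Rule 2 is the one specific to AiTM: an OTP phish that only harvests credentials produces a fresh session from the attacker's IP, whereas a replayed cookie produces the same session identifier from two networks. Rule 3 catches the same event without a session identifier, at the cost of false positives from VPN exits.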
A compromised session token grants access to email, SharePoint, OneDrive, Teams and every Microsoft Entra ID-connected application; organizations that treat OTP-based MFA as sufficient protection are structurally exposed.
Tycoon 2FA is a phishing-as-a-service (PhaaS) kit that bypasses multi-factor authentication using adversary-in-the-middle (AiTM) session hijacking. The kit deploys a reverse proxy between the victim and the legitimate authentication service, capturing fully authenticated session tokens in real time after the victim completes their MFA challenge, which lets attackers access accounts without ever replaying the password or second factor.
While all AiTM-based PhaaS kits share the core reverse-proxy session-hijacking mechanism, Tycoon 2FA has differentiated itself through aggressive underground marketing, turnkey campaign setup, and rapid template updates for Microsoft 365. According to Group-IB’s Threat Intelligence platform data, Tycoon 2FA has expanded its template library and evasion modules faster than competing kits like EvilProxy and Greatness, making it the preferred choice for affiliates seeking low-effort, high-volume MFA-bypass campaigns.
Tycoon 2FA stacks multiple evasion layers: CAPTCHA challenges (including Cloudflare Turnstile) to block automated scanners, JavaScript-based browser fingerprinting to detect sandboxed environments, geofencing to restrict phishing page access to targeted regions, and hosting on legitimate CDN providers to benefit from trusted domain reputations. These layers combined make it extremely difficult for conventional detection tools to even reach the phishing page.
First, contain: reset the password and revoke all active sessions and OAuth refresh tokens for the affected account. Both are needed, since revoking sessions alone leaves a known password usable and a password reset does not shorten the life of already-issued access tokens. Also review the account's registered authentication methods and devices and remove any the attacker added, because an attacker-registered authenticator survives a password reset. Second, review audit logs for post-compromise activity, specifically inbox forwarding and deletion rules, OAuth application consent grants, and file access events across Microsoft 365 services, within the first 15 minutes of detection. Third, submit the phishing URL to your threat intelligence platform for infrastructure correlation and indicator extraction, and block all associated domains, IPs and TLS certificate fingerprints across your email gateway and web proxy.
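The second step above, the audit-log review, as triage logic run over sample events. This is an added example, not Group-IB's code: the events are constructed and use a simplified schema loosely modeled on Microsoft 365 unified audit log records (Operation, UserId, Parameters); the operation names follow Exchange and Entra ID audit activity names, but the app names, domains, thresholds and timestamps are invented for the example.

```python
"""Post-compromise triage over constructed Microsoft 365 audit events.

Added example, not Group-IB's code. Schema is a simplified model of the
unified audit log; allowlists and thresholds are assumptions.
"""
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"corp.example"}              # constructed tenant domain
APPROVED_APPS = {"Microsoft Teams", "Outlook"}    # constructed consent allowlist
BULK_DOWNLOAD_THRESHOLD = 20                      # assumed: files per window
BULK_DOWNLOAD_WINDOW = timedelta(minutes=10)
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def _evt(ts, user, op, **params):
    return {"ts": ts, "user": user, "op": op, "params": params}


EVENTS = [
    # Attacker-created rule: single-character name, external forward, deletes originals.
    _evt("2025-03-04T09:18:00", "a.lee@corp.example", "New-InboxRule",
         Name=".", ForwardTo="drop@mail.attacker.example", DeleteMessage=True),
    _evt("2025-03-04T09:20:00", "a.lee@corp.example", "Consent to application.",
         AppDisplayName="PDF Viewer Pro", Scopes="Mail.Read offline_access"),
    _evt("2025-03-04T09:22:00", "a.lee@corp.example", "User registered security info",
         Method="Microsoft Authenticator"),
    # Benign rule on an uncompromised account, kept to show it is not flagged.
    _evt("2025-03-04T09:30:00", "b.ng@corp.example", "New-InboxRule",
         Name="Invoices", MoveToFolder="Finance"),
]
# 25 downloads in just over four minutes from the compromised account.
EVENTS += [_evt(f"2025-03-04T09:{25 + i // 6:02d}:{(i % 6) * 10:02d}", "a.lee@corp.example",
                "FileDownloaded", ObjectId=f"https://corp.example/sites/fin/doc{i}.xlsx")
           for i in range(25)]


def _external(address):
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def triage(events):
    """Return findings {user, rule, detail} for the four artifact classes."""
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        p, user = e["params"], e["user"]
        if e["op"] in ("New-InboxRule", "Set-InboxRule"):
            ext = [p[k] for k in FORWARDING_PARAMS if k in p and _external(p[k])]
            if ext or p.get("DeleteMessage") or len(p.get("Name", "")) <= 2:
                findings.append({"user": user, "rule": "suspicious_inbox_rule",
                                 "detail": f"name={p.get('Name')!r} forward={ext} "
                                           f"delete={bool(p.get('DeleteMessage'))}"})
        elif e["op"] == "Consent to application." and p.get("AppDisplayName") not in APPROVED_APPS:
            findings.append({"user": user, "rule": "unapproved_consent",
                             "detail": f"{p['AppDisplayName']} scopes={p.get('Scopes')}"})
        elif e["op"] == "User registered security info":
            findings.append({"user": user, "rule": "new_auth_method",
                             "detail": p.get("Method", "?")})

    # Bulk file access: sliding window over each user's downloads.
    downloads = {}
    for e in events:
        if e["op"] == "FileDownloaded":
            downloads.setdefault(e["user"], []).append(datetime.fromisoformat(e["ts"]))
    for user, times in downloads.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= BULK_DOWNLOAD_WINDOW)
            if n >= BULK_DOWNLOAD_THRESHOLD:
                findings.append({"user": user, "rule": "bulk_download",
                                 "detail": f"{n} files within {BULK_DOWNLOAD_WINDOW}"})
                break
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The `new_auth_method` rule is the one most often missed: an attacker who registers their own authenticator during the hijacked session keeps MFA-capable access after the password reset and token revocation, so that finding should feed straight back into the containment step.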
Costs compound rapidly: incident response, regulatory notification, credential resets across the organization, potential ransom demands, and reputational damage. A single stolen session token can unlock access to email, cloud storage, and all connected SaaS applications. Group-IB research indicates the average organizational exposure from a single PhaaS-enabled account takeover extends to 3 to 5 connected cloud services, with business email compromise, data exfiltration, and lateral movement all common downstream consequences.
Group-IB analysts assess that PhaaS kits will integrate generative AI for dynamic phishing content and real-time page customization that evades template-based detection. As organizations adopt FIDO2/WebAuthn, operators will pivot toward targeting OAuth consent flows, post-authentication session management, and cloud-native identity mechanisms. The criminal supply chain model will continue to lower the barrier to entry for MFA-bypass attacks with each product iteration.