Tycoon2FA Enables Widespread AiTM Phishing Campaigns

Microsoft Threat Intelligence reports that Tycoon2FA, active since August 2023, operates as a phishing-as-a-service platform sending tens of millions of messages and impacting over 500,000 organizations monthly. The kit provides adversary-in-the-middle MFA interception by capturing session cookies and relaying codes, enabling persistent access. Microsoft supplies Defender detections and practical guidance on mail flow rules, spoof protections, session revocation, and hunting to mitigate these campaigns.