Tycoon2FA Phishing Service Resurfaces After Europol-Led Disruption
On March 4, Europol and partners led by Microsoft disrupted the Tycoon2FA phishing-as-a-service (PhaaS) platform, seizing 330 domains tied to its infrastructure, including control panels and phishing pages. The operation targeted a major cybercriminal service known for bypassing two-factor authentication (2FA) on Microsoft 365 and Gmail accounts.
Despite the takedown, the impact was short-lived. CrowdStrike reported that Tycoon2FA’s activity dropped to 25% of pre-disruption levels on March 4–5 but rebounded to full capacity within days. The platform, first documented by Sekoia two years ago, had been a dominant force in phishing, generating 30 million malicious emails monthly and accounting for 62% of all phishing emails blocked by Microsoft.
Tycoon2FA’s operators quickly restored operations using unchanged tactics, including adversary-in-the-middle (AiTM) attacks, business email compromise (BEC), email thread hijacking, and malicious SharePoint links. Post-disruption campaigns used malicious URLs and URL shorteners, and abused legitimate platforms for redirection, while some of the old infrastructure remained active.
Post-compromise activity included creating inbox rules, hidden folders for fraudulent emails, and preparations for BEC operations. CrowdStrike noted that without arrests or physical seizures, cybercriminals can easily rebuild infrastructure, especially when demand for PhaaS remains high. The incident underscores the resilience of phishing services despite law enforcement interventions.
Google cybersecurity rating report: https://www.rankiteo.com/company/google
{
  "id": "GOO1774348563",
  "linkid": "google",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'location': 'Global',
                        'name': 'Microsoft 365 Users',
                        'type': 'Cloud Service Users'},
                       {'location': 'Global',
                        'name': 'Gmail Users',
                        'type': 'Email Service Users'}],
 'attack_vector': ['Adversary-in-the-Middle (AiTM)',
                   'Business Email Compromise (BEC)',
                   'Email Thread Hijacking',
                   'Malicious SharePoint Links',
                   'Malicious URLs',
                   'URL Shorteners'],
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Email Credentials',
                                              'Authentication Tokens']},
 'date_detected': '2024-03-04',
 'description': 'On March 4, Europol and partners led by Microsoft disrupted the Tycoon2FA phishing-as-a-service (PhaaS) platform, seizing 330 domains tied to its infrastructure. Despite the takedown, the platform quickly rebounded to full capacity within days, continuing its operations with unchanged tactics including adversary-in-the-middle (AiTM) attacks, business email compromise (BEC), email thread hijacking, and malicious SharePoint links.',
 'impact': {'identity_theft_risk': 'High',
            'operational_impact': 'Phishing campaigns generating 30 million malicious emails monthly (62% of all phishing emails blocked by Microsoft)',
            'systems_affected': ['Microsoft 365', 'Gmail']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Cybercriminals can quickly rebuild infrastructure after law enforcement disruptions if no arrests or physical seizures occur, especially when demand for PhaaS remains high.',
 'motivation': 'Financial Gain',
 'post_incident_analysis': {'root_causes': 'High demand for PhaaS, lack of arrests or physical seizures, rapid infrastructure rebuilding capabilities'},
 'references': [{'source': 'Europol'},
                {'source': 'Microsoft'},
                {'source': 'CrowdStrike'},
                {'source': 'Sekoia'}],
 'response': {'containment_measures': 'Domain seizures (330 domains)',
              'law_enforcement_notified': 'Europol',
              'third_party_assistance': 'Microsoft, Europol, CrowdStrike, Sekoia'},
 'threat_actor': 'Tycoon2FA Operators',
 'title': 'Tycoon2FA Phishing Service Resurfaces After Europol-Led Disruption',
 'type': 'Phishing-as-a-Service (PhaaS)',
 'vulnerability_exploited': 'Two-Factor Authentication (2FA) Bypass'}