{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/phishing-as-a-service/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","MFA-bypass","phishing-as-a-service"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 4, 2026, Europol announced a technical disruption of the Tycoon2FA Phishing-as-a-Service (PhaaS) platform, which enabled cybercriminals to bypass multifactor authentication (MFA) and compromise email accounts. The takedown involved seizing 330 domains that formed the platform’s core infrastructure. However, following the takedown, CrowdStrike observed only a short-term decrease in Tycoon2FA campaign activity. The volume of cloud compromises has since returned to pre-disruption levels, and the platform continues to employ previously observed TTPs. Tycoon2FA, active since 2023, was responsible for a significant portion of phishing attempts, purportedly generating over 30 million malicious emails in a single month in mid-2025. The platform primarily targets Microsoft 365 and Google accounts using adversary-in-the-middle (AITM) techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictims receive phishing emails directing them to Tycoon2FA CAPTCHA pages.\u003c/li\u003e\n\u003cli\u003eUpon CAPTCHA validation, victims\u0026rsquo; session cookies are stolen.\u003c/li\u003e\n\u003cli\u003eA JavaScript (JS) file is used to extract victims’ email addresses.\u003c/li\u003e\n\u003cli\u003eVictims are redirected to fake Microsoft 365 or Google login pages hosted on a Tycoon2FA domain.\u003c/li\u003e\n\u003cli\u003eVictims enter their credentials into the fake login pages, which are then proxied to a legitimate Microsoft 365 cloud account via an obfuscated JS file.\u003c/li\u003e\n\u003cli\u003eThe threat actor authenticates to the victim’s cloud environment using the stolen cookies and credentials.\u003c/li\u003e\n\u003cli\u003eOnce authenticated, the attacker gains access to the victim\u0026rsquo;s email and other cloud resources.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as data exfiltration, sending phishing emails to other targets, or further compromising the organization\u0026rsquo;s environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe resurgence of Tycoon2FA demonstrates the resilience of PhaaS platforms and their operators. The platform was responsible for a large percentage of phishing attacks in 2025, including 62% of all phishing attempts blocked by Microsoft in mid-2025, and generating over 30 million malicious emails in a single month. Successful attacks can lead to unauthorized access to sensitive data, financial losses, and reputational damage. The observed return to pre-disruption activity levels indicates a sustained threat to organizations relying on MFA for account security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Tycoon2FA Phishing Redirection\u0026rdquo; Sigma rule to detect potential phishing attempts redirecting to Tycoon2FA infrastructure.\u003c/li\u003e\n\u003cli\u003eMonitor email traffic for patterns indicative of phishing campaigns, focusing on emails directing users to external login pages, as described in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eImplement strict session management policies and regularly review user authentication logs for suspicious activity following successful authentication as described in the attack chain, step 7.\u003c/li\u003e\n\u003cli\u003eBlock known Tycoon2FA domains at the DNS resolver, as referenced in the IOC section.\u003c/li\u003e\n\u003cli\u003eEducate users about the tactics used by Tycoon2FA, specifically the use of CAPTCHA pages to steal session cookies, as described in the Attack Chain, step 2.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T08:20:54Z","date_published":"2026-03-28T08:20:54Z","id":"/briefs/2026-04-tycoon2fa-resurgence/","summary":"The Tycoon2FA Phishing-as-a-Service platform, used to bypass multifactor authentication (MFA), has resurged to pre-takedown levels of activity following a disruption effort in March 2026, maintaining its original tactics, techniques, and procedures (TTPs) for credential harvesting and cloud compromise.","title":"Tycoon2FA Phishing-as-a-Service Resurgence After Takedown","url":"https://feed.craftedsignal.io/briefs/2026-04-tycoon2fa-resurgence/"}],"language":"en","title":"CraftedSignal Threat Feed — Phishing-as-a-Service","version":"https://jsonfeed.org/version/1.1"}