
Tycoon 2FA

Global rank: 2 | Month rank: 1 | Week rank: 1 | IOCs: 0

Tycoon 2FA is a phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) protections, particularly targeting Microsoft 365 and Gmail accounts. Its advanced evasion techniques and modular architecture make it a significant threat to organizations relying on MFA for security.

Type: Phishing kit | Origin: Unknown | First seen: 1 August, 2023 | Last seen: 9 October, 2025



What is Tycoon 2FA?

This Adversary-in-the-Middle (AiTM) phishing kit became known in 2023, with significant updates observed through 2025. The PhaaS model allows even low-skilled attackers to deploy sophisticated phishing campaigns.

Tycoon 2FA can intercept user credentials and session cookies to bypass MFA, enabling unauthorized access to accounts even with additional security measures. Organizations using cloud services are at the most risk.

The kit is distributed via Telegram channels starting at $120 for 10 days, with prices varying by domain extension (.com, .net, .org, etc.).

Tycoon 2FA has a multi-stage attack process through social engineering and compromised infrastructure, including phishing emails and QR codes; redirects to fake login pages; exploitation of legitimate services (e.g., Milanote for project collaboration).

Read a detailed breakdown of Tycoon 2FA’s defense evasion techniques.

Victims are directed to a counterfeit login page mimicking Microsoft 365 or Gmail, where they unknowingly enter their credentials. A custom CAPTCHA (previously Cloudflare Turnstile, now HTML5 canvas-based) filters out automated bots and security tools, ensuring only human users proceed.

If MFA is enabled, Tycoon 2FA acts as a man-in-the-middle, relaying MFA prompts and capturing session cookies in real time upon successful authentication. These cookies grant attackers unauthorized access to the victim's account without needing further credentials. Attackers reuse session cookies to bypass security controls and access accounts even if credentials are reset.


Tycoon 2FA Prominent Features

  • MFA Bypass: By capturing session cookies, Tycoon 2FA renders traditional MFA (e.g., SMS, authenticator apps) ineffective, compromising even security-conscious organizations.
  • Targeted Attacks: Primarily targets Microsoft 365 and Gmail, critical for enterprise and cloud environments, leading to potential data breaches, financial loss, or ransomware deployment.
  • Ease of Use: As a PhaaS platform, it provides ready-to-use templates and admin panels, enabling even low-skilled attackers to launch sophisticated campaigns.
  • Longevity: Advanced evasion techniques allow campaigns to remain undetected longer, increasing the number of compromised accounts.
  • Exploitation of Legitimate Infrastructure: Using compromised legitimate accounts and services like Milanote enhances credibility and evades traditional email security filters.
  • Scalability: Over 1,200 domains associated with Tycoon 2FA were identified between August 2023 and February 2024, indicating widespread use.

Tycoon 2FA Execution Process and Technical Details

ANY.RUN’s Interactive Sandbox, trusted by over 500,000 threat analysts and 15,000 SOC teams, contains an extensive collection of malware samples featuring Tycoon 2FA attacks. Let’s examine the phish kit’s strategy and tactics in an illustrative analysis session.

View the analysis and gather actionable data.

Tycoon 2FA sample in ANY.RUN's Interactive Sandbox

The execution chain typically begins with phishing emails or QR codes that direct victims to malicious URLs. These messages often impersonate trusted services and may be sent via legitimate platforms to enhance credibility. When a victim clicks the link, they are redirected through several intermediate pages, including CAPTCHA challenges such as reCAPTCHA or Cloudflare CAPTCHA, which are used to block bots and avoid automated detection systems.

ANY.RUN supports Automated Interactivity (ML) capable of handling such challenges in submitted tasks, including those sent via API. These CAPTCHA steps also help attackers evade sandbox detection by filtering out non-human traffic. During this redirection process, the kit performs environment checks by analyzing IP addresses, user agents, and browser fingerprints to identify security researchers or automated tools. These detections are ineffective against ANY.RUN, which uses residential proxies to simulate legitimate user traffic. If suspicious activity is detected, the visitor is redirected to a benign website to avoid raising alarms.

After passing the environment checks, the victim is taken to a fake login page that closely imitates Microsoft 365 or Gmail authentication portals. These pages are tailored to match the victim’s organization by modifying branding elements using legitimate services. Built with obfuscated and randomized JavaScript and HTML, these pages are designed to evade detection by signature-based security tools.

When the victim submits their credentials and, if prompted, an MFA code, the phishing kit captures the information in real time and forwards it to the legitimate Microsoft or Gmail servers via a reverse proxy. This enables the attackers to intercept valid session cookies, effectively bypassing MFA. With these session tokens, attackers gain persistent, unauthorized access without needing to reauthenticate.
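The session-cookie theft described above (the MFA relay in the "What is Tycoon 2FA?" section and the reverse-proxy step here) leaves a trace on the defender's side: a session minted by an MFA-satisfied interactive sign-in is later presented from a network and browser that never performed that sign-in. The script below is an added example, not ANY.RUN code, and uses a constructed JSON-lines telemetry format and sample records (the field names, IP addresses, ASNs and user agents are all assumptions for illustration, not any vendor's real schema). It correlates token use back to the sign-in that minted the session and flags replay when both the address and the ASN or browser change.

```python
"""Flag probable session-cookie replay in sign-in telemetry.

Added example; not ANY.RUN code. The JSON-lines format and the sample
records below are constructed for illustration and do not follow any
vendor's real log schema.
"""
import json
from datetime import datetime, timedelta

# Constructed telemetry. Session "S1" is minted by an MFA-satisfied sign-in
# from one network and browser, then used a few minutes later from a
# different ASN and a different browser: the cookie has been replayed.
# Session "S2" only changes IP inside the same ASN and browser (NAT churn).
SAMPLE_LOG = """\
{"ts":"2025-10-09T08:00:00Z","user":"alice@example.com","event":"signin","mfa":true,"session":"S1","ip":"203.0.113.10","asn":"AS64496","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/130"}
{"ts":"2025-10-09T08:01:30Z","user":"alice@example.com","event":"token_use","session":"S1","ip":"203.0.113.10","asn":"AS64496","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/130"}
{"ts":"2025-10-09T08:06:00Z","user":"alice@example.com","event":"token_use","session":"S1","ip":"198.51.100.77","asn":"AS64500","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/128"}
{"ts":"2025-10-09T09:00:00Z","user":"bob@example.com","event":"signin","mfa":true,"session":"S2","ip":"192.0.2.5","asn":"AS64501","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2025-10-09T09:20:00Z","user":"bob@example.com","event":"token_use","session":"S2","ip":"192.0.2.6","asn":"AS64501","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
"""


def parse_log(text):
    """Parse JSON lines into records sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_session_replay(events, window=timedelta(hours=24)):
    """Return one alert per token use that looks like a replayed session cookie.

    Heuristic: a session minted by an interactive sign-in is later used from
    a different IP address *and* from either a different ASN or a different
    user agent. A bare IP change inside the same ASN and browser is treated
    as ordinary address churn and is not alerted.
    """
    origin = {}   # session id -> the interactive sign-in that minted it
    alerts = []
    for rec in events:
        sid = rec["session"]
        if rec["event"] == "signin":
            origin[sid] = rec
            continue
        first = origin.get(sid)
        if first is None or rec["ts"] - first["ts"] > window:
            continue  # no observed mint, or outside the correlation window
        ip_changed = rec["ip"] != first["ip"]
        asn_changed = rec["asn"] != first["asn"]
        ua_changed = rec["ua"] != first["ua"]
        if ip_changed and (asn_changed or ua_changed):
            alerts.append({
                "user": rec["user"],
                "session": sid,
                "minted_with_mfa": bool(first.get("mfa")),
                "origin_ip": first["ip"],
                "replay_ip": rec["ip"],
                "minutes_after_signin": (rec["ts"] - first["ts"]).total_seconds() / 60,
                "reasons": [r for r, hit in (("asn", asn_changed), ("ua", ua_changed)) if hit],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The `minted_with_mfa` field is the point of the alert: the session passed MFA, so a credential reset alone does not end the attacker's access, and the response has to revoke the session itself. The ASN-or-browser condition is a deliberate trade-off; tightening it to "any IP change" catches more but floods the queue with mobile and NAT churn.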

To complicate analysis, payloads and exfiltrated data are often encrypted using AES, while URLs are randomized and malicious resources are delayed until after CAPTCHA completion to avoid detection by automated scanners.

What are the best-known Tycoon 2FA attacks?

  • Initial Emergence (August 2023): Identified by Sekoia, targeted Microsoft 365 with AiTM phishing, used phishing emails and Cloudflare Turnstile CAPTCHAs, compromised enterprise accounts.
  • Campaign Expansion (October 2023 - February 2024): Over 3,000 phishing pages, targeted Microsoft 365 and Gmail, used QR codes and Milanote, employed invisible Unicode obfuscation, caused widespread credential theft.
  • Custom CAPTCHA Evolution (Mid-2024): Shifted to HTML5 canvas-based CAPTCHA, added anti-debugging scripts and malformed URLs, prolonged campaign lifespans, targeted corporate accounts.
  • Advanced Obfuscation (April-May 2025): Added browser fingerprinting and payload encryption, rejected Tor/scanner traffic, disabled context menus, increased MFA bypass success.
  • Common Traits: PhaaS sold via Telegram for $120+, bypassed MFA via session cookie theft, targeted Microsoft 365/Gmail, used legitimate services, linked to 1,200+ domains.
  • Impacts: Hit financial sector for fraud, enabled enterprise breaches and ransomware, used stolen credentials for BEC.
  • Detection Challenges: Evaded detection with Unicode obfuscation, custom CAPTCHAs, and dynamic code; no specific threat actor, linked to Saad Tycoon Group.
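The invisible Unicode obfuscation noted in the campaign timeline and under "Detection Challenges" (and the obfuscated, randomized JavaScript mentioned in the execution chain) is something a sandbox or proxy can test for directly: legitimate page scripts contain at most a stray BOM or soft hyphen, whereas padded phishing pages carry dozens of zero-width characters, often in long unbroken runs. The scanner below is an added example, not ANY.RUN code; the sample page, the extra filler code points and the alert thresholds are assumptions constructed for illustration.

```python
"""Spot invisible-Unicode padding inside <script> blocks of a captured page.

Added example; not ANY.RUN code. The sample page is constructed here so the
script runs offline; thresholds are illustrative assumptions.
"""
import re
import unicodedata

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Hangul fillers are category "Lo" (a letter) yet render as blank, so the
# general-category test below would miss them; list them explicitly.
EXTRA_INVISIBLE = {"\u3164", "\uffa0"}


def is_invisible(ch):
    """True for format characters (zero-width space/joiner, BOM, ...) and fillers."""
    return unicodedata.category(ch) == "Cf" or ch in EXTRA_INVISIBLE


def scan_text(text):
    """Count invisible code points and the longest contiguous run of them."""
    counts = {}
    longest = run = 0
    for ch in text:
        if is_invisible(ch):
            counts[ch] = counts.get(ch, 0) + 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return {
        "total": sum(counts.values()),
        "longest_run": longest,
        "by_codepoint": {f"U+{ord(c):04X}": n for c, n in counts.items()},
    }


def scan_html(html, min_total=8, min_run=4):
    """Scan every <script> block; flag blocks above the (assumed) thresholds.

    A single soft hyphen or BOM in legitimate code is normal; dozens of
    zero-width characters, or a long unbroken run of them, is not.
    """
    findings = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        stats = scan_text(m.group(1))
        stats["block"] = i
        stats["suspicious"] = stats["total"] >= min_total or stats["longest_run"] >= min_run
        findings.append(stats)
    return findings


def build_sample_page():
    """Constructed page: one padded script block, one clean block."""
    hidden = "\u200b\u200c" * 20          # 40 zero-width characters in a row
    fillers = "\u3164" * 3                # three Hangul fillers
    return (
        "<html><body><h1>Sign in</h1>\n"
        "<script>\nvar seed = 'a" + hidden + "b';\nvar t = \"" + fillers + "\";\n</script>\n"
        "<script>console.log('clean');</script>\n"
        "</body></html>"
    )


if __name__ == "__main__":
    for f in scan_html(build_sample_page()):
        print(f)
```

Because the check runs on the decoded page text rather than on a signature, randomizing identifiers or reordering the script does not defeat it; the per-code-point breakdown is also useful as a pivot when hunting for related pages.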

Gathering Threat Intelligence on Tycoon 2FA Phish Kit

To counter Tycoon 2FA, organizations should adopt a proactive, multi-layered defense strategy informed by threat intelligence. Solutions like ANY.RUN’s Threat Intelligence Lookup help to detect and block known Tycoon 2FA infrastructure like domains and IPs at the network edge.

Start a Tycoon 2FA investigation by searching for the threat by name in TI Lookup. View any analysis session to get acquainted with the phish kit operators’ TTPs and gather indicators of compromise to set up alerts and defenses.

threatName:"tycoon"

Sandbox malware analyses featuring Tycoon 2FA

Tycoon 2FA IOCs extracted from a malware sample
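Once domain and IP indicators have been gathered from analysis sessions, the two things to do with them are to match them against resolver logs and to push them to the network edge as block rules. The script below is an added example, not ANY.RUN code; the indicator set and the resolver log lines are constructed placeholders in documentation address ranges, not real Tycoon 2FA infrastructure, and the log format is an assumption. It normalizes names (case, trailing dot, IDN), matches exact and child domains without matching a parent domain, matches answer IPs, and emits Response Policy Zone records that NXDOMAIN each indicator and its subdomains.

```python
"""Match a domain/IP indicator set against resolver logs and emit RPZ block rules.

Added example; not ANY.RUN code. The indicators and log lines below are
constructed placeholders in documentation ranges; real indicators would come
from a threat-intelligence source such as the TI Lookup query above.
"""
import ipaddress

# Constructed placeholder indicators (not real Tycoon 2FA infrastructure).
IOC_DOMAINS = {"login-verify.example", "secure-auth.example.net"}
IOC_IPS = {"203.0.113.45"}

# Constructed resolver log: "<ts> <client> <qname> <rtype> <answer>".
SAMPLE_DNS_LOG = """\
2025-10-09T10:00:01Z 10.0.0.21 mail.example.com. A 192.0.2.10
2025-10-09T10:00:05Z 10.0.0.21 cdn.login-verify.example. A 203.0.113.45
2025-10-09T10:00:09Z 10.0.0.33 Secure-Auth.Example.Net. A 198.51.100.9
2025-10-09T10:00:12Z 10.0.0.40 example.net. A 198.51.100.1
2025-10-09T10:00:20Z 10.0.0.52 update.example. A 203.0.113.45
"""


def normalize_domain(name):
    """Lower-case, strip the trailing dot, and convert IDN labels to punycode."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


def normalize_ip(text):
    """Canonical textual form of an IPv4/IPv6 address, or None if not an address."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def domain_hit(qname, iocs):
    """Return the matching indicator for an exact or child-domain match, else None.

    `example.net` in the log must not match the indicator
    `secure-auth.example.net`: only the query's own suffix is compared.
    """
    q = normalize_domain(qname)
    for ioc in iocs:
        d = normalize_domain(ioc)
        if q == d or q.endswith("." + d):
            return d
    return None


def match_dns_log(text, domains=IOC_DOMAINS, ips=IOC_IPS):
    """Return one hit per log line whose name or answer is in the indicator set."""
    wanted_ips = {normalize_ip(ip) for ip in ips}
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, rtype, answer = parts
        d = domain_hit(qname, domains)
        ip = normalize_ip(answer) if rtype in ("A", "AAAA") else None
        ip_matched = ip if ip in wanted_ips else None
        if d or ip_matched:
            hits.append({"ts": ts, "client": client, "qname": normalize_domain(qname),
                         "matched_domain": d, "matched_ip": ip_matched})
    return hits


def to_rpz(domains):
    """Response Policy Zone records that NXDOMAIN each indicator and its subdomains."""
    lines = []
    for d in sorted(normalize_domain(x) for x in domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    for h in match_dns_log(SAMPLE_DNS_LOG):
        print(h)
    print("\n".join(to_rpz(IOC_DOMAINS)))
```

The IP match is kept separate from the domain match on purpose: kits that rotate randomized hostnames on the same hosting often keep the address longer than the name, so an answer-IP hit on an unknown domain (the last log line) is a lead for expanding the indicator set.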


Conclusion

Tycoon 2FA is an evolved phishing kit that poses a significant threat due to its ability to bypass MFA, leverage legitimate infrastructure, and employ advanced evasion techniques like invisible Unicode obfuscation, custom CAPTCHAs, and anti-debugging scripts. Its ease of use and scalability make it accessible to a wide range of cybercriminals, amplifying its impact.

Detection and counteraction require a combination of behavioral monitoring, advanced threat intelligence, phish-resistant MFA, and user awareness.

Use Threat Intelligence Lookup to catch Tycoon 2FA on approach: start with 50 trial searches.
