Tycoon 2FA Phishing Kit Bypasses MFA on Entra ID and Google Workspace Accounts
Tycoon 2FA, a phishing-as-a-service kit active since August 2023, continues to threaten Microsoft Entra ID and Google Workspace accounts by stealing authenticated session tokens instead of only collecting usernames and passwords.
The kit works as an adversary-in-the-middle phishing platform. It places a proxy between the victim and the real login service, lets the victim complete multi-factor authentication, and then captures the session cookie or token that proves the login was successful.
Elastic Security Labs says current Tycoon 2FA activity includes two major variants: a WebSocket-based relay flow and Microsoft device-code-grant abuse. Both techniques can help attackers reach cloud accounts even when users have MFA enabled.
Tycoon 2FA Remains Active After a Major Takedown
Tycoon 2FA became one of the most visible AiTM phishing kits because it lowered the skill needed to run advanced credential theft campaigns. Instead of building infrastructure from scratch, attackers could rent the kit and use ready-made phishing pages, redirect chains, admin panels, and evasion features.
Microsoft linked the platform to Storm-1747 and said Tycoon 2FA campaigns sent tens of millions of phishing messages to more than 500,000 organizations each month. The company also said the kit allowed less experienced attackers to bypass commonly used MFA methods through AiTM attacks.
A March 2026 disruption did not end the threat. Trend Micro said Microsoft, Europol, Cloudflare, Coinbase, eSentire, Health-ISAC, Intel471, Proofpoint, Resecurity, SpyCloud, TrendAI, and other partners helped take down more than 300 domains tied to Tycoon 2FA operations.
How Tycoon 2FA Bypasses MFA
The attack usually starts with a phishing email. The message may include a link or a file attachment such as a PDF, HTML file, SVG file, or document with a QR code. The victim follows the link and moves through several redirects before seeing a fake login page that looks like Microsoft 365, Entra ID, Google, or another trusted cloud service.
The fake page does not simply collect a password and stop. Tycoon 2FA relays the login process to the real identity provider in real time. When the victim enters credentials and completes MFA, the real service issues a valid session token. The kit captures that token and gives the attacker access without needing to ask for another MFA approval.
ANY.RUN lists Tycoon 2FA as a phishing kit designed to bypass MFA protections, particularly against Microsoft 365 and Gmail accounts. Its tracker also shows the kit remains active, with recent samples linked to phishing activity.
Two Main Attack Flows Are in Use
| Attack flow | Target platform | What it does |
|---|---|---|
| WebSocket AiTM relay | Microsoft Entra ID and Google Workspace | Relays the victim’s real login session and captures post-MFA tokens or cookies |
| Device-code-grant abuse | Microsoft 365 and Entra ID | Tricks users into authorizing attacker-controlled access through Microsoft’s device login flow |
The WebSocket variant behaves like a live bridge between the victim and the legitimate login service. It can capture credentials, authentication responses, access tokens, refresh tokens, and session cookies while the user believes they are signing in normally.
The device-code variant targets Microsoft 365 differently. Instead of showing only a fake login form, the attacker obtains a device code and convinces the victim to enter it through a legitimate Microsoft login page. If the user approves the request, the attacker receives tokens for Microsoft services such as mail, files, or collaboration tools.
eSentire documented newer Tycoon 2FA activity using OAuth device code phishing. That change matters because device-code phishing can abuse a real authentication workflow while hiding the fact that the victim is authorizing a device controlled by the attacker.
Why Session Theft Makes Traditional MFA Weaker
Traditional MFA still helps against many password theft attacks, but AiTM kits change the problem. The attacker does not need to know the MFA code later because the victim already completed MFA during the phishing session.
Once the attacker has a valid token or cookie, they may access the account, read mail, search files, create inbox rules, register persistence, or move deeper into the organization. Password resets and session revocation may not fully contain the incident if the attacker has registered a device or gained a stronger refresh path.
Elastic says the Microsoft 365 variant can register a rogue device and obtain a primary refresh token. That can make remediation harder because defenders may need to delete suspicious registered devices before revoking sessions.
Evasion Features Make Tycoon 2FA Harder to Analyze
Tycoon 2FA also includes several anti-analysis features. The kit can filter traffic from hosting providers and cloud IP ranges, redirect suspected researchers to harmless pages, block developer tools, detect automation frameworks, and encrypt payloads differently for each victim session.

This makes signature-based detection less reliable. A security team may not see the same JavaScript payload across every victim, and automated scanners may receive different content from real users.
ANY.RUN’s Tycoon 2FA profile notes that the kit uses techniques such as custom CAPTCHAs, redirect chains, legitimate services, and modular infrastructure to make campaigns harder to detect and block.
What Organizations Should Watch For
Tycoon 2FA compromises may not look like a simple failed-login spike. Defenders should watch for suspicious successful logins, token activity, unusual device registration, unexpected OAuth flows, strange user agents, and post-login activity that does not match the user’s normal behavior.
- Successful interactive device-code sign-ins for users who do not normally use that flow
- Microsoft Authentication Broker activity tied to unusual resources
- Node.js-style user agents such as node, axios, undici, or node-fetch in suspicious sign-in activity
- New device registrations with unusual user agents or unexpected timing
- Inbox rules that hide messages, forward mail, or delete security alerts
- Graph API enumeration shortly after a suspicious login
- Google Workspace sign-ins from hosting ASNs or unfamiliar geographies
For Microsoft 365 tenants, blocking device code flow through Conditional Access can help stop the device-code variant. Elastic notes that a successful block may return Entra error code 53003, which can help confirm policy enforcement.
For Google Workspace, defenders should focus on sign-in monitoring, OAuth token review, suspicious app access, context-aware access where available, and fast token revocation after a suspected phishing event.
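The indicators in the list above, the 53003 confirmation signal, and the Google Workspace sign-in checks can be expressed as a small triage pass over sign-in telemetry. The script below is an added example written for this article, not code from Elastic, eSentire, ANY.RUN, Microsoft or Google; the log records in it are constructed to resemble a simplified Entra sign-in export and a Google Workspace login audit event, the field names (`authenticationProtocol`, `appDisplayName`, `resourceDisplayName`, `asn`) are assumptions about an operator's export format, and the hosting ASN list and per-user baselines are placeholders an operator would replace with their own data.

```python
"""Flag sign-in events matching the Tycoon 2FA indicators discussed above.

Added example (not from the article or any vendor). Event shapes, ASN list and
baselines are constructed placeholders; swap in real exports and reputation feeds.
"""
import re
from collections import defaultdict

# Node.js-style HTTP client user agents named in the article.
NODE_UA_PATTERN = re.compile(r"\b(node|axios|undici|node-fetch)\b", re.IGNORECASE)
# Placeholder hosting/cloud ASNs; an operator would load these from a reputation feed.
HOSTING_ASNS = {"AS16509", "AS14061"}
# Resources the Microsoft Authentication Broker is normally expected to touch (assumption).
EXPECTED_BROKER_RESOURCES = {"Microsoft Graph", "Device Registration Service"}
# Entra error returned when Conditional Access blocks the sign-in (article: 53003).
ENTRA_CA_BLOCKED = 53003


def device_code_baseline(history):
    """Users who legitimately used device-code sign-in in a historical window."""
    return {e["user"] for e in history if e.get("authenticationProtocol") == "deviceCode"}


def flag_entra_signin(event, baseline_users):
    """Return the indicator names an Entra sign-in record triggers (empty if benign)."""
    flags = []
    proto = event.get("authenticationProtocol")
    error_code = event.get("status", {}).get("errorCode", 0)
    if proto == "deviceCode":
        if error_code == ENTRA_CA_BLOCKED:
            # Informational: confirms the device-code block policy is being enforced.
            flags.append("device_code_blocked_53003")
        elif error_code == 0 and event["user"] not in baseline_users:
            flags.append("unexpected_device_code_signin")
    if NODE_UA_PATTERN.search(event.get("userAgent", "")):
        flags.append("nodejs_style_user_agent")
    if (event.get("appDisplayName") == "Microsoft Authentication Broker"
            and event.get("resourceDisplayName") not in EXPECTED_BROKER_RESOURCES):
        flags.append("broker_unusual_resource")
    return flags


def flag_google_login(event, known_countries):
    """Return indicator names for a Google Workspace login event."""
    flags = []
    if event.get("asn") in HOSTING_ASNS:
        flags.append("hosting_asn_signin")
    country = event.get("country")
    if country and country not in known_countries.get(event["user"], set()):
        flags.append("unfamiliar_geography")
    return flags


def triage(entra_events, google_events, history, known_countries):
    """Map each user to the list of indicators fired; users with none are omitted."""
    baseline = device_code_baseline(history)
    hits = defaultdict(list)
    for ev in entra_events:
        hits[ev["user"]].extend(flag_entra_signin(ev, baseline))
    for ev in google_events:
        hits[ev["user"]].extend(flag_google_login(ev, known_countries))
    return {user: flags for user, flags in hits.items() if flags}


# ---- Constructed sample data (not real telemetry) ----
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_HISTORY = [
    {"user": "bob@example.com", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
]
SAMPLE_ENTRA = [
    {"user": "alice@example.com", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "userAgent": BROWSER_UA,
     "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph"},
    {"user": "bob@example.com", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "userAgent": BROWSER_UA,
     "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph"},
    {"user": "carol@example.com", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}, "userAgent": "axios/1.6.8",
     "appDisplayName": "Microsoft Authentication Broker",
     "resourceDisplayName": "Office 365 Exchange Online"},
    {"user": "dave@example.com", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 53003}, "userAgent": BROWSER_UA,
     "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph"},
]
SAMPLE_GOOGLE = [
    {"user": "erin@example.com", "asn": "AS14061", "country": "US"},
    {"user": "frank@example.com", "asn": "AS7922", "country": "RO"},
]
KNOWN_COUNTRIES = {"erin@example.com": {"US"}, "frank@example.com": {"US"}}

if __name__ == "__main__":
    for user, flags in triage(SAMPLE_ENTRA, SAMPLE_GOOGLE, SAMPLE_HISTORY, KNOWN_COUNTRIES).items():
        print(user, flags)
```

The 53003 hit is deliberately kept as its own indicator rather than folded into the alert list: it is evidence that the Conditional Access block worked, which a responder wants to see separately from the successful device-code sign-ins that need investigation.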
Phishing-Resistant MFA Is the Strongest Defense
Organizations should not treat push notifications, SMS codes, or time-based one-time passwords as complete protection against AiTM phishing. The victim completes these challenges on the fake login page, and the proxy forwards the result to the real service, so the MFA step succeeds for the attacker's session.
Microsoft’s guidance recommends phishing-resistant MFA, including FIDO2 security keys, Windows Hello for Business, and passkeys. It also recommends reviewing MFA devices, removing suspicious inbox rules, revoking sessions, resetting credentials, and strengthening Conditional Access.
eSentire’s device-code phishing analysis also reinforces the need to restrict device code workflows unless users have a clear business reason to use them. Attackers favor these flows because they can turn a legitimate Microsoft prompt into a convincing social engineering step.
Tycoon 2FA Shows Why MFA Needs Stronger Identity Controls
Tycoon 2FA does not make MFA useless. It shows that organizations need phishing-resistant MFA, device compliance, token protection, Conditional Access, and better identity telemetry alongside user training.
The March 2026 takedown proved that coordinated action can disrupt phishing infrastructure. However, Trend Micro’s takedown report also showed how large and commercialized the PhaaS ecosystem has become, with stolen sessions and compromised accounts creating risks beyond the first victim.
For security teams, the main lesson is clear: stopping Tycoon 2FA requires more than password resets and generic MFA. Teams need to protect the sign-in process, restrict risky authentication flows, and respond quickly when tokens, devices, or OAuth activity look suspicious.
FAQ
Tycoon 2FA is a phishing-as-a-service kit that uses adversary-in-the-middle phishing to steal session tokens from cloud accounts. It mainly targets Microsoft 365, Entra ID, Gmail, and Google Workspace users.
Tycoon 2FA relays the real login process between the victim and the legitimate identity provider. The victim completes MFA normally, but the phishing kit captures the valid session token or cookie after authentication succeeds.
Yes. Current research shows Tycoon 2FA activity targeting both Microsoft Entra ID and Google Workspace. The Google-focused variant uses a WebSocket relay flow to capture authenticated session data.
Device-code phishing abuses legitimate device login workflows. The attacker gets a device code and tricks the victim into entering it on a real Microsoft login page, which can authorize attacker-controlled access if the victim approves the prompt.
Organizations should deploy phishing-resistant MFA such as FIDO2 keys or passkeys, enforce device compliance with Conditional Access, restrict device code flows, enable token protection where available, monitor suspicious sign-ins, and remove suspicious registered devices during response.