Microsoft, together with Europol and international partners, has disrupted the phishing-as-a-service provider Tycoon 2FA. The service sent tens of millions of fraudulent emails to more than 500,000 organizations every month and bypassed multi-factor authentication. Microsoft seized 330 active domains through a US court.
Tycoon 2FA, a Phishing-as-a-Service (PhaaS) platform, enabled thousands of cybercriminals to steal login credentials and session tokens. Even accounts secured with MFA could be compromised via a single email. The service had been active since at least 2023 and quickly grew to become one of the most widely used phishing platforms in the world.
The action was announced last night. Based on a court order from the U.S. District Court for the Southern District of New York, Microsoft seized 330 domains. It was the first time such a seizure had been carried out in collaboration with Europol’s Cyber Intelligence Extension Programme (CIEP). Authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom carried out additional operational measures. Trend Micro, Proofpoint, Cloudflare, Intel 471, and others also assisted in the investigation.
Because cyber attackers often switch between malicious service providers, many Tycoon 2FA users came from services that had previously been taken offline. Another service will likely fill the gap, but the coordinated campaign took the attackers’ infrastructure offline. Only by combining data from various authorities and companies was it possible to attack Tycoon 2FA in this way; isolated actions would have given the service the opportunity to rebuild its infrastructure elsewhere or to make up for arrested members. It is not known whether the current campaign was accompanied by arrests, as was the case in previous actions in Egypt and Nigeria.
Extent of the damage
By mid-2025, Tycoon 2FA was responsible for approximately 62 percent of all phishing attempts blocked by Microsoft, the company concludes. That amounted to 30 million emails per month. Worldwide, the service has an estimated 96,000 victims since 2023, including more than 55,000 Microsoft customers. Healthcare and educational institutions were the hardest hit: more than 100 members of Health-ISAC in the US state of Florida were successfully phished. In New York alone, at least two hospitals, six municipal schools, and three universities were victims of an attempted or successful attack.
Tycoon 2FA combined convincing phishing templates, realistic login pages, and real-time interception of login details and authentication codes. According to Microsoft, the technical barrier to entry was low. Criminals with limited expertise were thus able to carry out advanced phishing campaigns, according to Europol. The service was offered for approximately $120 to $350 per month.
Bypassing MFA
Tycoon 2FA’s most notable feature is its ability to bypass MFA. The lures shared by the attackers ranged from PDF documents and SVG files to malicious websites, PowerPoint presentations, emails, S3 buckets, and Canva or Dropbox links. Before the victim was redirected to the phishing page, the domain name was checked, a CAPTCHA was presented, and the visitor was screened for scanners and debuggers. These measures kept security tools from easily detecting the campaign and filtered out bot traffic.
A fake login page relayed the victim’s input to the legitimate Microsoft servers and intercepted the responses, capturing the MFA code along the way. Credentials entered on the fake page were thus stolen while still being passed on to Microsoft itself. Because the page looks legitimate, victims do not realize that they are handing over everything from email data to MFA codes and IP addresses to the criminal group.
Part of a larger ecosystem
Tycoon 2FA was a joint initiative. The primary developer, Saad Fridi, presumably working from Pakistan, collaborated with partners for marketing, payments, and technical support. Cybercriminals regularly combined the service with other illegal services. For example, RedVDS, which had already been disrupted by Microsoft in January 2026, provided cheap virtual desktops that were used to set up and distribute phishing campaigns.
Proofpoint, Intel 471, eSentire, and Cloudflare supported the operation. Trend Micro provided threat intelligence. SpyCloud helped collect victim data, and Coinbase tracked stolen funds. The Shadowserver Foundation also informed more than 200 CERT teams worldwide.
Previous operations by Microsoft and its partners took down Lumma Stealer and RaccoonO365. According to the company, more will follow, as the campaign to dismantle such attackers continues.