VYPR
Research · Published May 27, 2026 · 1 source

Tycoon 2FA AiTM Kit Bypasses MFA on Entra ID and Google Workspace Accounts

Elastic Security Labs reveals how the Tycoon 2FA Phishing-as-a-Service kit defeats multi-factor authentication on Microsoft Entra ID and Google Workspace by stealing session tokens via reverse proxy.

Tycoon 2FA is a phishing kit that first appeared in August 2023 and is sold as Phishing-as-a-Service (PhaaS): criminals rent it and deploy it without building anything themselves. Its purpose is to steal authenticated session tokens from Microsoft 365 and Google Workspace accounts by sitting between the victim and the real login page. The kit does not break MFA as such; it lets the victim complete the MFA prompt and then takes the session the identity provider issues afterwards, which is why OTP, push and SMS factors offer no protection against it.

At its peak, the kit accounted for roughly 62% of the phishing attempts Microsoft blocked and reached more than 500,000 organizations per month. Microsoft's threat intelligence team attributes the campaign to the actor it tracks as Storm-1747, and the kit currently tops ANY.RUN's malware trends tracker. Elastic Security Labs analysed the kit's mechanics and documented how it operates against both Microsoft Entra ID and Google Workspace.

Elastic said in a report shared with Cyber Security News that the kit uses two structural variants: WebSocket-based session relay and device-code-grant abuse. In the WebSocket variant, the phishing page holds a persistent channel to the attacker's server, which relays the victim's authentication traffic to the real identity provider and captures the session cookies as they are issued. The device-code variant abuses the OAuth 2.0 device authorization grant (RFC 8628): the attacker starts the flow, receives a device_code and a user_code, and sends the victim only the user_code with instructions to enter it on the provider's genuine device-login page. Once the victim signs in and completes MFA there, the attacker, who still holds the device_code, polls the token endpoint and is issued the access and refresh tokens. No fake login page is involved in that variant, which is what makes it hard for users to spot.
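The device-code exchange described above, as an added example that is not part of Elastic's report or of the Tycoon 2FA kit: a self-contained PowerShell mock of the RFC 8628 device authorization grant with both sides' messages (the attacker's request and token poll, the victim's step on the genuine verification page). The authorization server, client ID, codes, verification URI and victim account are all simulated in-process; nothing contacts Microsoft or Google. The point it shows is that the tokens are issued to whoever holds the device_code, and the victim never sees that value.

```powershell
# Added example (not from the Elastic report): in-process mock of the OAuth 2.0
# device authorization grant, RFC 8628. Everything below is simulated.

$script:AuthServer = @{
    Pending = @{}   # device_code -> request state
    ByUser  = @{}   # user_code   -> device_code
}

function New-RandomCode {
    param([int]$Length = 8)
    $alphabet = 'BCDFGHJKLMNPQRSTVWXZ0123456789'
    -join (1..$Length | ForEach-Object { $alphabet[(Get-Random -Maximum $alphabet.Length)] })
}

# Step 1: the party starting the flow (here, the attacker) -> authorization server.
# Only user_code and verification_uri are meant for a human; device_code stays with the caller.
function Invoke-DeviceAuthorizationRequest {
    param([string]$ClientId, [string]$Scope)
    $deviceCode = [guid]::NewGuid().ToString('N')
    $userCode   = New-RandomCode
    $script:AuthServer.Pending[$deviceCode] = @{
        client_id = $ClientId; scope = $Scope; approved = $false; subject = $null
        expires   = (Get-Date).AddMinutes(15)
    }
    $script:AuthServer.ByUser[$userCode] = $deviceCode
    [pscustomobject]@{
        device_code      = $deviceCode
        user_code        = $userCode
        verification_uri = 'https://login.example.test/device'   # stand-in for the real device-login page
        expires_in       = 900
        interval         = 5
    }
}

# Step 2: the victim, on the GENUINE verification page, types the user_code from the lure
# and completes MFA. The server only learns "who approved this user_code"; it cannot tell
# that the device_code is held by someone else.
function Complete-UserVerification {
    param([string]$UserCode, [string]$AuthenticatedUser)
    $deviceCode = $script:AuthServer.ByUser[$UserCode]
    if (-not $deviceCode) { throw 'invalid user_code' }
    $req = $script:AuthServer.Pending[$deviceCode]   # hashtable reference, mutated in place
    $req.approved = $true
    $req.subject  = $AuthenticatedUser
}

# Step 3: the device_code holder polls the token endpoint (grant_type=device_code).
function Invoke-DeviceTokenPoll {
    param([string]$ClientId, [string]$DeviceCode)
    $req = $script:AuthServer.Pending[$DeviceCode]
    if (-not $req -or $req.client_id -ne $ClientId) { return @{ error = 'invalid_grant' } }
    if ((Get-Date) -gt $req.expires)                 { return @{ error = 'expired_token' } }
    if (-not $req.approved)                          { return @{ error = 'authorization_pending' } }
    $script:AuthServer.Pending.Remove($DeviceCode)   # single use
    @{
        token_type    = 'Bearer'
        scope         = $req.scope
        subject       = $req.subject
        access_token  = 'simulated.access.token'    # placeholder, not a real JWT
        refresh_token = 'simulated-refresh-token'   # long-lived until revoked
    }
}

# --- Walkthrough ---
$clientId = 'simulated-public-client'
$grant = Invoke-DeviceAuthorizationRequest -ClientId $clientId -Scope 'openid offline_access Mail.Read'
"Lure text: visit $($grant.verification_uri) and enter code $($grant.user_code)"

$first = Invoke-DeviceTokenPoll -ClientId $clientId -DeviceCode $grant.device_code
"Poll before the victim acts: $($first.error)"

Complete-UserVerification -UserCode $grant.user_code -AuthenticatedUser 'victim@example.test'

$tokens = Invoke-DeviceTokenPoll -ClientId $clientId -DeviceCode $grant.device_code
"Poll after: tokens for $($tokens.subject) issued to the device_code holder, not to the victim's browser"
```

Because the victim authenticates on the real page, the strength of their MFA method makes no difference to this flow; the mitigation is to stop the device code grant from being available to ordinary users, which is what the Conditional Access recommendation later on the page targets.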

In the reverse-proxy variant, Tycoon 2FA does not simply collect a password from a static fake form. It relays every request between the victim and the real Microsoft or Google login page in real time, so the victim completes the MFA challenge normally and the kit captures the session cookie the moment the provider sets it. The attack begins with a phishing email carrying a link or QR code embedded in a PDF, SVG, HTML, or PowerPoint file. The link routes through a multi-layer redirect chain before landing on a pixel-perfect replica of the target login page, often showing the victim's organization branding, which the proxy pulls from the real service.

Tycoon 2FA is built to survive incident response. With a stolen session the kit can register a rogue device in Entra ID and obtain a primary refresh token (PRT) for it. Because the PRT is issued to that registered device rather than to the browser session, Elastic reports it stays valid after a defender revokes the compromised user's sessions, so the standard "revoke sessions and reset password" playbook no longer fully contains a Tycoon 2FA compromise. The kit also goes to considerable lengths to avoid analysis: it filters visitors from cloud and hosting IP ranges, blocks developer tools, detects automation frameworks, and removes its own malicious code from the page after execution. Each victim receives a uniquely encrypted payload seeded with per-session values, so static signatures on the page content do not hold up.

Even a coordinated takedown in March 2026, led by Microsoft and Europol and seizing more than 300 domains, stopped the campaign only briefly. The operators rebuilt within weeks, moving infrastructure and mixing OAuth device code phishing into their existing flows, as eSentire documented in late April 2026. That resilience, together with the scale above, makes Tycoon 2FA one of the most consequential phishing threats active today.

Elastic's recommendations follow from the two variants. Phishing-resistant MFA (FIDO2 security keys or passkeys) stops the reverse-proxy variant: the authenticator signs a challenge bound to the origin it actually sees, so an assertion produced on the attacker's domain is useless to the real identity provider and the proxied login never completes. It does not stop the device-code variant, because there the victim authenticates on the provider's genuine page; the control for that is Conditional Access blocking the device code flow for everyone except approved scenarios (such as input-constrained devices), ideally rolled out in report-only mode first. Organizations should also require compliant devices through Conditional Access and enable token protection, which binds sign-in tokens to the device; token protection currently covers only specific platforms and clients, so check the supported-scenarios list before relying on it. For response, enumerate and delete the user's registered devices first and revoke sessions afterwards: revoking first leaves the rogue device, and the PRT issued to it, in place.
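The containment order from the two paragraphs above (delete registered devices, then revoke sessions, then reset the password) and the device code block, as an added example written with the Microsoft.Graph PowerShell SDK; this is not Elastic's or Microsoft's code. Assumptions: the Microsoft.Graph module (and Microsoft.Graph.Beta for the optional policy step) is installed, the operator holds the scopes listed, `-Upn` is the compromised account, and `<break-glass-group-object-id>` is a placeholder to fill in. The `authenticationFlows` Conditional Access condition is taken from the beta Graph schema at the time of writing and should be checked against current documentation before enforcing.

```powershell
<#
Added example (not from the Elastic report): contain a Tycoon 2FA-style compromise in Entra ID.
  1. enumerate and delete devices registered to the user (removes the device the PRT was issued to),
  2. then revoke refresh tokens and browser sessions,
  3. then force a password reset,
  4. optionally create a report-only Conditional Access policy targeting the device code flow.
Assumptions: Microsoft.Graph (+ Microsoft.Graph.Beta for step 4) installed; operator holds the
scopes below; $Upn is the compromised account; the group ID in step 4 is a placeholder.
#>
param(
    [Parameter(Mandatory)] [string] $Upn,
    [datetime] $CompromiseWindowStart = (Get-Date).AddDays(-7),
    [switch] $DryRun,
    [switch] $CreateBlockPolicy
)

$scopes = @('User.ReadWrite.All', 'Directory.AccessAsUser.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess')
Connect-MgGraph -Scopes $scopes -NoWelcome

# 1. Devices registered to the user. They come back as generic directoryObjects,
#    so the device attributes live in AdditionalProperties.
$devices = Get-MgUserRegisteredDevice -UserId $Upn -All | ForEach-Object {
    $p = $_.AdditionalProperties
    $registered = $null
    if ($p['registrationDateTime']) { $registered = [datetime]$p['registrationDateTime'] }
    [pscustomobject]@{
        ObjectId    = $_.Id
        DisplayName = $p['displayName']
        DeviceId    = $p['deviceId']
        TrustType   = $p['trustType']          # Workplace = registered, AzureAd = joined
        OS          = $p['operatingSystem']
        Registered  = $registered
    }
}
$devices | Format-Table -AutoSize

# Triage: a device registered inside the compromise window is the indicator the report describes.
# A genuinely new laptop matches this filter too, so confirm with the user before deleting.
$suspect = $devices | Where-Object { $_.Registered -and $_.Registered -ge $CompromiseWindowStart }

foreach ($d in $suspect) {
    Write-Host "Deleting device '$($d.DisplayName)' deviceId=$($d.DeviceId) trust=$($d.TrustType) registered=$($d.Registered)"
    if (-not $DryRun) { Remove-MgDevice -DeviceId $d.ObjectId }
}

# 2. Only after the devices are gone: invalidate refresh tokens and browser sessions.
#    Done first, this step would leave the rogue device registered and its PRT usable.
if (-not $DryRun) { Revoke-MgUserSignInSession -UserId $Upn | Out-Null }

# 3. Force a password reset. The temporary value is handed over out-of-band, never logged.
if (-not $DryRun) {
    $temp = -join ((33..47) + (48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $temp; ForceChangePasswordNextSignIn = $true }
}

# 4. Hardening, separate from containment: Conditional Access policy that targets the device
#    code flow, created in report-only mode so sign-in logs show what it would have blocked.
#    The authenticationFlows condition is on the beta Graph endpoint at the time of writing;
#    verify the property names against current docs before switching the state to 'enabled'.
if ($CreateBlockPolicy) {
    $policy = @{
        displayName = 'Block device code flow (report-only)'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users               = @{ includeUsers = @('All'); excludeGroups = @('<break-glass-group-object-id>') }
            applications        = @{ includeApplications = @('All') }
            authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $policy
}
```

Run it first with `-DryRun` to see which devices fall inside the compromise window without deleting anything; the compromise window is a starting point for triage, not proof, so anything the user cannot account for should be treated as the attacker's device and removed before step 2 runs.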

Synthesized by Vypr AI