Tycoon2FA is back — MFA bypass against M365 works again
The Tycoon2FA phishing platform is back after Europol's takedown. AiTM attacks bypass standard MFA and steal M365 tokens.
Europol and partner agencies took down Tycoon2FA on March 4. Three weeks later, the platform is back at the same activity levels.
Tycoon2FA is a phishing-as-a-service platform using adversary-in-the-middle (AiTM) techniques. The victim logs into a fake M365 sign-in page that proxies traffic to Microsoft in real time. The MFA code is intercepted and the attacker gets a valid session token.
Why standard MFA is not enough
SMS codes, push notifications, and TOTP apps — all of them can be captured by an AiTM proxy, because the user completes the challenge against the real Microsoft endpoint while the proxy keeps the resulting session token. The only thing that actually stops this type of attack is phishing-resistant authentication: FIDO2 keys or passkeys, whose credentials are bound to the legitimate origin and cannot be replayed through a proxy.
For SMB organizations on M365 Business Premium, this is directly relevant. Most have MFA enabled but still use push notifications via Microsoft Authenticator — which Tycoon2FA bypasses without issue.
What you should do now
- Enable phishing-resistant MFA with FIDO2 security keys or passkeys in Entra ID.
- Configure token binding (Entra ID calls it token protection) in Conditional Access; it binds session tokens to the device so stolen tokens become useless.
- Implement Continuous Access Evaluation (CAE) so sessions can be revoked in near real time rather than living out their token lifetime.
- Train users that AiTM attacks look exactly like real sign-in pages.
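The first three steps above can be scripted against Microsoft Graph. The following PowerShell is an added example, not code from the article or from HaggeBurger; it creates two Conditional Access policies in report-only mode, one requiring the built-in "Phishing-resistant MFA" authentication strength, the other enabling token protection and strict CAE. It assumes the Microsoft.Graph PowerShell SDK, an admin with Policy.ReadWrite.ConditionalAccess, and a break-glass group whose object ID replaces the placeholder; the session-control property names for token protection and CAE are assumed to be those of the Graph beta endpoint.

```powershell
# Added example (not from the original article): creates two Conditional Access
# policies in report-only mode via Microsoft Graph. Requires the Microsoft.Graph
# PowerShell SDK and an admin with Policy.ReadWrite.ConditionalAccess.
# ASSUMPTION: replace the break-glass group ID placeholder before running.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<break-glass-group-object-id>"   # placeholder, not a real ID

# Policy 1: require phishing-resistant MFA (FIDO2 / passkeys) for all users.
# 00000000-0000-0000-0000-000000000004 is the built-in
# "Phishing-resistant MFA" authentication strength in Entra ID.
$phishingResistant = @{
    displayName = "CA - Require phishing-resistant MFA (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out break-glass accounts
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($phishingResistant | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

# Policy 2: token protection (device-bound session tokens) plus strict CAE.
# Token protection currently applies to Windows desktop clients of Exchange
# Online and SharePoint Online, so the policy is scoped to exactly that.
# ASSUMPTION: the session-control property names below (secureSignInSession,
# continuousAccessEvaluation) are those exposed by the Graph beta endpoint.
$tokenProtection = @{
    displayName = "CA - Token protection + CAE (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{
            includeApplications = @(
                "00000002-0000-0ff1-ce00-000000000000",  # Office 365 Exchange Online
                "00000003-0000-0ff1-ce00-000000000000"   # Office 365 SharePoint Online
            )
        }
        clientAppTypes = @("mobileAppsAndDesktopClients")
        platforms      = @{ includePlatforms = @("windows") }
    }
    sessionControls = @{
        secureSignInSession        = @{ isEnabled = $true }          # token protection
        continuousAccessEvaluation = @{ mode = "strictEnforcement" } # CAE strict mode
    }
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies" `
    -Body ($tokenProtection | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"
```

Both policies are created as report-only so that sign-in logs show who would have been blocked (users without a registered FIDO2 key or passkey, clients that do not support token protection) before you change `state` to `enabled`. Keep the break-glass exclusion in place for every policy that restricts authentication.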
How HaggeBurger can help
We offer an MFA hardening service that includes FIDO2 deployment, Conditional Access policy review, and CAE configuration. A half-day engagement that concretely stops this type of attack.
Want us to check your environment? Get in touch.