AUTHORITIES disrupted the Tycoon 2FA phishing-as-a-service platform, an operation used to send millions of phishing emails to more than 500,000 organisations worldwide. The joint effort, led by Microsoft, Europol, and industry partners, targeted the platform’s infrastructure, which was responsible for tens of millions of fraudulent emails each month.
By mid-2025 the service accounted for about 62 percent of all phishing attempts Microsoft blocked, with more than 30 million emails in a single month, and it has been linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers.
The operation exposed Tycoon 2FA’s use by thousands of cybercriminals to impersonate real users and access email and online service accounts such as Microsoft 365, Outlook and Gmail. Evasion was achieved through URL rotation via third‑party open redirect vulnerabilities and the misuse of Cloudflare Workers to protect malicious instances. Resecurity reportedly acquired access to Tycoon 2FA, and the article notes that the author of Tycoon 2FA regularly updates its kit to deliver phishing at scale.