Multi-year cloud-hosted phishing and brand impersonation campaign
Campaign
Summary
A multi-year cloud-hosted phishing and brand impersonation campaign was exposed after operating for more than three years. The operation abused expired domains and cloned websites to impersonate major brands and drive credential theft and malicious redirects. Its reach spanned 48,000 hosts, more than 80 clusters, and 200 known organizations.
Related Happenings
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Europol-led takedown of Tycoon 2FA
Law Enforcement
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Europol** and partner agencies **dismantled Tycoon 2FA**, a **phishing-as-a-service** toolkit used for **AitM credential harvesting**, removing a major cybercrime platform and d...
Latest development: 17.04.2026 22:05
Following the Europol-led Tycoon 2FA takedown, phishers worldwide moved to rival PhaaS providers such as Mamba 2FA, EvilProxy, and Sneaky 2FA, while device code phishing accelerated and some actors reused Tycoon-era PDFs, source-code quirks, and techniques in EvilTokens-style account takeover campaigns.
Europol-coordinated Tycoon2FA takedown
Law Enforcement
First: 04.03.2026 19:01
Last: 04.03.2026 19:01
Sources 1
About this happening:
**Europol** coordinated a law-enforcement operation that **seized 330 domains** tied to **Tycoon2FA**, disrupting a **phishing-as-a-service** platform used for **credential theft*...
Latest development: 23.03.2026 23:52
CrowdStrike observed Tycoon2FA return to pre-disruption activity levels within days after the March 4, 2026 Europol-led takedown, with daily campaign volumes on March 4 and March 5, 2026 falling to 25% of pre-disruption levels before rebounding to early 2026 levels. The phishing-as-a-service platform continued using largely unchanged TTPs against Microsoft 365 and Gmail accounts and remained active in malicious email campaigns, BEC, email thread hijacking, cloud account takeovers, and malicious SharePoint links.
Timeline
- 04.09.2025 03:00 · 1 article · 8mo ago
militaryfighterjet.com DNS record expires
Untyped Phase: The Military Fighter Jets web property lost its DNS record when militaryfighterjet.com expired on September 14, 2024, creating the takeover window that later enabled brand impersonation and content replacement.
- Phishing Empire Runs Undetected on Google, Cloudflare — www.darkreading.com — 04.09.2025 23:05
- 04.09.2025 03:00 · 1 article · 8mo ago
militaryfighterjet.com is repurposed for gambling content and a cloned Lockheed Martin site
Exploitation Observed: Two days later, militaryfighterjet.com displayed a gambling page called 168 Lottery Results when opened directly in a browser, and the same domain with /index-2.html appended showed a cloned Lockheed Martin website, including login pages for employees and partners.
- Phishing Empire Runs Undetected on Google, Cloudflare — www.darkreading.com — 04.09.2025 23:05
- 04.09.2025 03:00 · 2 articles · 8mo ago
Deep Specter Research exposes a multi-year phishing operation on Google Cloud and Cloudflare
Initial Disclosure: Deep Specter Research said a multi-year phishing-as-a-service operation stayed hidden for more than three years across Google Cloud and Cloudflare, abused expired and abandoned domains to host cloned brand sites, and generated 265 public detections while impersonating companies such as Lockheed Martin.
- Phishing Empire Runs Undetected on Google, Cloudflare — www.darkreading.com — 04.09.2025 23:05