FIDO2 hardware-based biometric identity guidance to resist Tycoon 2FA relay phishing
Defensive Guidance
Summary
A new defensive posture centers on FIDO2 hardware-based biometric identity to blunt Tycoon 2FA-style phishing, in which an adversary-in-the-middle proxy relays the victim's password and MFA response to the real login page and then captures the resulting session cookie. The control matters because it is proximity based (a roaming key must be physically present at the machine that signs in) and domain bound (the browser ties every assertion to the page origin and the relying party's RP ID, so a credential registered for the real domain cannot be exercised from a look-alike relay domain). Because the relay never obtains a valid assertion, the identity provider never issues it a session, which is what defeats the fake-login relays that codes and push prompts cannot survive. The phishing resistance comes from that origin binding; the live biometric or PIN match on the key adds user verification on top of it. By binding authentication to a physical device and a local user check, it removes the user-driven decision points (typing a code, approving a push) that attackers exploit. That makes it a practical replacement for legacy MFA in relay-heavy phishing scenarios, with two caveats a practitioner should keep in mind: the relayable methods have to be disabled rather than left as a fallback, or the attacker simply steers the victim to the weaker path, and a session cookie stolen after a legitimate sign-in (for example by an infostealer) is outside what the authenticator can prevent, so cookie binding and session monitoring still matter.
Related Happenings
EvilTokens Microsoft 365 consent phishing campaign
Campaign
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Phishing-resistant authentication to block post-breach credential abuse and relay attacks
Defensive Guidance
First: 09.04.2026 17:02
Last: 09.04.2026 17:02
Sources 1
About this happening:
**Phishing-resistant authentication** is being emphasized as the control that can stop post-breach account takeover when exposed email records fuel **credential stuffing**, **AiTM...
Venom PhaaS SharePoint QR-code campaign targeting C-suite executives
Campaign
First: 03.04.2026 11:00
Last: 03.04.2026 11:00
Sources 1
About this happening:
The **Venom PhaaS** operation ran a **credential theft campaign** against **C-suite executives and senior personnel** at major global organizations, creating a broad risk of accou...
Preemptive security guidance for machine-speed vulnerability exploitation
Defensive Guidance
First: 18.03.2026 21:37
Last: 18.03.2026 21:37
Sources 1
About this happening:
**Preemptive security** is being pushed as the operating model for **machine-speed vulnerability exploitation**, because defenders can no longer rely on patch windows that now shr...
Timeline
18.11.2025 17:01 2 articles · 6mo ago
FIDO2 hardware identity recommended against Tycoon 2FA relay phishing
Mitigation Patch Update
Enterprises using Microsoft 365 or Gmail are urged to replace relayable MFA and authenticator-app workflows with FIDO2 hardware-based biometric identity that is proximity based and domain bound. The reason is that Tycoon 2FA can proxy the MFA flow, capture the session cookie issued at the end of it, and use that cookie for full session takeover, followed by lateral movement into SharePoint, OneDrive, email, Teams, HR systems, and finance systems.
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
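The summary above and the timeline entry both rest on one mechanism, the domain binding that stops a relay. The following is an added example, not code from the BleepingComputer article or from any identity vendor, showing the relying-party side of a WebAuthn (FIDO2) assertion check and why an AiTM proxy cannot complete it. It models what the browser does on `navigator.credentials.get()` (writing the page's real origin into `clientDataJSON`, hashing the RP ID into `authenticatorData`, and refusing to sign for an RP ID that is not a suffix of the page's host) and then runs the server-side checks. The RP ID `example.com`, the origin `https://login.example.com`, and the phishing host `login.example.com.phish-relay.test` are constructed for illustration; signature verification, which follows these checks in a real deployment, is left out because it needs an ECDSA library and is not where relay resistance comes from.

```python
"""Relying-party checks that make a FIDO2 key resist an AiTM relay.

Added example; not the article's or any vendor's code.  Signature verification
is omitted on purpose: the binding checks below are what defeat a relay.
"""
from __future__ import annotations

import base64
import hashlib
import json
import secrets

RP_ID = "example.com"                              # assumption: the RP's registrable domain
ALLOWED_ORIGINS = {"https://login.example.com"}    # assumption: exact origins the RP serves


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_sign(challenge: bytes, page_origin: str, rp_id: str) -> dict:
    """Simulates the browser + authenticator during an assertion.

    The browser, not the page, fills in the origin and the rpIdHash, and it
    refuses to proceed when the requested RP ID is not a registrable suffix
    of the page's host.  A phishing page cannot alter either field.
    """
    host = page_origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: RP ID is not a suffix of the page origin")
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
    }).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0b0000_0101])          # UP (bit 0) and UV (bit 2): touch plus biometric/PIN
    counter = (1).to_bytes(4, "big")
    return {
        "clientDataJSON": b64url_encode(client_data),
        "authenticatorData": b64url_encode(rp_id_hash + flags + counter),
    }


def verify_assertion(response: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Server-side binding checks, in the order the WebAuthn spec lists them."""
    client_data = json.loads(b64url_decode(response["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    got_challenge = b64url_decode(client_data.get("challenge", ""))
    if not secrets.compare_digest(got_challenge, expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {client_data.get('origin')}"
    auth_data = b64url_decode(response["authenticatorData"])
    if len(auth_data) < 37:                          # 32-byte rpIdHash + flags + 4-byte counter
        return False, "authenticatorData too short"
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match RP ID"
    flags = auth_data[32]
    if not flags & 0x01:
        return False, "user presence not asserted"
    if not flags & 0x04:
        return False, "user verification (biometric/PIN) not asserted"
    return True, "ok (signature verification would follow)"


def demo() -> dict:
    """Legitimate sign-in versus two relay attempts from a constructed phishing host."""
    challenge = secrets.token_bytes(32)              # RP stores this per sign-in attempt
    phish_origin = "https://login.example.com.phish-relay.test"   # constructed relay host
    results = {}
    results["legit"] = verify_assertion(
        browser_sign(challenge, "https://login.example.com", RP_ID), challenge)
    # Relay 1: proxy forwards the real challenge and asks for the real RP ID.
    try:
        browser_sign(challenge, phish_origin, RP_ID)
        results["relay_real_rpid"] = (True, "unreachable")
    except PermissionError as exc:
        results["relay_real_rpid"] = (False, str(exc))
    # Relay 2: proxy asks for its own RP ID so the browser signs; the RP rejects it.
    results["relay_own_rpid"] = verify_assertion(
        browser_sign(challenge, phish_origin, "phish-relay.test"), challenge)
    # Replay: a captured assertion for an old challenge is rejected too.
    results["replay"] = verify_assertion(
        browser_sign(secrets.token_bytes(32), "https://login.example.com", RP_ID), challenge)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The point to take from the two relay cases: a Tycoon-style proxy sits on its own domain, so the victim's browser either refuses to sign for the real RP ID at all, or signs something whose origin and rpIdHash name the proxy's domain and are rejected by the real identity provider. No code for the user to type or prompt to approve exists in the flow, so there is nothing for the relay to forward.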