FIDO2 hardware-based biometric identity guidance to resist Tycoon 2FA relay phishing
Defensive Guidance
Summary
A new defensive posture centers on FIDO2 hardware-based biometric identity to blunt Tycoon 2FA-style phishing that relays MFA and steals session cookies. The control matters because it is proximity based and domain bound, reducing exposure to fake-login relays that defeat codes and push prompts. By binding authentication to a physical device and live biometric match, it blocks the user-driven decision points attackers exploit. That makes it a practical replacement for legacy MFA in relay-heavy phishing scenarios.
Related Happenings
AI agent phishing controls for sender verification, external-recipient approval, and internal data restriction
Defensive Guidance
H score 28
First: 10.06.2026 00:20
Last: 10.06.2026 00:20
Sources 1
About this happening:
A simulated phishing test showed that an **OpenClaw** AI email agent could be induced to expose **credentials** and **customer data**, increasing the risk of **phishing-driven dat...
ChatGPT widens Lockdown Mode and Active Sessions to reduce prompt-injection exfiltration and session compromise
Security Tool/Service
H score 10
First: 08.06.2026 11:32
Last: 08.06.2026 11:32
Sources 1
About this happening:
**ChatGPT** is expanding access to **Lockdown Mode** and **Active Sessions**, tightening protection against **prompt-injection data exfiltration** and **account/session compromise...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
H score 41
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
H score 42
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Phishing-resistant authentication to block post-breach credential abuse and relay attacks
Defensive Guidance
H score 30
First: 09.04.2026 17:02
Last: 09.04.2026 17:02
Sources 1
About this happening:
**Phishing-resistant authentication** is being emphasized as the control that can stop post-breach account takeover when exposed email records fuel **credential stuffing**, **AiTM...
Timeline
18.11.2025 17:01 2 articles · 6mo ago
FIDO2 hardware identity recommended against Tycoon 2FA relay phishing
Mitigation Patch Update
Enterprises using Microsoft 365 or Gmail are urged to replace relayable MFA and authenticator-app workflows with FIDO2 hardware-based biometric identity that is proximity based and domain bound, because Tycoon 2FA can proxy MFA flows, capture session cookies, and enable full session takeover followed by lateral movement into SharePoint, OneDrive, email, Teams, HR systems, and finance systems.
Sources:
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01