FIDO2 hardware-based biometric identity guidance to resist Tycoon 2FA relay phishing
Defensive Guidance
Summary
Hide ▲
Show ▼
A new defensive posture centers on FIDO2 hardware-based biometric identity to blunt Tycoon 2FA-style phishing that relays MFA and steals session cookies. The control matters because it is proximity based and domain bound, reducing exposure to fake-login relays that defeat codes and push prompts. By binding authentication to a physical device and live biometric match, it blocks the user-driven decision points attackers exploit. That makes it a practical replacement for legacy MFA in relay-heavy phishing scenarios.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
BEC defensive guidance for exposed-credential and account-misuse risk
Defensive Guidance
H score14
First: 30.06.2026 17:00
Last: 30.06.2026 17:00
Sources 1
About this happening:
**BEC defenders** are being pushed toward tighter **training** and **account-response controls** as operators combine **AI-generated business correspondence**, **call-center press...
BEC defensive guidance for exposed-credential and account-misuse risk
Defensive GuidanceAbout this happening: **BEC defenders** are being pushed toward tighter **training** and **account-response controls** as operators combine **AI-generated business correspondence**, **call-center press...
Service desk social engineering defenses tighten identity verification for password resets and MFA changes
Defensive Guidance
H score17
First: 24.06.2026 17:02
Last: 24.06.2026 17:02
Sources 1
About this happening:
**Service desk identity verification** is being tightened against **social engineering attacks**, reducing impersonation-driven account takeover and unauthorized access across cor...
Service desk social engineering defenses tighten identity verification for password resets and MFA changes
Defensive GuidanceAbout this happening: **Service desk identity verification** is being tightened against **social engineering attacks**, reducing impersonation-driven account takeover and unauthorized access across cor...
AI agent phishing controls for sender verification, external-recipient approval, and internal data restriction
Defensive Guidance
H score28
First: 10.06.2026 00:20
Last: 10.06.2026 00:20
Sources 1
About this happening:
A simulated phishing test showed that an **OpenClaw** AI email agent could be induced to expose **credentials** and **customer data**, increasing the risk of **phishing-driven dat...
AI agent phishing controls for sender verification, external-recipient approval, and internal data restriction
Defensive GuidanceAbout this happening: A simulated phishing test showed that an **OpenClaw** AI email agent could be induced to expose **credentials** and **customer data**, increasing the risk of **phishing-driven dat...
ChatGPT widens Lockdown Mode and Active Sessions to reduce prompt-injection exfiltration and session compromise
Security Tool/Service
H score10
First: 08.06.2026 11:32
Last: 08.06.2026 11:32
Sources 1
About this happening:
**ChatGPT** is expanding access to **Lockdown Mode** and **Active Sessions**, tightening protection against **prompt-injection data exfiltration** and **account/session compromise...
ChatGPT widens Lockdown Mode and Active Sessions to reduce prompt-injection exfiltration and session compromise
Security Tool/ServiceAbout this happening: **ChatGPT** is expanding access to **Lockdown Mode** and **Active Sessions**, tightening protection against **prompt-injection data exfiltration** and **account/session compromise...
Timeline
-
18.11.2025 17:01 2 articles · 7mo ago
FIDO2 hardware identity recommended against Tycoon 2FA relay phishing
Mitigation Patch UpdateEnterprises using Microsoft 365 or Gmail are urged to replace relayable MFA and authenticator-app workflows with FIDO2 hardware-based biometric identity that is proximity based and domain bound, because Tycoon 2FA can proxy MFA flows, capture session cookies, and enable full session takeover followed by lateral movement into SharePoint, OneDrive, email, Teams, HR systems, and finance systems.
Show sources
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01