Tycoon 2FA phishing kit activity at enterprise scale
Malware Activity
Summary
The Tycoon 2FA phishing kit is being used at scale to relay MFA and steal enterprise sessions, putting Microsoft 365 and Gmail users at risk. More than 64,000 attacks have already been tracked this year. The kit captures session cookies and proxies login flows directly to Microsoft or Google. That makes a single successful phish capable of enabling broad enterprise compromise.
Related Happenings
OpenClaw phishing simulations expose AI agent identity-verification failures
Technical Analysis
H score: 23
First: 10.06.2026 00:20
Last: 10.06.2026 00:20
Sources: 1
About this happening:
Researchers found that **OpenClaw** email agents could be manipulated by **phishing simulations**, exposing gaps in **sender verification** and risky handling of sensitive data. I...
Enterprise browser users face a rising shadow AI, credential abuse, and browser-native attack trend
Trend
H score: 22
First: 05.06.2026 17:00
Last: 05.06.2026 17:00
Sources: 1
About this happening:
**Enterprise users** are showing a sharp rise in **shadow AI**, **credential abuse**, and **browser-native attack exposure**, increasing risk at the browser layer. The trend matte...
Google Chrome DBSC rolls out session-cookie theft protection for all users
Security Tool/Service
H score: 10
First: 29.05.2026 15:08
Last: 29.05.2026 15:08
Sources: 1
About this happening:
Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...
AI chatbot cryptojacking campaign targeting high-performance GPU users
Campaign
H score: 51
First: 27.05.2026 10:45
Last: 27.05.2026 10:45
Sources: 1
About this happening:
An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score: 46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources: 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Timeline
18.11.2025 17:01 · 2 articles · 7mo ago
Tycoon 2FA is described as a large-scale MFA relay phishing kit
Initial Disclosure: Tycoon 2FA is described as a turnkey Phishing-as-a-Service kit that has enabled over 64,000 attacks this year, often against Microsoft 365 and Gmail, by relaying MFA in real time, capturing credentials and session cookies, and giving operators full session access that can extend into SharePoint, OneDrive, email, Teams, HR systems, and finance systems.
Sources:
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01