Tycoon 2FA phishing kit activity at enterprise scale
Malware Activity
Summary
Hide ▲
Show ▼
The Tycoon 2FA phishing kit is being used at scale to relay MFA and steal enterprise sessions, putting Microsoft 365 and Gmail users at risk. More than 64,000 attacks have already been tracked this year. The kit captures session cookies and proxies login flows directly to Microsoft or Google. That makes a single successful phish capable of enabling broad enterprise compromise.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
Microsoft Azure CLI password-spray campaign using ROPC
Campaign
H score24
First: 01.07.2026 08:46
Last: 01.07.2026 08:46
Sources 1
About this happening:
A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Microsoft Azure CLI password-spray campaign using ROPC
CampaignAbout this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical Analysis
H score34
First: 25.06.2026 18:00
Last: 25.06.2026 18:00
Sources 1
About this happening:
**Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical AnalysisAbout this happening: **Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
OpenClaw phishing simulations expose AI agent identity-verification failures
Technical Analysis
H score23
First: 10.06.2026 00:20
Last: 10.06.2026 00:20
Sources 1
About this happening:
Researchers found that **OpenClaw** email agents could be manipulated by **phishing simulations**, exposing gaps in **sender verification** and risky handling of sensitive data. I...
OpenClaw phishing simulations expose AI agent identity-verification failures
Technical AnalysisAbout this happening: Researchers found that **OpenClaw** email agents could be manipulated by **phishing simulations**, exposing gaps in **sender verification** and risky handling of sensitive data. I...
Enterprise browser users face a rising shadow AI, credential abuse, and browser-native attack trend
Trend
H score22
First: 05.06.2026 17:00
Last: 05.06.2026 17:00
Sources 1
About this happening:
**Enterprise users** are showing a sharp rise in **shadow AI**, **credential abuse**, and **browser-native attack exposure**, increasing risk at the browser layer. The trend matte...
Enterprise browser users face a rising shadow AI, credential abuse, and browser-native attack trend
TrendAbout this happening: **Enterprise users** are showing a sharp rise in **shadow AI**, **credential abuse**, and **browser-native attack exposure**, increasing risk at the browser layer. The trend matte...
Timeline
-
18.11.2025 17:01 2 articles · 7mo ago
Tycoon 2FA is described as a large-scale MFA relay phishing kit
Initial DisclosureTycoon 2FA is described as a turnkey Phishing as a Service kit that has enabled over 64,000 attacks this year, often against Microsoft 365 and Gmail, by relaying MFA in real time, capturing credentials and session cookies, and giving operators full session access that can extend into SharePoint, OneDrive, email, Teams, HR systems, and finance systems.
Show sources
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01
- Tycoon 2FA and the Collapse of Legacy MFA — www.bleepingcomputer.com — 18.11.2025 17:01