Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
Tycoon2FA has evolved from a subscription-based PhaaS into a more resilient phishing service that now supports device-code phishing against Microsoft 365 accounts. After an international law enforcement operation in March, the kit was rebuilt on new infrastructure and returned to regular activity, then added new obfuscation and anti-analysis layers. By late April and again in the latest reporting, it was observed abusing the OAuth 2.0 device authorization grant and Trustifi click-tracking URLs to steer victims through a fake Microsoft login flow and steal OAuth tokens.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
UNK_MassTraction Roundcube university exploitation campaign
Campaign
H score41
First: 07.07.2026 12:10
Last: 07.07.2026 12:10
Sources 1
About this happening:
The **UNK_MassTraction** campaign is a **China-linked** activity targeting **Roundcube** webmail at **U.S. and Canadian universities** and related research organizations to steal...
UNK_MassTraction Roundcube university exploitation campaign
CampaignAbout this happening: The **UNK_MassTraction** campaign is a **China-linked** activity targeting **Roundcube** webmail at **U.S. and Canadian universities** and related research organizations to steal...
Meta For Business Facebook Messenger fake-verification phishing campaign
Campaign
H score29
First: 07.07.2026 10:00
Last: 07.07.2026 10:00
Sources 1
About this happening:
A **phishing campaign** abused **Facebook Messenger chatbots** and fake verification lures to steal **Meta For Business** credentials and sensitive identity data, creating account...
Meta For Business Facebook Messenger fake-verification phishing campaign
CampaignAbout this happening: A **phishing campaign** abused **Facebook Messenger chatbots** and fake verification lures to steal **Meta For Business** credentials and sensitive identity data, creating account...
Microsoft Azure CLI password-spray campaign using ROPC
Campaign
H score24
First: 01.07.2026 08:46
Last: 01.07.2026 08:46
Sources 1
About this happening:
A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Microsoft Azure CLI password-spray campaign using ROPC
CampaignAbout this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Booking.com partner accommodation phishing campaign targeting Japan
Campaign
H score32
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
A **phishing campaign** is targeting **Booking.com partner accommodations in Japan** with guest-complaint and review-request lures that deliver **malicious files** for **TONResolv...
Booking.com partner accommodation phishing campaign targeting Japan
CampaignAbout this happening: A **phishing campaign** is targeting **Booking.com partner accommodations in Japan** with guest-complaint and review-request lures that deliver **malicious files** for **TONResolv...
Timeline
-
17.05.2026 17:43 1 articles · 1mo ago
Tycoon2FA adds device-code phishing against Microsoft 365
Technical Analysis UpdateeSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Show sources
- Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing — www.bleepingcomputer.com — 17.05.2026 17:43
-
05.03.2026 08:51 2 articles · 4mo ago
Europol-led takedown dismantles Tycoon 2FA
Legal Policy Action UpdateEuropol and private-sector partners dismantled Tycoon 2FA, a subscription-based phishing-as-a-service toolkit used for adversary-in-the-middle credential harvesting and account takeover. The service first emerged in August 2023, was later tracked by Microsoft under the name Storm-1747, became the most prolific platform Microsoft observed in 2025, and was tied to over 64,000 phishing incidents, tens of millions of phishing emails each month, and unauthorized access to nearly 100,000 organizations globally. The platform captured credentials, MFA codes, and session cookies, forwarded stolen data to Telegram for near-real-time monitoring, used short-lived FQDNs on Cloudflare, and targeted sectors including education, healthcare, finance, non-profit, and government; the operation also took down 330 domains used by the service.
Show sources
- Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks — thehackernews.com — 05.03.2026 08:51
- Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks — thehackernews.com — 05.03.2026 08:51