Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
Tycoon2FA, the phishing-as-a-service kit Microsoft tracks as Storm-1747, has grown from a subscription-based adversary-in-the-middle credential harvester into a more resilient service that now also runs device-code phishing against Microsoft 365 accounts. After the Europol-led takedown in March 2026 the kit was rebuilt on new infrastructure and returned to regular activity, then gained further obfuscation and anti-analysis layers. By late April, and again in the latest reporting, it was observed abusing the OAuth 2.0 device authorization grant together with Trustifi click-tracking URLs: victims are steered through a fake Microsoft login flow and end up approving an attacker-initiated device code on the real microsoft.com/devicelogin page, so the attacker's client receives OAuth tokens for the account without the kit ever handling the password or the MFA code itself.
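Why a phished user code is enough: in the device authorization grant the token is minted for whichever client started the flow, and the user's approval step carries no binding to that client. The following toy model of RFC 8628 is an added illustration for this page, not Tycoon2FA code or Microsoft's implementation; the server class, verification URL, code lifetime and the client and user names are assumptions.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added illustration for this page, not Tycoon2FA code or Microsoft's implementation.
The server class, endpoint URL, code lifetime and client/user names are assumptions.
"""
import secrets


class DeviceAuthServer:
    """Minimal authorization server keeping one grant record per device_code."""

    def __init__(self, verification_uri="https://idp.example/devicelogin", lifetime=900):
        self.verification_uri = verification_uri
        self.lifetime = lifetime          # seconds a code stays valid (assumed value)
        self._grants = {}                 # device_code -> grant state
        self._by_user_code = {}           # user_code -> device_code

    def device_authorization(self, client_id, scope, now):
        """RFC 8628 section 3.2: the *client* receives device_code (secret) and user_code (for a human)."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()   # short code a person can type
        self._grants[device_code] = {
            "client_id": client_id, "scope": scope,
            "expires": now + self.lifetime, "subject": None,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "expires_in": self.lifetime, "interval": 5}

    def user_approves(self, user_code, subject, now):
        """RFC 8628 section 3.3: a user who is signed in (MFA included) submits the user_code
        at verification_uri. Nothing ties that user to the client that started the flow."""
        device_code = self._by_user_code.get(user_code)
        grant = self._grants.get(device_code)
        if grant is None or now > grant["expires"]:
            return False
        grant["subject"] = subject
        return True

    def token(self, client_id, device_code, now):
        """RFC 8628 sections 3.4-3.5: the client polls; the token is minted for whoever approved."""
        grant = self._grants.get(device_code)
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > grant["expires"]:
            return {"error": "expired_token"}
        if grant["subject"] is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "scope": grant["scope"],
                "access_token": "tok." + grant["subject"]}   # token bound to the approving user


def phishing_scenario():
    """Attacker starts the flow, victim approves, attacker receives the victim's token."""
    srv, t0 = DeviceAuthServer(), 1_700_000_000
    start = srv.device_authorization("attacker-client", "Mail.Read offline_access", t0)
    # Attacker polls before the lure lands: the grant is still pending.
    pending = srv.token("attacker-client", start["device_code"], t0 + 5)
    # Victim is steered to verification_uri and types the user_code from the lure,
    # completing the legitimate login (and MFA) on the real identity provider.
    approved = srv.user_approves(start["user_code"], "victim@example.com", t0 + 60)
    # Attacker polls again; the token is issued to the attacker's client.
    issued = srv.token("attacker-client", start["device_code"], t0 + 65)
    return {"pending": pending["error"], "approved": approved, "token": issued}


def expired_scenario():
    """If the victim reacts after the code lifetime, the attacker gets nothing."""
    srv, t0 = DeviceAuthServer(lifetime=900), 1_700_000_000
    start = srv.device_authorization("attacker-client", "Mail.Read", t0)
    late = srv.user_approves(start["user_code"], "victim@example.com", t0 + 901)
    return {"approved": late, "token": srv.token("attacker-client", start["device_code"], t0 + 902)}
```

The model makes the lure's timing constraint visible as well: the attacker has to get the victim to the verification page inside the code lifetime, which is why these kits push an immediate, invoice-style call to action rather than a link the victim might open days later.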
Related Happenings
PureLogs infostealer purchase-order phishing delivery chain
Malware Activity
First: 27.05.2026 11:00
Last: 27.05.2026 11:00
Sources 1
About this happening:
The **PureLogs** infostealer is being delivered through **purchase-order-themed phishing emails**, creating a **Windows** infection chain that steals **browser credentials**, **Di...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Infostealer malware operation targeting online store users
Malware Activity
First: 21.05.2026 00:36
Last: 21.05.2026 00:36
Sources 1
About this happening:
A **malware operation** using **infostealer** tools infected users’ devices between **2024 and 2025**, stealing browser sessions and account credentials that enabled account theft...
CypherLoc phishing-led browser scareware campaign
Campaign
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
Timeline
17.05.2026 17:43 · 1 article
Tycoon2FA adds device-code phishing against Microsoft 365
Technical Analysis Update
eSentire reports that Tycoon2FA now uses device-code phishing against Microsoft 365 accounts. Invoice-themed lure emails carry Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, several obfuscated JavaScript layers and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin, where the code they are told to enter was generated by the attacker's client, so completing the legitimate Microsoft login (MFA included) issues tokens to that client rather than to the victim. The kit also adds anti-analysis defenses: it detects Selenium, Puppeteer, Playwright and Burp Suite, and blocks traffic from security vendors, VPNs, sandboxes, AI crawlers and cloud providers.
Sources:
- Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing — www.bleepingcomputer.com — 17.05.2026 17:43
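The defender's view of the flow described above is the sign-in log. Microsoft Entra records the grant type in the `authenticationProtocol` field of each sign-in (value `deviceCode` for this flow), which gives a narrow pivot for triage. The script below is an added example for this page, not a vendor or eSentire detection; field names follow the Microsoft Graph `signIn` resource, while the records, IP addresses, user names and the allowlist of approved clients are constructed.

```python
"""Triage of Microsoft Entra sign-in records for device-code logins.

Added example for this page, not a vendor detection. Field names follow the
Microsoft Graph `signIn` resource (authenticationProtocol == "deviceCode" marks
an RFC 8628 sign-in); the records, IPs and user names are constructed.
"""
import json
from collections import defaultdict

# Constructed sample: one interactive baseline sign-in per user, three device-code
# sign-ins and one failed attempt. IPs come from documentation ranges.
SAMPLE_SIGNINS = json.loads("""
[
 {"createdDateTime": "2026-05-17T08:02:11Z", "userPrincipalName": "alice@example.com",
  "ipAddress": "203.0.113.10", "appDisplayName": "OfficeHome",
  "authenticationProtocol": "oAuth2", "conditionalAccessStatus": "success",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-17T09:14:52Z", "userPrincipalName": "bob@example.com",
  "ipAddress": "203.0.113.22", "appDisplayName": "OfficeHome",
  "authenticationProtocol": "oAuth2", "conditionalAccessStatus": "success",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-17T09:40:03Z", "userPrincipalName": "bob@example.com",
  "ipAddress": "203.0.113.22", "appDisplayName": "Azure CLI",
  "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "success",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-17T10:05:47Z", "userPrincipalName": "alice@example.com",
  "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Authentication Broker",
  "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-17T10:06:30Z", "userPrincipalName": "carol@example.com",
  "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Authentication Broker",
  "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-17T10:07:12Z", "userPrincipalName": "dave@example.com",
  "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Authentication Broker",
  "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied",
  "status": {"errorCode": 50126}}
]
""")


def device_code_findings(signins, approved_apps=frozenset()):
    """Return every successful device-code sign-in with the reasons it looks suspicious.

    approved_apps: display names of clients the organisation knowingly uses with the
    device code flow (CLI tooling on headless hosts, for example); anything else is flagged.
    """
    # Baseline: IPs each user has used for successful, non-device-code sign-ins.
    baseline = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["authenticationProtocol"] != "deviceCode":
            baseline[s["userPrincipalName"]].add(s["ipAddress"])

    findings = []
    for s in signins:
        # Any nonzero errorCode is a failed sign-in; only completed grants hand out tokens.
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        reasons = []
        if s["appDisplayName"] not in approved_apps:
            reasons.append("client not on device-code allowlist")
        if s["ipAddress"] not in baseline[s["userPrincipalName"]]:
            reasons.append("ip absent from user's interactive baseline")
        if s.get("conditionalAccessStatus") == "notApplied":
            reasons.append("no conditional access policy evaluated")
        findings.append({
            "time": s["createdDateTime"],
            "userPrincipalName": s["userPrincipalName"],
            "ipAddress": s["ipAddress"],
            "app": s["appDisplayName"],
            "score": len(reasons),
            "reasons": reasons,
        })
    findings.sort(key=lambda f: (-f["score"], f["time"]))
    return findings


def shared_ip_pivot(findings, min_users=2):
    """Group flagged sign-ins by source IP: one address collecting tokens for several
    users is the polling client of a campaign, not several coincidental users."""
    by_ip = defaultdict(set)
    for f in findings:
        if f["score"]:
            by_ip[f["ipAddress"]].add(f["userPrincipalName"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    hits = device_code_findings(SAMPLE_SIGNINS, approved_apps={"Azure CLI"})
    for h in hits:
        print(h["score"], h["userPrincipalName"], h["ipAddress"], h["app"], h["reasons"])
    print(shared_ip_pivot(hits))
```

The same first filter in Microsoft Sentinel is `SigninLogs | where AuthenticationProtocol == "deviceCode"`. On the prevention side, Entra Conditional Access has an authentication flows condition that can block the device code flow outright for users and applications that have no need for it, which removes this whole lure class rather than detecting it after the token has been issued.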
05.03.2026 08:51 · 2 articles
Europol-led takedown dismantles Tycoon 2FA
Legal Policy Action Update
Europol and private-sector partners dismantled Tycoon 2FA, a subscription-based phishing-as-a-service toolkit used for adversary-in-the-middle credential harvesting and account takeover. The service first emerged in August 2023, was later tracked by Microsoft under the name Storm-1747, became the most prolific platform Microsoft observed in 2025, and was tied to over 64,000 phishing incidents, tens of millions of phishing emails each month, and unauthorized access to nearly 100,000 organizations globally. The platform captured credentials, MFA codes, and session cookies, forwarded stolen data to Telegram for near-real-time monitoring, used short-lived FQDNs on Cloudflare, and targeted sectors including education, healthcare, finance, non-profit, and government; the operation also took down 330 domains used by the service.
Sources:
- Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks — thehackernews.com — 05.03.2026 08:51