We used to believe MFA was the ultimate line of defense. Then phishing kits like Tycoon 2FA showed up and proved otherwise.
Unlike the crude clones of years past, Tycoon 2FA leverages Adversary-in-the-Middle (AiTM) tactics to seamlessly intercept credentials and MFA tokens in real time. It looks polished, behaves like the real thing, and operates with the sophistication of a commercial SaaS platform. That’s because it is one — at least to the right Telegram channel.
Behind this increasingly popular phishing-as-a-service (PhaaS) platform is a financially motivated threat actor Microsoft tracks as Storm-1747. They aren’t just running phishing campaigns — they’re franchising them.
Let’s break down how Tycoon 2FA works, what makes Storm-1747 so dangerous, and what defenders need to understand about this new breed of phishing infrastructure.
The Rise of Storm-1747
Storm-1747 is Microsoft’s internal designation for a financially motivated group responsible for the creation and operation of Tycoon 2FA. Their goal isn’t espionage — it’s scalable credential theft and resale.
They lease access to the kit via private Telegram channels, maintain a robust update cycle, and provide full customer support. And it pays: blockchain analysis shows their associated BTC wallets have handled nearly $400,000 worth of transactions since 2019.
What makes them dangerous isn’t just their tooling — it’s their ability to commercialize it. They’ve made MFA bypass something you can subscribe to for $120.
How Tycoon 2FA Bypasses MFA in Real Time
At a technical level, Tycoon 2FA functions as a reverse proxy, sitting between the victim and the legitimate login page (Microsoft 365 or Gmail, for instance). The victim's browser is talking to the attacker's server, which relays every request to the real site and every response back, capturing everything that passes through in both directions.
First, the victim is lured via email to a link that passes through a legitimate redirector (often Glitch.me, Google Sites, or Notion) before landing on what looks like their organization's login page. Because the page is proxied from the real service rather than copied, it carries the organization's own branding and behaves exactly like the original.
The user enters their username and password, which are proxied to the real site. Then they complete the MFA challenge, whether a TOTP code or a push approval, and that, too, is passed through. The identity provider, having seen a successful MFA, issues its authenticated session cookie in the response (on Microsoft Entra ID, ESTSAUTH/ESTSAUTHPERSISTENT), and the proxy records it before forwarding. The attacker loads that cookie into their own browser and is signed in without needing the password or another MFA prompt.
At that point, it’s game over.
Under the Hood: How Tycoon’s Reverse Proxy Really Works
Tycoon 2FA may resemble other AiTM phishing kits on the surface, but its internals are far more advanced.
• Header Rewriting: The kit rewrites the Host, Origin, and Referer headers on requests it forwards upstream, so the real login service sees traffic that appears to come from its own pages; without that, the service's origin checks would reject the proxied form posts, and redirects in the responses would pull the victim off the phishing domain.
• Cookie Capture: After login, the Set-Cookie headers from the real service pass through the proxy, which logs the values and then strips the HttpOnly and Secure flags and rescopes the cookie so the victim's browser will accept it for the phishing host and the proxied session keeps working. Those flags were never a defense here: they constrain script running inside a browser, and the proxy reads the raw response as the TLS endpoint before any browser is involved.
• TLS Abuse: Attackers use Let's Encrypt to obtain valid TLS certificates for phishing domains such as login-m365[.]su, so no browser warning appears. The certificate proves only control of that domain, which is exactly what the operator has; the padlock says nothing about legitimacy.
• Client-Side Stealth: The phishing page blocks right-clicks, disables keyboard shortcuts, and embeds JavaScript that detects and breaks DevTools, making live inspection frustrating. Analysts are better served fetching the page outside a browser, or with a headless browser that records the network traffic, than fighting the anti-debug code in place.
• Browser-Based Only: No executables, no malware. The compromise is a session hijack carried out entirely through the browser, which leaves little for endpoint security to catch; the evidence sits in the identity provider's sign-in logs and in web proxy and DNS telemetry.
Storm-1747 has turned the browser into the battlefield — and they’ve done it without triggering traditional security controls.
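The two rewrites described above, as an added example that is not Tycoon 2FA's code or any real kit's: a Python sketch run on constructed headers. The phishing host is the page's own login-m365[.]su example; the upstream host is an assumption, and the cookie name is Entra ID's post-MFA session cookie (ESTSAUTH) with a made-up value. The point it makes is that the cookie value is logged before any flag is looked at, which is why HttpOnly and Secure are irrelevant against a proxy.

```python
"""Added illustration (not Tycoon 2FA's own code): the two header rewrites an
AiTM reverse proxy performs, run on constructed headers."""

PHISH_HOST = "login-m365.su"              # phishing host named earlier on the page
REAL_HOST = "login.microsoftonline.com"   # upstream identity provider (assumed target)


def rewrite_request_headers(headers: dict) -> dict:
    """Victim -> proxy -> real IdP. Make the request look like it originated on
    the real site; otherwise the IdP's Origin/Referer checks reject the POST."""
    out = dict(headers)
    out["Host"] = REAL_HOST
    for name in ("Origin", "Referer"):
        if name in out:
            out[name] = out[name].replace(PHISH_HOST, REAL_HOST)
    return out


def capture_and_rewrite_set_cookie(set_cookie: str, jar: dict) -> str:
    """Real IdP -> proxy -> victim. Log the cookie value server-side, then
    rewrite the attributes so the victim's browser accepts the cookie for the
    phishing host and the proxied session keeps working.

    Order matters: the value goes into `jar` before the flags are even read.
    That is the whole reason HttpOnly/Secure do nothing against AiTM."""
    name_value, *attrs = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name, _, value = name_value.partition("=")
    jar[name] = value                       # exfiltration point

    kept = []
    for attr in attrs:
        key = attr.split("=", 1)[0].lower()
        if key == "domain":
            kept.append(f"Domain={PHISH_HOST}")   # rescope to the phishing host
        elif key in ("httponly", "secure"):
            continue                              # stripped, as described above
        else:
            kept.append(attr)                     # Path, Expires, Max-Age, SameSite pass through
    return "; ".join([name_value, *kept])


if __name__ == "__main__":
    jar = {}
    # Constructed response header: real cookie name, invented value.
    raw = "ESTSAUTH=0.AXEAexample; Domain=login.microsoftonline.com; Path=/; Secure; HttpOnly"
    print(capture_and_rewrite_set_cookie(raw, jar))
    print("captured:", jar)
    print(rewrite_request_headers({"Host": PHISH_HOST, "Origin": f"https://{PHISH_HOST}"}))
```

Note that the "stripped" flags matter only to the victim's browser; the attacker's copy in `jar` is complete regardless, and the real kit additionally ships it to a Telegram bot, as the page describes later.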
Real-World Case: A Financial Firm Falls to Tycoon 2FA
This isn’t theoretical — organizations are actively being breached with this kit.
In early 2025, a mid-sized financial services firm was targeted in a campaign using the Tycoon 2FA phishing kit. Employees received convincing phishing emails impersonating internal departments. The messages included links to what appeared to be standard Microsoft login portals.
Once users clicked the link, they were taken to a near-identical login page hosted via a newly registered .com domain — but powered by Tycoon 2FA. Victims entered both their credentials and their MFA passcodes, unknowingly handing over a live session to the attacker.
But what made this attack particularly successful was Tycoon’s evasion layer: the kit blocked browser inspection tools, disabled right-clicking, and cloaked its source code with Unicode obfuscation. Even security analysts initially struggled to reverse the attack in real time.
Within minutes, attackers had access to inboxes and internal file repositories. They began exfiltrating sensitive client data using authenticated sessions that bypassed all further MFA challenges.
This was not a sophisticated zero-day. It was an off-the-shelf phishing kit with MFA bypass as a feature.
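What the identity provider's sign-in log would have shown in a case like this, as an added detection example (constructed records, not the firm's logs, and not Tycoon's code). The record fields are assumptions loosely modelled on Microsoft Entra sign-in log columns; the phrase "MFA requirement satisfied by claim in the token" is the wording Entra uses for a sign-in that reused an earlier MFA instead of prompting, and the per-user ASN baseline stands in for whatever history your environment keeps. The same logic serves recommendation 2 in the closing section.

```python
"""Added detection example (constructed records, not the firm's logs): find
session-cookie replay in identity-provider sign-in logs."""
from collections import defaultdict

# Wording Entra uses when a sign-in reused an earlier MFA instead of prompting.
TOKEN_CLAIM = "MFA requirement satisfied by claim in the token"

# Constructed: a.lee was phished through a proxy hosted on ASN 64511; the attacker
# then imported the cookie into a browser on ASN 64496. b.cho is normal traffic.
SIGNINS = [
    {"ts": "2025-02-03T09:12:04Z", "user": "a.lee@example.com", "session_id": "s-7f3a",
     "ip": "198.51.100.77", "asn": 64511, "mfa": "MFA completed", "interactive": True},
    {"ts": "2025-02-03T09:13:41Z", "user": "a.lee@example.com", "session_id": "s-7f3a",
     "ip": "192.0.2.8", "asn": 64496, "mfa": TOKEN_CLAIM, "interactive": False},
    {"ts": "2025-02-03T09:30:00Z", "user": "b.cho@example.com", "session_id": "s-1c22",
     "ip": "203.0.113.10", "asn": 64500, "mfa": "MFA completed", "interactive": True},
    {"ts": "2025-02-03T11:02:00Z", "user": "b.cho@example.com", "session_id": "s-1c22",
     "ip": "203.0.113.10", "asn": 64500, "mfa": TOKEN_CLAIM, "interactive": False},
]

# Assumed per-user baseline of ASNs (corporate egress, home ISPs); in practice
# built from weeks of history rather than hard-coded.
KNOWN_ASNS = {"a.lee@example.com": {64500}, "b.cho@example.com": {64500}}


def detect_session_replay(signins, known_asns):
    """Two rules, and both are needed for AiTM:
    1. The interactive sign-in that completed MFA came from an ASN outside the
       user's baseline. In a proxied login the IdP records the proxy's address,
       not the victim's, so the successful MFA itself is the first anomaly.
    2. A later sign-in satisfied by token claim uses the session from a different
       ASN than the one that completed MFA (cookie imported into another browser).
    Returns (session_id, user, rule) tuples in log order."""
    by_session = defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["ts"]):   # ISO timestamps sort as text
        by_session[rec["session_id"]].append(rec)

    alerts = []
    for sid, recs in by_session.items():
        user = recs[0]["user"]
        mfa_event = next((r for r in recs if r["interactive"]), None)
        if mfa_event is None:
            # A session with no recorded interactive sign-in was seeded elsewhere.
            alerts.append((sid, user, "token_use_without_interactive_mfa"))
            continue
        if mfa_event["asn"] not in known_asns.get(user, set()):
            alerts.append((sid, user, "mfa_completed_from_unknown_asn"))
        for rec in recs:
            if (not rec["interactive"] and rec["mfa"] == TOKEN_CLAIM
                    and rec["asn"] != mfa_event["asn"]):
                alerts.append((sid, user, "session_reused_from_new_asn"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SIGNINS, KNOWN_ASNS):
        print(*alert)
```

Rule 1 is the one teams usually miss: the victim's own MFA completion is logged against the proxy's address, so a rule that only looks for later reuse from a new location fires late or not at all if the attacker keeps using the same VPS.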
Infrastructure & IOCs: A Constantly Shifting Attack Surface
Storm-1747 has invested heavily in making Tycoon 2FA scalable and resilient. Their infrastructure is vast, fast-moving, and intentionally volatile — designed to stay one step ahead of takedown requests and blocklists.
Domain Strategy
Researchers have attributed over 1,200 domains to Tycoon 2FA campaigns since mid-2023. These domains are often:
• Short-lived (rotated every 7–14 days)
• Registered with privacy protection
• Mimicking Microsoft, Google, or Okta login portals
Common TLDs used:
• .ru
• .xyz
• .su
• .online
• .store
Tycoon domains often use homoglyph attacks to mimic legitimate brands (e.g., rnicrosoft-support[.]com).
Hosting & Backends
• Frequently hosted on bulletproof VPS providers in Eastern Europe and Southeast Asia.
• Occasionally routed through Cloudflare to mask origin IPs and absorb traffic spikes.
• Backend logging scripts typically include:
  • res444.php
  • cllascio.php
  • .000.php
These endpoints handle cookie exfiltration, device fingerprinting, and sometimes full proxy logs.
Notable IOCs
Type      | Value
Domain    | m365-verification[.]ru
Domain    | authportal-gmail[.]org
Domain    | tycoonkit-login[.]su
IP        | 185.231.204.77
IP        | 193.124.182.69
File Path | /cllascio.php
Storm-1747 also uses Telegram bots for real-time alerting when a victim enters credentials, allowing attackers to act before token expiration.
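A triage rule built from the domain patterns above, as an added example (my code, not Storm-1747's and not a vendor product): it scores a domain seen in DNS or proxy logs using the IOC list, the TLD list, rn-for-m style confusables, login wording, and registration age. The allowlist, the weights, the brand and keyword lists, the extra confusable pairs, and the two-label approximation of a registrable domain are all assumptions; use the public suffix list and your own baseline in production. It also serves recommendation 4 (newly registered domains) in the closing section.

```python
"""Added triage rule (not Storm-1747's code, not a vendor product): score a
domain from DNS/proxy logs against the patterns this page describes."""
from datetime import date

IOC_DOMAINS = {"m365-verification.ru", "authportal-gmail.org", "tycoonkit-login.su"}
RISKY_TLDS = {"ru", "xyz", "su", "online", "store"}           # TLDs listed above
BRANDS = ("microsoft", "m365", "o365", "office", "gmail", "google", "okta", "outlook")
AUTH_WORDS = ("login", "signin", "auth", "verif", "sso", "mfa", "portal")
ALLOWLIST = {"microsoft.com", "microsoftonline.com", "google.com", "okta.com", "live.com"}
# rn -> m is the page's example; the other pairs are common confusables (assumption).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d"))
WEIGHTS = {"known_ioc": 100, "brand_lookalike": 40, "brand_keyword": 20,
           "auth_wording": 15, "risky_tld": 10, "newly_registered": 25}

# Constructed log lines: timestamp, queried name, first-seen date from a passive DNS / NRD feed.
SAMPLE_DNS_LOG = """\
2025-02-04T10:00:01Z rnicrosoft-support.com first_seen=2025-02-01
2025-02-04T10:00:07Z login.microsoftonline.com first_seen=2010-01-01
2025-02-04T10:01:13Z m365-verification.ru first_seen=2025-01-30
2025-02-04T10:02:44Z okta-sso.store first_seen=2024-01-01
"""


def normalize(label: str) -> str:
    """Fold confusable sequences so rnicrosoft compares equal to microsoft."""
    s = label.lower()
    for seq, repl in CONFUSABLES:
        s = s.replace(seq, repl)
    return s


def registrable(domain: str) -> str:
    """Two-label approximation; real code should consult the public suffix list."""
    return ".".join(domain.split(".")[-2:])


def score_domain(domain: str, first_seen: date, today: date):
    """Return (score, reasons) for one domain."""
    d = domain.lower().rstrip(".")
    if registrable(d) in ALLOWLIST:
        return 0, []
    labels = d.split(".")
    tld, rest = labels[-1], ".".join(labels[:-1])
    reasons = []
    if d in IOC_DOMAINS:
        reasons.append("known_ioc")
    folded = normalize(rest)
    if any(b in folded for b in BRANDS):
        # A brand string that only appears after folding is a deliberate lookalike.
        reasons.append("brand_lookalike" if folded != rest else "brand_keyword")
    if any(w in rest for w in AUTH_WORDS):
        reasons.append("auth_wording")
    if tld in RISKY_TLDS:
        reasons.append("risky_tld")
    if (today - first_seen).days <= 14:          # matches the 7-14 day rotation noted above
        reasons.append("newly_registered")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage_log(text: str, today: date, threshold: int = 40):
    """Parse the constructed log format and return hits at or above threshold, highest first."""
    hits = []
    for line in text.splitlines():
        _ts, domain, fs = line.split()
        first_seen = date.fromisoformat(fs.split("=", 1)[1])
        score, reasons = score_domain(domain, first_seen, today)
        if score >= threshold:
            hits.append((domain, score, reasons))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_DNS_LOG, date(2025, 2, 4)):
        print(*hit)
```

The score is additive on purpose: a lone hit on a risky TLD is noise, but brand lookalike plus login wording plus a registration inside the rotation window is exactly the combination the page describes, and a known IOC should dominate everything else.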
From Fork to Franchise: The Evolution of Storm-1747
Storm-1747 didn’t build Tycoon 2FA from scratch — they refined it.
Earlier builds shared several payload names, functions, and front-end design cues with another popular phishing kit called Dadsec. Security researchers believe Tycoon may have started as a fork of Dadsec’s codebase before branching out into a more stable, commercially viable tool.
By mid-2023, Tycoon 2FA had matured significantly:
• Improved proxy reliability and session handling
• Better anti-analysis techniques
• Regular biweekly updates with release notes and bug fixes
• An interface simple enough for non-technical actors to deploy
Today, Storm-1747 continues to release versioned updates via their Telegram channels. These releases often incorporate customer feedback, optimize evasion logic, and expand compatibility with different services (e.g., Google Workspace, Okta, Outlook Web Access).
In short: Tycoon isn’t a tool — it’s a product line.
Inside the Telegram Marketplace
Tycoon 2FA’s distribution is as slick as its engineering. Everything is sold and supported through private Telegram groups that act like customer portals.
A typical listing looks like this:
“TYCOON 2FA v4.1 – Works with M365, Gmail, Outlook, GWS
🧪 Bypass MFA with valid cookies
🔐 CAPTCHA / Unicode / Anti-Debug ready
📡 Real-time logs via bot
💸 $120 = 10 Days | $300 = Monthly
🧰 DM for panels, builds, FAQ”
Buyers get access to preconfigured phishing templates, anti-bot modules, and step-by-step deployment guides. Premium buyers receive one-on-one support and infrastructure tips (like VPS providers that won’t take down abuse complaints quickly).
Storm-1747 runs the entire ecosystem like a business — complete with customer tiers, update cycles, and limited slots to maintain “exclusivity.”
This is what phishing looks like in the SaaS era.
What Security Teams Need to Do
Let’s be blunt: TOTP and push-based MFA are no longer enough against this class of attack. Because the proxy relays the real login flow, the victim receives the genuine push (number matching included) and approves it; the factor works exactly as designed, and the attacker still walks away with the session. Here’s what defenders need to prioritize now:
1. Deploy Phishing-Resistant MFA
Switch to FIDO2/WebAuthn (hardware keys such as YubiKeys, or platform passkeys) wherever possible. The browser writes the page’s real origin into the signed client data and the authenticator scopes the credential to the relying party ID, so a login attempted from the proxy’s domain yields an assertion the real service rejects. The proxy never completes the login and therefore never receives a session cookie to replay. This protects the login itself; a cookie stolen by other means (an infostealer on the endpoint, for instance) can still be replayed, which is why session monitoring still matters.
2. Monitor for Session Hijacking
Track sign-ins where MFA was satisfied by an existing session rather than a fresh challenge (in Microsoft Entra sign-in logs this appears as “MFA requirement satisfied by claim in the token”) and correlate them with the interactive sign-in that completed MFA. Check two things: whether that interactive sign-in came from an ASN or country the user never uses (during an AiTM login the identity provider sees the proxy’s address, not the victim’s), and whether the same session is later used from a different address or client. Simultaneous sign-ins from far-apart geographies and any reuse of a session cookie from a new client are the red flags.
3. Audit OAuth App Registrations
One common move post-breach is to register malicious OAuth apps. Flag new apps and monitor for rare scopes or user consent grants.
4. Watch for Fast-Flux Domain Behavior
Storm-1747 rotates infrastructure rapidly; in practice this is churn of newly registered domains rather than fast-flux DNS in the strict sense. Use passive DNS and newly registered domain (NRD) feeds to flag names that combine a brand string, login wording, one of the TLDs listed above, and registration within the last two weeks, and alert on first contact rather than waiting for a blocklist entry that will arrive after the domain has been retired.
5. Train for AiTM Phishing
Simulate adversary-in-the-middle phishing in your training programs, not just static clones. Teach users that the page will look exactly right, and that the only reliable tell is the domain in the address bar, including the redirector hops on the way in. Treat this as a secondary control: a proxied page is built to pass visual inspection, which is why phishing-resistant MFA comes first.
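Why a FIDO2/WebAuthn login cannot be proxied, as an added example (not from the page or any WebAuthn library): the relying-party checks behind recommendation 1, with the browser’s and authenticator’s contributions simulated just enough to show the two bindings. The RP ID, origins, and challenge are assumptions. The browser, not the page’s script, writes the origin into clientDataJSON, and the authenticator puts SHA-256(rpId) at the front of authenticatorData with the rpId constrained to the calling origin; both are covered by the assertion signature, which this sketch leaves out.

```python
"""Added example (not from the page or any WebAuthn library): relying-party
checks that make a FIDO2 assertion useless to an AiTM proxy."""
import base64
import hashlib
import json

RP_ID = "login.example.com"                       # assumed relying party ID
ALLOWED_ORIGINS = {"https://login.example.com"}   # assumed


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """clientDataJSON is assembled by the browser. The origin is the page's real
    origin as the browser sees it; site JavaScript cannot set it. A page served
    from login-example.su always yields origin=https://login-example.su."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": page_origin}).encode()


def authenticator_auth_data(rp_id: str) -> bytes:
    """authenticatorData starts with SHA-256(rpId). The browser only passes an
    rpId that is a registrable suffix of the calling origin, so a phishing page
    cannot ask the authenticator for login.example.com's credential."""
    flags = b"\x05"                       # user present (UP) and user verified (UV)
    sign_count = (1).to_bytes(4, "big")
    return hashlib.sha256(rp_id.encode()).digest() + flags + sign_count


def signed_message(client_data_json: bytes, auth_data: bytes) -> bytes:
    """What the authenticator signs: both bindings above are under the signature,
    so a proxy cannot edit origin or rpIdHash after the fact. (Signature
    verification itself is omitted from this sketch.)"""
    return auth_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes):
    """RP-side checks from WebAuthn assertion verification, minus the signature."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "bad_client_data"
    if client.get("type") != "webauthn.get":
        return False, "bad_type"
    if unb64url(client.get("challenge", "")) != expected_challenge:
        return False, "challenge_mismatch"      # replayed or stale assertion
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin_mismatch"         # the AiTM case: browser recorded the proxy's origin
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpid_mismatch"           # credential scoped to some other RP
    if not auth_data[32] & 0x01:
        return False, "user_not_present"
    return True, "ok"


def simulate(page_origin: str, rp_id_browser_allows: str):
    """One login attempt from a page at `page_origin` (constructed challenge)."""
    challenge = hashlib.sha256(b"per-login nonce from the RP").digest()
    client = browser_client_data(page_origin, challenge)
    auth = authenticator_auth_data(rp_id_browser_allows)
    return verify_assertion(client, auth, challenge)


if __name__ == "__main__":
    print(simulate("https://login.example.com", "login.example.com"))
    print(simulate("https://login-example.su", "login-example.su"))
```

The proxy has no way around the second call: it cannot change what the browser writes as origin, it cannot obtain an assertion scoped to the real RP ID from the victim’s authenticator, and it cannot alter either field without breaking the signature. The login fails at the identity provider, so no session cookie is ever issued for it to steal.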
Final Thoughts
Tycoon 2FA isn’t just bypassing MFA. It’s bypassing our assumptions about what a phishing attack looks like.
With a few clicks and a couple hundred dollars, an adversary can launch an attack that defeats MFA, evades detection, and compromises enterprise accounts — all with out-of-the-box tooling and step-by-step guides.
Storm-1747 isn’t trying to breach your organization. They’re enabling anyone to do it.
If we’re going to stay ahead, we need to think like attackers — and stop thinking that MFA alone will save us.
