141/69 Wednesday, March 11, 2026

Law enforcement agencies led by Europol, in collaboration with Microsoft and several industry partners, have successfully dismantled the infrastructure behind Tycoon 2FA, a major Phishing-as-a-Service (PhaaS) platform used to send tens of millions of phishing emails targeting more than 500,000 organizations worldwide. According to reports, by mid-2025 the service accounted for 62% of all phishing attempts detected and blocked by Microsoft, with some months seeing more than 30 million malicious emails generated through the platform.
Tycoon 2FA is considered one of the largest phishing operations currently active and has been linked to at least 96,000 victims worldwide since 2023, including more than 55,000 Microsoft customers. The platform was widely used by cybercriminals to impersonate legitimate users and steal access to email accounts and critical online services such as Microsoft 365, Microsoft Outlook, and Gmail. Attackers employed advanced evasion techniques, including rotating URLs through open-redirect vulnerabilities on third-party websites and leveraging Cloudflare Workers to conceal their infrastructure.
A key characteristic of Tycoon 2FA was its continuous development and the integration of multiple techniques to scale phishing campaigns globally, including distribution through PDF attachments and QR codes. The disruption of this infrastructure is therefore highly significant, as it removes a major channel used for account takeover attacks and helps reduce the risk of follow-on threats such as data theft, ransomware attacks, business email compromise (BEC), and financial fraud.
