On March 4, Europol and Microsoft seized 330 domains tied to Tycoon2FA, one of the most active phishing-as-a-service platforms targeting Microsoft 365 users. The headlines called it a significant disruption.

For about 48 hours, it was. Then Tycoon2FA came back.

Here’s the detail that tells the whole story: of the 11 IPv6 addresses observed in Tycoon2FA activity during March, 8 were registered on or after March 1, three days before the takedown. The operators knew it was coming and pre-staged backup infrastructure before Europol touched the first domain.

Volumes dropped to roughly 25% of normal on March 4 and 5. By the following week, activity was back to the early-2026 baseline. Thirty incidents were responded to in the 48 hours after the disruption.

The platform was generating around 30 million phishing emails per month and accounted for 62% of all phishing blocked by Microsoft. It uses adversary-in-the-middle techniques: it sits as a proxy between the victim and a legitimate Microsoft login and captures session tokens in real time. MFA doesn’t stop it: the victim completes their MFA prompt against the real login, and by then the platform has already captured the authenticated session.

Post-disruption, analysts also spotted something new: AI-generated decoy pages in the rebuilt infrastructure. Not hand-crafted fakes. Machine-generated, visually convincing lures built to scale. The platform didn’t just survive the takedown; it came back with better tooling.

The pattern here is consistent. Infrastructure seizures disrupt. They don’t shut things down. When you take servers and the people walk away free, they rebuild. Arrests change this. Tycoon2FA’s operators are still free.

On the defender side, Microsoft started rolling out a Conditional Access change on March 27 that closes a gap where OIDC-only sign-ins could bypass MFA and device compliance policies. Audit your OIDC-connected applications and check that your Conditional Access policies actually cover them.
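The audit that last sentence asks for, as an added example that is not from the original post: it evaluates Conditional Access policies in the JSON shape Microsoft Graph returns from `/identity/conditionalAccess/policies` (export them with Graph PowerShell or the API) and lists the apps that no enforced, tenant-wide policy requiring MFA or a compliant device applies to. It assumes that narrow definition of "covered" and ignores group scoping, locations and other conditions; the sample policies and app IDs are constructed placeholders.

```python
# Grant controls that actually block a password-only sign-in (assumption: that is what "covered" means)
STRONG_CONTROLS = {"mfa", "compliantDevice", "domainJoinedDevice"}

def _grant_is_strong(policy: dict) -> bool:
    grant = policy.get("grantControls") or {}
    if grant.get("authenticationStrength"):  # an authentication strength implies MFA
        return True
    return bool(STRONG_CONTROLS & set(grant.get("builtInControls", [])))

def _targets_app(policy: dict, app_id: str) -> bool:
    apps = policy.get("conditions", {}).get("applications", {})
    if app_id in apps.get("excludeApplications", []):  # an exclusion silently removes coverage
        return False
    include = apps.get("includeApplications", [])
    return "All" in include or app_id in include

def _targets_all_users(policy: dict) -> bool:
    users = policy.get("conditions", {}).get("users", {})
    return "All" in users.get("includeUsers", [])

def audit(policies: list, apps: list) -> dict:
    """Map each app's displayName to the enforced policies that cover it (empty list = gap)."""
    enforced = [p for p in policies if p.get("state") == "enabled"]  # report-only blocks nothing
    return {a["displayName"]: [p["displayName"] for p in enforced
                               if _targets_app(p, a["appId"])
                               and _targets_all_users(p) and _grant_is_strong(p)]
            for a in apps}

def gaps(policies: list, apps: list) -> list:
    """Apps that no enforced, tenant-wide, MFA-or-device policy applies to."""
    return sorted(name for name, covering in audit(policies, apps).items() if not covering)

# Constructed sample data with placeholder app IDs, not values from any real tenant.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all apps", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"],
                                     "excludeApplications": ["app-legacy-0002"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Compliant device for legacy portal",
     "state": "enabledForReportingButNotEnforced",  # report-only: looks like coverage, enforces nothing
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["app-legacy-0002"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
]
SAMPLE_APPS = [{"appId": "app-crm-0001", "displayName": "CRM (OIDC)"},
               {"appId": "app-legacy-0002", "displayName": "Legacy portal (OIDC)"}]
```

Feed it the real export and treat every name in `gaps()` as an app an AiTM-captured session could reach without the controls you think are enforced.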

Read how Tycoon2FA operates, why the takedown failed to stick, and what the Entra Conditional Access fix actually addresses.