The article analyzes Tycoon2FA, a phishing-as-a-service platform that enabled large-scale adversary-in-the-middle (AiTM) attacks capable of bypassing multifactor authentication. It explains how the service intercepted login credentials and session cookies through proxy phishing pages that mimicked services such as Microsoft 365 and Gmail. The platform included evasion techniques and user-friendly infrastructure, enabling less-skilled attackers to run campaigns that reached hundreds of thousands of organizations each month. The article concludes with guidance on layered defenses, including improved authentication methods, phishing detection, and coordinated disruption efforts.
