SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Microsoft & Europol disrupt global Tycoon 2FA scam

Fri, 6th Mar 2026

Microsoft, Europol, and a group of security and technology firms have disrupted Tycoon 2FA, a phishing service linked to tens of thousands of victims worldwide and widespread online impersonation fraud.

Under court authorisation, Microsoft seized more than 300 domains used in Tycoon 2FA's infrastructure. The operation took over 330 active domains, including sites used for control panels and fraudulent login pages.

Tycoon 2FA has operated since at least 2023 and has been used by thousands of cybercriminals, according to Microsoft. It was linked to more than 96,000 distinct phishing victims globally, including more than 55,000 Microsoft customers.

In Australia, the activity led to about 1,850 distinct phishing victims. Targets included businesses, schools, hospitals, and public institutions.

Service model

Tycoon 2FA did not run as a single phishing campaign. Instead, it functioned as a service that other criminals could use for account takeover attempts at scale.

Unlike conventional phishing kits, it intercepted live authentication sessions in real time, Microsoft said. It captured one-time passcodes and active session cookies, which attackers could then use to access online accounts even when multi-factor authentication was enabled.
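The capability described here, an adversary-in-the-middle proxy that relays the victim's real login and keeps the resulting session cookie, means the attacker's later access happens without any fresh MFA prompt, from a different client than the one that completed MFA. One defensive consequence is that session-token replay is visible in sign-in telemetry: the same session identifier appears first from the user's client with MFA satisfied, then shortly afterwards from a different IP address and browser without MFA. The following check is an added example written for this article; it is not Microsoft's or any partner's code, and the JSON sign-in record format, field names (`ts`, `user`, `session_id`, `ip`, `ua`, `mfa`) and all sample values are constructed for illustration.

```python
import json
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    mfa_satisfied: bool


@dataclass(frozen=True)
class ReplayAlert:
    user: str
    session_id: str
    first_ip: str
    replay_ip: str
    minutes_after: float


# Constructed sample sign-in records (JSON lines). The schema is an
# assumption made for this example, not any vendor's log format.
# S1: MFA completed from one client, then the same session reused from a
#     different IP and browser with no MFA -> replay pattern.
# S2: same session reused from the same client -> benign.
# S4: same browser, new IP, no MFA -> typical mobile roaming, not flagged.
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:00:00Z", "user": "alice@example.com", "session_id": "S1", "ip": "203.0.113.10", "ua": "Edge/122 Windows", "mfa": true}
{"ts": "2026-03-02T09:06:00Z", "user": "alice@example.com", "session_id": "S1", "ip": "198.51.100.7", "ua": "Chrome/121 Linux", "mfa": false}
{"ts": "2026-03-02T09:10:00Z", "user": "bob@example.com", "session_id": "S2", "ip": "192.0.2.5", "ua": "Edge/122 Windows", "mfa": true}
{"ts": "2026-03-02T09:40:00Z", "user": "bob@example.com", "session_id": "S2", "ip": "192.0.2.5", "ua": "Edge/122 Windows", "mfa": false}
{"ts": "2026-03-02T08:00:00Z", "user": "dave@example.com", "session_id": "S4", "ip": "203.0.113.80", "ua": "Safari/17 iPhone", "mfa": true}
{"ts": "2026-03-02T08:30:00Z", "user": "dave@example.com", "session_id": "S4", "ip": "198.51.100.200", "ua": "Safari/17 iPhone", "mfa": false}
"""


def parse_events(text):
    """Parse JSON-lines sign-in records into SignIn objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(SignIn(
            ts=datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            user=rec["user"],
            session_id=rec["session_id"],
            ip=rec["ip"],
            user_agent=rec["ua"],
            mfa_satisfied=bool(rec["mfa"]),
        ))
    return events


def find_session_replay(events):
    """Flag sessions whose MFA-satisfied first sign-in is later reused from a
    client with BOTH a different IP and a different user agent, without MFA.

    Requiring both attributes to change cuts down on false positives from
    users moving between networks on the same device.
    """
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        first = first_seen.setdefault(ev.session_id, ev)
        if first is ev:
            continue  # first observation of this session
        client_changed = ev.ip != first.ip and ev.user_agent != first.user_agent
        if first.mfa_satisfied and not ev.mfa_satisfied and client_changed:
            alerts.append(ReplayAlert(
                user=ev.user,
                session_id=ev.session_id,
                first_ip=first.ip,
                replay_ip=ev.ip,
                minutes_after=(ev.ts - first.ts).total_seconds() / 60,
            ))
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(parse_events(SAMPLE_LOG)):
        print(f"{alert.user}: session {alert.session_id} first seen from "
              f"{alert.first_ip}, reused from {alert.replay_ip} "
              f"{alert.minutes_after:.0f} min later without MFA")
```

On the constructed sample this reports only alice's session S1. Real sign-in telemetry adds noise this heuristic does not model (shared egress IPs, browser updates mid-session), so in practice the result is a triage queue rather than an automatic block; the structural mitigation Microsoft's description points at is to make the cookie useless off the original device, for example by binding sessions to the device or requiring phishing-resistant authenticators.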

The service was used against platforms such as Microsoft 365, Outlook, and Gmail, according to Microsoft. It was also linked to large volumes of malicious messages, with tens of millions of fraudulent emails reaching more than 500,000 organisations worldwide each month.

Scale of harm

By mid-2025, Tycoon 2FA accounted for about 62% of phishing attempts Microsoft said it blocked, including more than 30 million emails in a single month. Microsoft described it as one of the largest phishing operations globally.

Compromised accounts can lead to invoice fraud, data theft, ransomware, and business email compromise, Microsoft said.

Healthcare and education organisations were among the most frequent targets, according to Microsoft. Health-ISAC, a threat-sharing group for the health sector, said more than 100 of its members were successfully phished through Tycoon 2FA.

International action

The disruption involved Europol and industry partners including Cloudflare, Coinbase, Proofpoint, Intel471, TrendAI, the Shadowserver Foundation, Resecurity, eSentire, and Health-ISAC. Microsoft said this was the first time it coordinated with Europol's Cyber Intelligence Extension Programme, a framework for cross-border operations involving public and private sector organisations.

Law enforcement authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom also seized infrastructure and took other operational measures linked to Tycoon 2FA, according to Microsoft.

Partner firms contributed different data and services. Cloudflare took down infrastructure outside US jurisdiction, Microsoft said. Shadowserver supported notifications to more than 200 computer emergency response teams worldwide. Coinbase helped trace the movement of stolen funds.

Operators and ecosystem

Microsoft said Tycoon 2FA operated as part of a wider "impersonation-for-hire" ecosystem, with a developer and other participants handling marketing, payments, and technical support. It named the primary developer as Saad Fridi, who it said is believed to be based in Pakistan.

Tycoon 2FA was also used alongside other illicit services that handled mass email delivery, malware distribution, hosting, and the sale of access, according to Microsoft. The company pointed to its earlier disruption of RedVDS, a provider of low-cost virtual machines that it said criminals paired with Tycoon 2FA for phishing campaigns.

Microsoft said investigators were unable to purchase access to Tycoon 2FA directly because the operator rejected attempts and required a trusted intermediary. It also said Tycoon 2FA's operator communicated with the now-arrested developer of another phishing tool, RaccoonO365.

The action against Tycoon 2FA forms part of a wider set of disruptions Microsoft has pursued against services it says enable initial access and impersonation. Over the past 18 months, Microsoft's Digital Crimes Unit has targeted services including Lumma Stealer, RaccoonO365, Fake ONNX (also known as "Caffeine"), and RedVDS.

Steven Masada, Assistant General Counsel at Microsoft's Digital Crimes Unit, described the consequences of such intrusions.

"In other cases, similar intrusions delayed paychecks, rerouted invoices, stole sensitive data, locked up entire networks, interrupted patient care, and strained already tight budgets at schools and critical services," Masada said.

Masada said the company expected further efforts in this area of cybercrime.

"Microsoft will continue applying the lessons learned from Tycoon 2FA and prior disruptions to fragment the impersonation economy, limit scale, and make cybercrime riskier and less profitable," said Masada.