According to Microsoft, MFA can block more than 99.2% of account-compromise attacks – making it a strong defense against phishing.
But MFA isn’t as secure as you thought. A new kit, Tycoon 2FA, turns it into a weakness attackers can exploit. In January 2025 alone, Tycoon 2FA made up 89% of phishing-as-a-service incidents. Knowing how it works is key to protecting your accounts.
Let’s find out how Tycoon 2FA works, why it’s hard to stop and what you can do to stay safe.
What is Tycoon 2FA?
Tycoon 2FA is a phishing-as-a-service kit that captures your login details and MFA codes in real time, allowing attackers to bypass your account security.
How Tycoon 2FA Works
Tycoon 2FA works by sitting between you and the real website you’re trying to log in to. When you click the attacker’s link, you’re taken to a fake (but genuine-looking) page. Anything you type there – username, password, and MFA code – is instantly sent to the attacker.
They use these details immediately on the real site, logging in as you while your MFA code is still valid. In many cases, they also steal your active session so they can stay logged in without needing more codes later.
Tycoon 2FA is reportedly sold on a subscription basis for as little as $120 for 10 days of use. This low price point means that sophisticated MFA bypass attacks are no longer limited to highly skilled hackers, making the threat more widespread and dangerous.
Examples of Tycoon 2FA Attacks
The Tycoon 2FA kit is a tool used for different campaigns. Here are some of the common examples observed by cybersecurity researchers:
- Fake Microsoft 365 and Gmail Login Pages: The most common use of the kit is to create convincing fake login pages for these popular services.
- Corporate Lures: Attackers often use payroll, bonus, or fake voicemail alerts to trick employees into clicking links.
- QR Code Phishing (Quishing): Attackers embed QR codes in emails that, when scanned, lead to the phishing page, a technique that often bypasses traditional email security filters.
Why Tycoon 2FA Is Hard to Detect
Tycoon 2FA uses advanced phishing techniques that make it harder to spot than traditional scams. Instead of sending you to a completely fake site with obvious red flags, it acts as a “man-in-the-middle,” passing your real login session through to the legitimate website. This means:
- The URL can look convincing – often using typosquatting (slightly altered domain names) or compromised legitimate sites.
- SSL certificates can appear valid – making the browser display the familiar padlock icon.
This level of authenticity can trick even cautious users, especially when paired with well-crafted phishing emails, texts, or social media messages.
How to Protect Yourself from Tycoon 2FA
Defending against Tycoon 2FA means going beyond just using MFA. Here are steps you can take:
Use phishing-resistant MFA
Hardware security keys (like YubiKey or Google Titan) or passkeys that can't be intercepted in the same way as SMS or app-based codes.
Check links before you click
Hover over links in emails or messages to make sure the URL matches the official site, and watch for typosquatting (e.g., “micros0ft.com” instead of “microsoft.com”).
Type the address yourself
When in doubt, open a new browser tab and type the website address instead of following a link.
Don’t trust the padlock alone
A valid SSL certificate only means the connection is encrypted, not that the site is safe.
Use security software
Modern antivirus and browser extensions can block known phishing sites before you enter your details.
Be updated
Keep your browser, operating system, and apps patched to reduce vulnerabilities attackers might exploit.
Tycoon 2FA shows that attackers are always finding new ways to get around even the strongest protections. Knowing how these scams work – and putting the right defences in place – makes all the difference.
To learn how we can help you implement phishing-resistant MFA and other advanced security measures to protect your organization from threats like Tycoon 2FA, get in touch with us today.