Tycoon 2FA / MFA-Bypass Threat - Legacy MFA has left the building.
- Lou Quinton
- 6 days ago
Hello again! I'm writing to brief you on a significant and fast-evolving cyber threat affecting organisations that rely on cloud authentication and multi-factor protection.
The Tycoon 2FA phishing kit represents a meaningful shift in how attackers can bypass MFA, and it is important that all organisations understand the risk and strengthen their defences accordingly.

What has happened
Tycoon 2FA is a commercially available phishing toolkit that takes the old idea of a fake login page and supercharges it. It uses an Adversary-in-the-Middle approach that quietly places a malicious proxy between the user and the genuine login portal. This allows attackers to scoop up passwords, one-time codes and, most worrying of all, the authenticated session cookies that let them walk straight into cloud accounts without ever completing MFA themselves.
What makes Tycoon particularly concerning is how polished and accessible it is. This isn’t a tool reserved for highly skilled criminals any more - the barrier to entry is so low that, frankly, any motivated teenager could adopt it and start sending believable phishing links to your organisation.
The kit automatically spins up the reverse-proxy infrastructure needed to intercept authentication flows, handles the relaying of MFA prompts in real time, and presents cloned login screens that are almost indistinguishable from the real thing. It even comes with user guides, step-by-step setup instructions and, unbelievably, its own form of “technical support” for attackers who get stuck.
Enhanced evasion features mean Tycoon can slip past many traditional detection methods, and its automation makes the whole process point-and-click easy. The result is a tool that can deceive even well-trained users and give attackers immediate access to cloud services once the session is captured.
How this may affect you
Tycoon targets Microsoft and Google accounts primarily.
Your organisation is vulnerable if it relies on SMS codes or app notifications. Yep, that's going to be most organisations, possibly yours too.
The main risks include:
- Attackers gaining full account access despite correct MFA use
- Session takeover that persists even if passwords are reset
- Potential for mailbox rule creation, privilege escalation and lateral movement
- Reduced effectiveness of older MFA methods such as SMS codes or basic app prompts
The threat does not mean you should abandon MFA — it means the definition of strong MFA has evolved. Attackers are no longer simply stealing passwords, but hijacking the authenticated session itself.
Kafico’s position and recommended actions
We recommend the following proactive steps to keep your organisation out of Tycoon’s reach and stay ahead of modern MFA-bypass attacks. None of this is about panic — it’s about sensible, layered protection that actually works in the real world.
Adopt phishing-resistant MFA
If your MFA method can be tricked, relayed or proxied, attackers will eventually find a way around it. Hardware security keys and modern FIDO2-based authentication are far more resilient because they can’t be replayed through a fake login page. Think of them as the difference between a key that can be copied at Timpson’s and one that self-destructs if someone even looks at it funny.
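To make the "can't be replayed through a fake login page" point concrete, here is an added Python simulation (not code from the original post) covering both the proxy flow described under "What has happened" and the phishing-resistant MFA recommendation above. It contrasts a relayed one-time code with a FIDO2-style assertion whose signed client data names the origin the browser is really talking to. The domains are constructed placeholders, and an HMAC over a shared secret stands in for the real public-key signature so the script runs offline.

```python
"""Added example: why an origin-bound assertion survives an Adversary-in-the-Middle
proxy while a relayed one-time code does not. Simplified: an HMAC stands in for the
public-key signature, and both origins are constructed placeholders."""
import hashlib
import hmac
import secrets

GENUINE_ORIGIN = "https://login.example-tenant.test"        # constructed
PROXY_ORIGIN = "https://login.example-tenant-secure.test"   # constructed lookalike


class SecurityKey:
    """Stand-in for a FIDO2 authenticator. The browser always tells the key which
    origin it is actually connected to, and that origin becomes part of what is signed."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, browser_origin: str, challenge: str):
        client_data = f"{browser_origin}|{challenge}".encode()
        return client_data, hmac.new(self.secret, client_data, hashlib.sha256).digest()


class RelyingParty:
    """The genuine login portal. It rejects any assertion whose signed client data
    names a different origin, so a signature produced on a proxy page never verifies."""

    def __init__(self, origin: str):
        self.origin = origin
        self.registered = {}

    def register(self, user: str, key: SecurityKey) -> None:
        self.registered[user] = key.secret   # a public key in real WebAuthn

    def verify(self, user: str, challenge: str, assertion) -> bool:
        client_data, signature = assertion
        origin, signed_challenge = client_data.decode().split("|", 1)
        if origin != self.origin or signed_challenge != challenge:
            return False   # signed for the wrong site or a stale challenge
        expected = hmac.new(self.registered[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def totp_login(server_code: str, code_typed_by_user: str) -> bool:
    """A one-time code carries no notion of where it was typed. The proxy forwards
    it unchanged and the server cannot tell the difference."""
    return hmac.compare_digest(server_code, code_typed_by_user)


def simulate() -> dict:
    rp = RelyingParty(GENUINE_ORIGIN)
    key = SecurityKey()
    rp.register("alice", key)
    challenge = secrets.token_hex(16)

    # 1. Code typed into a proxied page: attacker relays it, server accepts it.
    totp_via_proxy = totp_login("493021", "493021")

    # 2. Security key used on the genuine site: origin matches, accepted.
    fido_direct = rp.verify("alice", challenge, key.sign(GENUINE_ORIGIN, challenge))

    # 3. Same challenge relayed through the proxy: the victim's browser is on the
    #    lookalike origin, so that is what gets signed, and the genuine RP rejects it.
    fido_via_proxy = rp.verify("alice", challenge, key.sign(PROXY_ORIGIN, challenge))

    return {
        "totp_via_proxy": totp_via_proxy,
        "fido_direct": fido_direct,
        "fido_via_proxy": fido_via_proxy,
    }


if __name__ == "__main__":
    print(simulate())
```

Real authenticators add a second guard the simulation leaves out: credentials are scoped to the relying-party identifier, so a key registered for the genuine domain will not even produce an assertion for an unrelated lookalike domain. The origin check shown here is the part the genuine server performs.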
Assume MFA bypass is possible and build layers accordingly
This is the mindset shift. Don’t treat MFA as a magic shield — treat it as one layer among many. Strengthen monitoring so you can spot the oddities: unusual login behaviour, impossible travel, new devices appearing out of nowhere or suspicious session reuse. Lock down high-privilege accounts with extra checks and tighter rules, because they’re always the prize.
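The three "oddities" named above (impossible travel, unknown devices, one session appearing from more than one source address) can each be expressed as a simple rule over sign-in events. The following Python is an added example, not tooling from the original post or from any vendor; the JSON sign-in records, IP addresses, device names and the 900 km/h plausibility threshold are all constructed for the demonstration.

```python
"""Added example: three sign-in anomaly rules run over constructed sample events.
Field names, addresses and the speed threshold are assumptions, not a vendor schema."""
import json
import math
from datetime import datetime

# Constructed sample sign-in events (JSON lines). Alice signs in from London twice,
# then fifteen minutes later her session id turns up from a New York address on an
# unfamiliar device. Bob's single sign-in is the control.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "ip": "203.0.113.10", "lat": 51.50, "lon": -0.12, "device": "lap-01", "session": "s-aaa"}
{"ts": "2024-05-01T08:05:00Z", "user": "alice", "ip": "203.0.113.10", "lat": 51.50, "lon": -0.12, "device": "lap-01", "session": "s-aaa"}
{"ts": "2024-05-01T08:20:00Z", "user": "alice", "ip": "198.51.100.7", "lat": 40.71, "lon": -74.01, "device": "unk-77", "session": "s-aaa"}
{"ts": "2024-05-01T09:00:00Z", "user": "bob", "ip": "203.0.113.20", "lat": 51.50, "lon": -0.12, "device": "lap-02", "session": "s-bbb"}
"""

# Baseline of devices each user has previously enrolled (constructed).
KNOWN_DEVICES = {"alice": {"lap-01"}, "bob": {"lap-02"}}

MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold: faster than an airliner is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    radius = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(a))


def parse_events(raw: str) -> list:
    events = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        # fromisoformat() only accepts a trailing "Z" on recent Pythons, so normalise it.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list, known_devices: dict) -> list:
    """Return (rule, user, detail) tuples for every anomaly found."""
    alerts = []
    last_seen = {}      # user -> their previous sign-in event
    session_ips = {}    # session id -> set of source addresses seen so far
    for event in events:
        user = event["user"]

        # Rule 1: impossible travel between this sign-in and the user's previous one.
        prev = last_seen.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], event["lat"], event["lon"])
            hours = (event["ts"] - prev["ts"]).total_seconds() / 3600
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append(("impossible_travel", user, f"{km:.0f} km in {hours * 60:.0f} min"))

        # Rule 2: a device this user has never enrolled.
        if event["device"] not in known_devices.get(user, set()):
            alerts.append(("new_device", user, event["device"]))

        # Rule 3: an existing session id now arriving from a different address,
        # the signature of a captured session cookie being replayed elsewhere.
        ips = session_ips.setdefault(event["session"], set())
        if ips and event["ip"] not in ips:
            alerts.append(("session_reuse", user, f"session {event['session']} now from {event['ip']}"))
        ips.add(event["ip"])

        last_seen[user] = event
    return alerts


def run_sample() -> list:
    return detect(parse_events(SAMPLE_LOG), KNOWN_DEVICES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

All three rules fire on Alice's third event and none on Bob's. In a real deployment the session-reuse rule is the one most worth tuning: mobile users legitimately change addresses, so pairing it with the device and travel signals, rather than alerting on it alone, keeps the noise down.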
Strengthen user awareness
Your people are your first and best defence. Make sure they know that phishing pages are no longer the obvious, badly designed traps they once were. Attackers can now produce login screens that look pixel-perfect. Encourage staff to slow down, sense-check what they’re clicking and report anything that feels even slightly off. A quick “this looks weird” message can save an entire organisation.
Review incident handling around identity compromise
If an attacker does manage to slip through, speed matters. Make sure you can revoke active sessions, force re-authentication and spot where the intruder went. Review your logging so you’re tracking session-level activity - not just whether someone typed the right password.
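Why does a password reset not evict an intruder, while revoking sessions does? The added Python below (not code from the original post or any identity provider) models the mechanism: a signed session token records when it was issued, the directory records when a user's sessions were last revoked, and the validator rejects any token issued before that moment. The signing key, user record layout and timestamps are constructed for the demonstration.

```python
"""Added example: a password reset leaves a captured session token valid, a session
revocation timestamp does not. The key, schema and times are constructed placeholders."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SIGNING_KEY = b"constructed-demo-signing-key"   # placeholder, not a real secret


@dataclass
class UserRecord:
    password_hash: str
    sessions_revoked_at: Optional[datetime] = None   # set by "revoke all sessions"


def mint_token(user: str, now: datetime) -> dict:
    """Issue a signed session token after a successful sign-in."""
    claims = {"sub": user, "iat": now.timestamp(), "sid": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "mac": hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()}


def validate(token: dict, directory: dict) -> tuple:
    """Return (accepted, reason). Note that the password hash is never consulted:
    a session token is proof of a past sign-in, not of the current password."""
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return False, "bad signature"
    record = directory.get(token["claims"]["sub"])
    if record is None:
        return False, "unknown user"
    revoked_at = record.sessions_revoked_at
    if revoked_at is not None and token["claims"]["iat"] < revoked_at.timestamp():
        return False, "issued before session revocation"
    return True, "ok"


def reset_password(record: UserRecord, new_password: str) -> None:
    record.password_hash = hashlib.sha256(new_password.encode()).hexdigest()


def revoke_sessions(record: UserRecord, now: datetime) -> None:
    record.sessions_revoked_at = now


def scenario() -> dict:
    t0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    directory = {"alice": UserRecord(password_hash=hashlib.sha256(b"old-pass").hexdigest())}

    # Sign-in at t0 goes through the attacker's proxy; the token is captured.
    stolen = mint_token("alice", t0)

    # Response step 1 (one hour later): password reset only. The token still validates.
    reset_password(directory["alice"], "new-pass")
    after_reset = validate(stolen, directory)[0]

    # Response step 2 (two hours later): revoke sessions. Now the token is dead.
    revoke_sessions(directory["alice"], t0 + timedelta(hours=2))
    after_revoke = validate(stolen, directory)[0]

    # The legitimate user re-authenticates afterwards and gets a fresh token that works.
    fresh = mint_token("alice", t0 + timedelta(hours=3))
    fresh_after_reauth = validate(fresh, directory)[0]

    return {
        "stolen_token_after_password_reset": after_reset,
        "stolen_token_after_revocation": after_revoke,
        "fresh_token_after_reauth": fresh_after_reauth,
    }


if __name__ == "__main__":
    print(scenario())
```

The ordering matters in practice as well as in the model: reset the password first so the intruder cannot simply sign in again, then revoke sessions so the captured token stops working, and only then have the user re-authenticate.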
Harden your perimeter and email defences
The less exposure users have to dodgy links, the better. Layered controls like URL filtering, attachment scanning and behavioural anomaly detection dramatically reduce the odds of someone ever landing on a malicious proxy page in the first place.
If you would like Kafico to review your current MFA setup, privilege structure, identity governance or logging configuration, we are happy to support you.
What happens next
Kafico will continue to track developments in advanced phishing kits and MFA bypass techniques. When new information, countermeasures or vendor guidance becomes available, we will provide a further update.
If you have any questions or would like assistance assessing your current authentication controls, please get in touch.
If you want the super techy-nerd explanation of Tycoon -
Jeff Pullen, CISSP, CCSP
