Tycoon 2FA AiTM Kit Bypasses MFA on Entra ID and Google Workspace Accounts
ID: 29ccd534-9454-5ec8-a820-62fa70a87781
STIX ID: report--29ccd534-9454-5ec8-a820-62fa70a87781
Feed Name: cybersecurityNews.com
Tycoon 2FA is a large-scale Phishing-as-a-Service kit that intercepts authenticated session tokens for Microsoft 365 and Google Workspace by acting as a reverse proxy and abusing OAuth/device-code flows; it bypasses standard MFA, registers persistent devices to mint primary refresh tokens, and has been attributed to threat actor Storm-1747. The report documents TTPs, resilience after takedown, detailed IoCs (client IDs, OAuth scopes, user-agents, crypto keys, Socket.IO events), and mitigation recommendations such as phishing-resistant MFA (FIDO2/passkeys), Conditional Access, token protection, and careful device enumeration prior to session revocation.
