Tycoon 2FA AiTM Kit Targets Entra ID and Google Workspace In MFA Bypass Campaigns
ID: 6c446760-6625-5f75-bd81-7f2b54979fad
STIX ID: report--6c446760-6625-5f75-bd81-7f2b54979fad
Feed Name: Cyber Press
The Tycoon 2FA Phishing-as-a-Service (PhaaS) platform has resumed operations after a coordinated takedown. It employs adversary-in-the-middle proxies and OAuth device-code phishing to capture post-MFA session tokens and bypass multi-factor authentication for Microsoft 365 and Google Workspace. Operators use WebSocket relays, register rogue devices to obtain persistent Primary Refresh Tokens (PRTs), and abuse legitimate cloud storage to host phishing lures. They also implement layered anti-analysis and provider-specific infrastructure differences.
