Detecting Tycoon 2FA AiTM attacks across Entra ID and Google Workspace
ID: 0c73da05-854c-5a60-89ef-ddf2b61134f7
STIX ID: report--0c73da05-854c-5a60-89ef-ddf2b61134f7
Feed Name: Elastic Security Labs
Tycoon 2FA is a high-volume Phishing-as-a-Service (PhaaS) adversary-in-the-middle (AiTM) kit that proxies genuine Microsoft and Google login flows to capture post-MFA session tokens; in the Microsoft variant it can also register devices to obtain Primary Refresh Tokens (PRTs), which survive session revocation. The report covers two active variants (a WebSocket relay and device-code abuse), extensive anti-analysis and evasion measures, a two-tier operational model for Microsoft targets (kit relay plus operator console), rapid post-compromise Graph API reconnaissance, detection rules for Entra ID and Google Workspace, and recommended defenses: phishing-resistant MFA (FIDO2), blocking device-code flows, device enumeration and deletion, token protection, and automated containment workflows.
