Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale
ID: 9dbb0f04-7059-5851-88c8-c0b3e91be1e8
STIX ID: report--9dbb0f04-7059-5851-88c8-c0b3e91be1e8
Feed Name: Microsoft Security
Date Published: 2026-03-04
Date Updated: 2026-04-28
Author: Microsoft Threat Intelligence and Microsoft Defender Security Research Team
Tycoon2FA is a widely deployed phishing-as-a-service platform that enables adversary-in-the-middle (AiTM) phishing campaigns capable of intercepting credentials and session cookies to bypass MFA at scale. The report describes the service panel, infrastructure and URL patterns, common email lures and attachment types, extensive evasion techniques (custom CAPTCHAs, obfuscated JavaScript, redirect chains), examples of exfiltration (Telegram bots), Microsoft Defender detections and hunting queries, and recommended mitigations, including phishing-resistant authentication.
