Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit
ID: ecc1239f-7594-5fba-98df-30b9cd907feb
STIX ID: report--ecc1239f-7594-5fba-98df-30b9cd907feb
Feed Name: Sekoia.io Blog
Date Published: 2024-03-25
Date Updated: 2026-04-29
Author: Quentin Bourgue and TDR (Threat Detection & Research)
**Executive summary:** Sekoia analysts discovered and analyzed Tycoon 2FA, an AiTM phishing kit marketed as Phishing-as-a-Service (PhaaS). It has been active since at least August 2023 and is used in widespread campaigns. The kit relays Microsoft 365 authentications (including MFA) via a reverse proxy to harvest credentials and session cookies, and employs Cloudflare Turnstile and obfuscated JavaScript/WebSocket exfiltration to evade detection. It is linked to over a thousand domains and to a Bitcoin wallet indicating active monetization.
