← All stories

Trend Micro Research

Europol, Microsoft, TrendAI™ and Collaborators Halt Tycoon 2FA Operations

Stephen Hilt · 2026-03-04 · Read original ↗

ATT&CK techniques detected

6 predictions

T1566.002Spearphishing Link

84%

“features and modifications fit into a broader trend where phishing kits are becoming cheaper, more accessible, and easier to operate even for low - skill attackers. phishing enabled by phishing kits is often overshadowed by ransomware in the threat landscape in terms of risk pose…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1566Phishing

81%

“features and modifications fit into a broader trend where phishing kits are becoming cheaper, more accessible, and easier to operate even for low - skill attackers. phishing enabled by phishing kits is often overshadowed by ransomware in the threat landscape in terms of risk pose…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1566.002Spearphishing Link

70%

“a phaas kit designed to bypass multi - factor authentication ( mfa ). aside from stealing usernames and passwords, it also uses an adversary - in - the - middle ( aitm ) proxy that sits between the victim and the real log in page, allowing it to capture credentials, mfa codes, an…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1111Multi-Factor Authentication Interception

66%

“a phaas kit designed to bypass multi - factor authentication ( mfa ). aside from stealing usernames and passwords, it also uses an adversary - in - the - middle ( aitm ) proxy that sits between the victim and the real log in page, allowing it to capture credentials, mfa codes, an…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1557Adversary-in-the-Middle

40%

“a phaas kit designed to bypass multi - factor authentication ( mfa ). aside from stealing usernames and passwords, it also uses an adversary - in - the - middle ( aitm ) proxy that sits between the victim and the real log in page, allowing it to capture credentials, mfa codes, an…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1556.006Multi-Factor Authentication

34%

“a phaas kit designed to bypass multi - factor authentication ( mfa ). aside from stealing usernames and passwords, it also uses an adversary - in - the - middle ( aitm ) proxy that sits between the victim and the real log in page, allowing it to capture credentials, mfa codes, an…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

Summary

Tycoon 2FA was dismantled this week by law enforcement and industry partners including TrendAI™. The phishing-as-a-service platform offered MFA bypass services using adversary-in-the-middle (AitM) proxying.