Tycoon2FA Is Back Already: Why Your Microsoft 365 MFA Still Is Not Saving You
For years, the cyber security industry told people to turn on MFA and sleep better.
That advice was not wrong.
It was just incomplete.
Now here we are in March 2026, watching Tycoon2FA bounce back after a major disruption operation, and the lesson could not be clearer if it hit people in the face with a wet cod. Identity attacks are still the easiest route into far too many organisations, and plenty of businesses are still treating Microsoft 365 like a polite office suite instead of the front door to the company.
That is not a technical problem. That is a judgement problem.
Earlier this month, Microsoft, Europol, and partners announced a coordinated disruption against Tycoon2FA. Microsoft said the service was responsible for tens of millions of fraudulent emails reaching more than 500,000 organisations each month, and that by mid 2025 it accounted for around 62 percent of the phishing attempts Microsoft blocked. Europol said 330 domains were taken down. That sounds impressive, and to be fair, it is. But then the awkward bit arrived.
CrowdStrike says Tycoon2FA activity dropped sharply on 4 and 5 March 2026, down to roughly 25 percent of pre disruption levels, before returning to previous levels shortly after. In other words, the thing got punched, stumbled, and carried on.
So let’s stop pretending this is about one criminal platform having a lucky week. This is about a market that exists because businesses still make identity theft absurdly profitable.
What is Tycoon2FA, really?
At its core, it is a phishing as a service platform built to defeat MFA using adversary in the middle techniques. That means it does not simply steal your username and password like a cheap old phishing page from 2014. It sits in the middle of the login process, captures credentials and authentication tokens in real time, and then uses them to log in as the victim without setting off the kind of alarms people assume will save them.
That is why this matters to any UK business using Microsoft 365, Outlook, Entra ID, SharePoint, Teams, or cloud apps tied to single sign on. One compromised account is not just one inbox. It can be finance, files, contacts, Teams chats, supplier threads, payroll detail, customer documents, and all the trust relationships that come with them.
So ask yourself a simple question. If somebody got hold of one senior user’s Microsoft 365 session today, how much of your business would they see within ten minutes?
Would they find invoice approvals?
Would they find mailbox rules?
Would they find supplier conversations ripe for fraud?
Would they find Teams messages that tell them who does what and who panics under pressure?
Would they find password reset messages, sign in prompts, or documents that help them move further?
If the answer is “quite a lot”, then you are not alone. You are also not fine.
This is why Tycoon2FA is such a useful wake up call for UK SMBs. The technical trick matters, yes. But the bigger story is cultural. Too many firms still think of phishing as a user awareness problem and MFA as the magic plaster you slap on after the annual training session. Job done. Box ticked. Tea made.
Nonsense.
Modern phishing is about identity capture and session abuse. It is about getting through your user, not around them. It is about stealing trust in motion. A one time code or push prompt is helpful, but if the attacker sits in the session and grabs the token, your beloved second factor becomes less of a shield and more of a speed bump.
That does not mean MFA is pointless. Far from it. It means basic MFA alone is not enough.
The UK impact here is obvious. Microsoft 365 is everywhere. Small firms use it. Large firms use it. Schools, charities, legal practices, accountants, manufacturers, recruiters, estate agents, and MSPs use it. Some businesses have built their entire operating model around it. That makes identity the prize. Not the server room. Not the firewall. Not the crusty on premises box humming in a cupboard. The account.
And once an attacker lands in a mailbox, the fun really starts.
BEC, invoice fraud, thread hijacking, malicious SharePoint links, internal spear phishing, supplier impersonation. These are not exotic Hollywood scenarios. They are ordinary criminal workflows now. CrowdStrike says post disruption Tycoon2FA activity still included BEC phishing, email thread hijacking, SharePoint compromise and cloud account takeover. So while some people were still clapping the takedown press release, criminals were already getting back to work.
How very efficient of them.
This is where UK businesses need to get honest. Your Microsoft 365 tenant is not a toy. It is a business system packed with identity, communication, access, and trust. If your protections amount to “we use MFA” and “users did the training once”, you are still playing defence like it is 2019.
What should you be doing instead?
Start with phishing resistant MFA where you can. FIDO2 security keys and passkeys are better than codes and prompts because they are designed to resist these relay style attacks. Is it perfect everywhere yet? No. Is it better than app fatigue and one time codes? Yes, by a mile.
Then tighten conditional access properly. Block legacy authentication. Restrict risky sign ins. Require compliant devices where sensible. Watch for impossible travel and suspicious token use. Lock down admin roles. Reduce standing privilege. Build some friction into places that matter.
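As an added illustration (not code from the original article), here is a small audit script for the two conditional access gaps mentioned above: a legacy authentication block that was never moved out of report-only mode, and privileged roles that still get plain MFA rather than an authentication strength. The policy shape follows the Microsoft Graph conditionalAccessPolicy object; the sample tenant, role id and strength id are constructed placeholders.

```python
"""Audit Entra ID Conditional Access policies for the gaps the section above lists.
Policies use the Microsoft Graph conditionalAccessPolicy shape (state, conditions,
grantControls); the sample policy set is constructed, not exported from a real tenant."""
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # clientAppTypes that carry legacy auth

def _enabled(policy):
    return policy.get("state") == "enabled"  # report-only or disabled policies enforce nothing

def _scope_all(policy):
    c = policy.get("conditions", {})
    return ("All" in c.get("users", {}).get("includeUsers", [])
            and "All" in c.get("applications", {}).get("includeApplications", []))

def blocks_legacy_auth(policy):
    """True if this policy blocks legacy protocols for all users and all apps."""
    clients = set(policy.get("conditions", {}).get("clientAppTypes", []))
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    return (_enabled(policy) and _scope_all(policy)
            and LEGACY_CLIENTS <= clients and "block" in controls)

def admin_auth_strength(policy):
    """True if an enabled policy applies an authentication strength to directory roles."""
    roles = policy.get("conditions", {}).get("users", {}).get("includeRoles", [])
    return _enabled(policy) and bool(roles) and policy.get("grantControls", {}).get("authenticationStrength") is not None

def audit(policies):
    """Return the gaps a reviewer should raise for this policy set."""
    gaps = []
    if not any(blocks_legacy_auth(p) for p in policies):
        gaps.append("no enabled policy blocks legacy authentication for all users")
    if not any(admin_auth_strength(p) for p in policies):
        gaps.append("no enabled policy enforces an authentication strength on admin roles")
    return gaps

ALL = {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}}
WEAK_TENANT = [  # constructed: legacy-auth block left in report-only mode, plain MFA only
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {**ALL, "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "MFA for all", "state": "enabled",
     "conditions": {**ALL, "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
FIXED_TENANT = [{**WEAK_TENANT[0], "state": "enabled"}, WEAK_TENANT[1],
    {"displayName": "Phishing-resistant MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["<directory-role-template-id>"]},  # placeholder
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"id": "<phishing-resistant-strength-id>"}}},  # placeholder
]
```

Feed it the output of a Graph export of your own policies and `audit()` returns an empty list only when both controls are actually enforced, not merely configured.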
Also, monitor mailbox rule creation, suspicious forwarding, token replay patterns, and unusual cloud app consent. Too many firms only realise they have a Microsoft 365 problem after the invoices start changing or customers ask why they just got a weird link from the finance mailbox.
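As an added example (not from the original article or any vendor), the following script shows what monitoring mailbox rule creation and forwarding changes looks like in practice: it walks records in the shape of Microsoft 365 Unified Audit Log Exchange entries and flags rules that forward outside the tenant, hide mail from the victim, or filter on invoice keywords. The tenant domain, addresses and log records are constructed samples.

```python
"""Flag risky inbox-rule and forwarding changes in Microsoft 365 audit records.
Records mimic Unified Audit Log Exchange entries (Operation, UserId, Parameters as
Name/Value dicts); the tenant domain and addresses are hypothetical."""
INTERNAL_DOMAINS = {"example.co.uk"}  # assumption: the tenant's own accepted domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead"}  # rules that hide replies from the victim

def _params(record):
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def _is_external(address):
    addr = address.strip().lower().split(":")[-1]  # drop an "smtp:" prefix
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def assess_record(record):
    """Return the reasons this record looks like post-compromise mailbox abuse."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p, reasons = _params(record), []
    for name in sorted(FORWARD_PARAMS & set(p)):
        if any(_is_external(a) for a in p[name].split(";")):
            reasons.append(f"{name} to external address {p[name]}")
    if any(p.get(h, "False").lower() == "true" for h in HIDE_PARAMS):
        reasons.append("rule hides mail (DeleteMessage/MarkAsRead)")
    if reasons and p.get("SubjectContainsWords"):
        reasons.append(f"keyword filter '{p['SubjectContainsWords']}' suggests invoice interception")
    return reasons

def triage(records):
    """Map each UserId to the reasons its audit records were flagged."""
    hits = {}
    for r in records:
        if reasons := assess_record(r):
            hits.setdefault(r["UserId"], []).extend(reasons)
    return hits

SAMPLE_LOG = [  # constructed sample records, not real tenant data
    {"Operation": "New-InboxRule", "UserId": "cfo@example.co.uk", "Parameters": [
        {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
        {"Name": "ForwardTo", "Value": "relay@mail-drop.example"}, {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.co.uk", "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-Mailbox", "UserId": "finance@example.co.uk", "Parameters": [
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@mail-drop.example"}]},
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

Run on the sample, it flags the CFO's keyword-filtered, self-deleting forward and the finance mailbox's external SMTP forwarding, while the ordinary newsletter rule passes.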
That is not early detection. That is the cyber equivalent of noticing the house fire when the roof caves in.
User awareness still matters, of course. But it needs to reflect reality. Stop teaching people only to look for bad spelling and Nigerian princes. Modern phishing kits use polished pages, legitimate infrastructure, redirects, and stolen branding. Some attacks now arrive through conversations users already trust. A well timed “document shared with you” or “secure message” prompt still catches plenty of people, especially when they are busy, tired, or under pressure.
You know, human.
There is also a supplier angle. How many of your partners, accountants, solicitors, consultants, payroll providers, and outsourced teams use Microsoft 365 too? If one of them gets popped and your staff trust their email, how strong is your detection? How quickly would you spot a thread hijack? How quickly would your users challenge a payment change request or a document link that arrived in a real conversation?
This is why identity security cannot sit in a silo. It touches fraud, operations, compliance, customer trust, and board risk. A stolen session token can become a financial loss long before it becomes an “IT incident”.
The Tycoon2FA story also shreds another lazy myth, the one where disruption operations “solve” cybercrime. They do not. They are still valuable. They raise attacker costs, burn infrastructure, shake trust in the criminal marketplace, and buy defenders time. Microsoft’s action mattered. Europol’s action mattered. The UK participated too. Good. More of that please.
But you still have to use the time wisely.
Because if criminals can recover this quickly, then your defence cannot be built on the hope that law enforcement will keep the roads outside your house empty forever.
So what should a UK SMB do this week?
Review sign in logs. Review conditional access. Review user risk policies. Review mailbox forwarding and inbox rules. Review shared accounts. Review admin role assignments. Review how finance approvals happen. Review whether key staff can use phishing resistant authentication. Review whether you can spot suspicious SharePoint or OneDrive link abuse.
And then ask the more uncomfortable question.
If one account got compromised tomorrow, what would stop it becoming a money problem by lunch?
That is the question that matters.
Tycoon2FA is back because the economics still work. Steal identity, hijack trust, move fast, cash out. Until businesses treat identity as critical infrastructure, this cycle will carry on. New kit. New domains. Same old failure. Too much trust, too little verification, and far too many organisations still assuming that a login prompt with MFA means the person at the keyboard must be legitimate.
If only criminals were that considerate.
What UK businesses should do today
1. Stop calling MFA the finish line
It is a control. It is not a strategy.
2. Move toward phishing resistant authentication
Use passkeys or FIDO2 security keys where possible, especially for privileged users.
3. Tighten Microsoft 365 properly
Review conditional access, risky sign ins, mailbox rules, forwarding, and admin role sprawl.
4. Prepare for BEC, not just malware
Train finance and leadership teams to expect thread hijack, invoice fraud, and session based compromise.
5. Pressure test one compromised account
Run the scenario. What breaks first? What leaks first? What gets paid first?
Final thought
The most dangerous lie in cyber security is not “we are secure”.
It is “we have MFA, so we are probably alright”.
Tycoon2FA just reminded everyone how flimsy that sentence can sound.
Sources
| Source | Link |
|---|---|
| Microsoft disruption announcement | https://blogs.microsoft.com/on-the-issues/2026/03/04/how-a-global-coalition-disrupted-tycoon/ |
| Europol announcement on coordinated public and private action | https://www.europol.europa.eu/media-press/newsroom/news/global-phishing-service-platform-taken-down-in-coordinated-public-private-action |
| CrowdStrike analysis of Tycoon2FA persistence after disruption | https://www.crowdstrike.com/en-us/blog/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown/ |
| SecurityWeek summary of the post takedown resurgence | https://www.securityweek.com/tycoon-2fa-fully-operational-despite-law-enforcement-takedown/ |