‘Tycoon 2FA’ Phishing-as-a-Service Evolves to Evade Security Tools, Barracuda Warns
Tycoon 2FA uses Microsoft 365 session cookies to gather and use, allowing attackers to intercept and get around two factor authentication (2FA) security protections.

The widely used Tycoon 2FA Phishing-as-a-Service (PhaaS) has been updated with a range of tactics designed to make it harder for security tools to confirm its malicious intent and inspect its webpages, according to a new research report from Barracuda’s threat analysts. The findings underscore how PhaaS developers are investing significant resources into building advanced and evasive toolsets and templates to enable cyber attackers to quickly deploy complex and targeted phishing campaigns.
According to Barracuda threat analysts, around 30% of the credential attacks seen in 2024 made use of PhaaS and this is expected to rise to 50% in 2025.
Tycoon 2FA allows attackers to intercept and bypass two factor authentication (2FA) security measures by collecting and using Microsoft 365 session cookies. In early November 2024, Barracuda threat analysts noted a rise in the use of a new version of Tycoon 2FA that is stealthier than earlier editions and makes use of a range of sophisticated tactics to obstruct detection and analysis.
These tactics include the use of legitimate, and possibly compromised, email accounts to launch phishing attacks, as well as specially crafted source code designed to obstruct web page analysis. Additionally, cybercriminals have implemented measures to block automated security scripts and penetration-testing tools, further complicating detection. Some variants listen for keystrokes that suggest web inspection and subsequently block any further activity. Other techniques include disabling the right-click menu to conceal a webpage’s true intent and blocking users from copying meaningful text for offline analysis.
“Phishing has evolved into a complex and sophisticated attack vector that is increasingly well resourced,” said Deerendra Prasad, Associate Threat Analyst at Barracuda. “PhaaS groups play a key role in this new ecosystem, and we expect their role to increase. We have observed Tycoon 2FA used in numerous phishing campaigns over the past months and expect cyber attackers to continue to refine their methods to circumvent traditional security measures and thwart deeper analysis. It is essential to have agile and innovative multilayered defense strategies in place and foster a strong security culture to stay ahead of this ever-evolving threat.”