What the Tycoon 2FA Takedown Didn’t Fix

Think the Tycoon 2FA takedown solved your risk? Stolen session tokens remain valid. Get the SOC-ready KQL queries and remediation steps to stay protected.

3/19/202610 min read

A beam of light refracting through a glass prism and splitting into data streams on a dark background.
A beam of light refracting through a glass prism and splitting into data streams on a dark background.

Security In Practice | CyOps Consulting Team

Infrastructure seizure stops new phishing messages from deploying. It does not revoke the session tokens already stolen during active campaigns. That distinction defines the operational gap that the Tycoon 2FA disruption announcement does not close.

Tycoon 2FA operated as PhaaS (Phishing-as-a-Service) infrastructure, an industrialised delivery mechanism for AiTM (Adversary-in-the-Middle) phishing. AiTM does not steal passwords. It relays authentication prompts in real time and captures the live session token after the user successfully authenticates. The MFA prompt fires, and the attacker captures the resulting token anyway (Microsoft 2026). The credential is not compromised. The session is.

Microsoft’s post-takedown tracking data confirms that Tycoon 2FA allowed threat actors to maintain persistence even after password resets unless sessions and tokens were explicitly revoked (Microsoft 2026). Treating this week’s Europol and Microsoft announcement as resolution misreads the risk. The takedown is not the story. What matters is what the takedown exposed.

Where Current Thinking Breaks

The working assumption in most identity programmes is simple: MFA is deployed, therefore phishing risk is mitigated. That assumption is incomplete when applied to AiTM-class attacks. The Canadian Centre for Cyber Security’s AiTM guidance, based on over 100 campaigns targeting Microsoft Entra ID accounts between 2023 and early 2025, shows that attackers have standardised their approach. They do not defeat MFA. They wait for users to complete it and then capture the resulting session token (Canadian Centre for Cyber Security 2025). MFA-enabled status answers a question attackers stopped asking.

Tycoon 2FA turned this technique into PhaaS infrastructure that is industrialised, commoditised, and accessible to threat actors without advanced technical capability. Vendor data suggests that approximately 30% of credential attacks in 2024 used PhaaS infrastructure, with projections approaching 50% in 2025 (Sakthivel 2024).

The threat model has shifted. The attacker doesn’t need to beat your MFA. They wait for you to beat it for them. This is not a theoretical gap. Here are the three ways it is playing out in practice.

Gap 1: FIDO2 Deployment Does Not Equal AiTM Protection in Mixed-Mode Configurations

Most enterprise FIDO2 deployments are incomplete in a specific way. Hardware keys are registered, but legacy fallback methods such as push notifications, one-time passwords, and SMS codes remain enabled in authentication policy. IOActive research published in February 2026 identified an authentication downgrade attack that exploits this configuration. A serverless transparent proxy operating on trusted CDN infrastructure intercepts the authentication flow and forces the user back to a phishable method, even when a FIDO2 hardware key is registered. The forensic footprint on that infrastructure is effectively zero (IOActive 2026).

The gap persists because FIDO2 rollouts are expensive and operationally disruptive. Organisations that complete hardware key deployment often assume the investment delivers full protection. Authentication policies that enforce hardware-key-only access for privileged accounts are not default configurations and require deliberate design decisions that many teams have not made (IOActive 2026).

The consequence is direct. An organisation that has completed a FIDO2 rollout and declared itself protected against AiTM may still be exploitable through the downgrade path. Logs will show a legitimate user authenticating with a legitimate method. There is no anomaly to detect.

What most coverage misses is the asymmetry. The downgrade attack does not break FIDO2 cryptography. It manipulates the authentication flow upstream of the cryptographic challenge, so detection logic focused on cryptographic anomalies will not trigger (IOActive 2026). Attacker tooling cost is near-zero, using free-tier serverless services. Defender remediation requires no new procurement, only a configuration change.

Action: Audit authentication policy configuration for privileged accounts. Determine whether hardware-key-only enforcement is in place or whether fallback methods remain available as downgrade paths. A tiered enforcement approach, starting with administrative accounts, reduces operational friction while addressing the highest-risk exposure first.

Gap 2: Stolen Session Tokens From Active Tycoon 2FA Campaigns Are Still Valid

As stated earlier, infrastructure seizure stops new phishing messages from deploying. It does not invalidate session tokens and cookies stolen during the active campaigns. Intelligence from exposed PhaaS operator panels revealed hundreds of thousands of captured credentials and authentication records, primarily tied to corporate email domains (TrendAI 2026). TrendAI warned explicitly that previously captured credentials and session cookies may remain circulation post-takedown (TrendAI 2026).

Identity teams typically lack operational runbooks for bulk token revocation following a threat infrastructure disruption. The event is treated as news rather than an operational trigger. There is no standard incident response (IR) playbook for this scenario, which makes the gap procedural rather than technical.

The consequence is direct. Organisations may currently have active attacker sessions tied to earlier campaigns if tokens have not been revoked. The attacker no longer needs the phishing infrastructure. The session persists until expiration or explicit invalidation.

Coverage of the takedown has described how the PhaaS infrastructure operated. It has not addressed the detection and revocation work now required. The detection signal for active token replay exists in the identity platform’s risk event logs, but only if teams know where to look and understand the false positive characteristics of that signal (Microsoft 2026a; Microsoft 2026b).

Run the detection queries below against the risk event log table. Prioritise detections at high risk level. Low and medium risk level detections carry an elevated false positive rate and should be treated as investigative leads (Microsoft 2026a). For accounts in healthcare, education, and finance verticals (sectors most heavily targeted per available partner intelligence), execute targeted bulk session revocation and forced re-authentication as a proactive measure regardless of whether the detection fires.

Note: Full visibility into anomalous token detections requires, at a minimum, an identity protection P2 licence entitlement; without it, detections surface without specificity (Microsoft 2026a).

Detection Queries: Anomalous Token Reuse (Entra ID / Log Analytics)

In Short

  • The takedown does not close the active threat window. Infrastructure seizure stops new phishing messages from deploying, but it does not invalidate session tokens stolen during active campaigns in Q4 2025 and Q1 2026. This window includes over three million phishing messages in February 2026 alone. Attacker sessions established before the disruption remain valid until explicitly revoked. Most identity teams do not have an IR runbook for this scenario. Proactive bulk session revocation is required now rather than after detection fires.

  • A completed FIDO2 rollout does not equal AiTM (Adversary-in-the-Middle) protection. A published, near-zero-cost downgrade attack can force authentication back to phishable fallback methods such as push, OTP, and SMS, even when a hardware key is registered. This occurs by intercepting the flow upstream of the cryptographic challenge on trusted CDN infrastructure. The forensic footprint is effectively zero. Hardware-key-only enforcement for privileged accounts is not the default and requires a deliberate policy decision that most teams have not made.

  • Default token lifetimes were not designed for a session-theft threat model. Default refresh token lifetimes allow attacker persistence through password resets and standard remediation cycles without triggering detection. Continuous Access Evaluation (CAE), which enables near real-time revocation without forcing constant re-authentication, is not enabled by default. Microsoft confirmed that the disrupted infrastructure allowed persistence even after passwords were reset. CAE is a configuration decision within existing platform capabilities and typically requires only a licensing entitlement check.

  • All three remediation actions require no new procurement. The Shadowserver Special Report (published 4 March 2026, 25,206 domain events across 237 national CSIRTs) is available free via national CSIRT request (AusCERT, NCSC-UK, CISA) or via a free Shadowserver subscription. Cross-reference against email gateway and DNS logs for Q4 2025 to Q1 2026, prioritise is_panel = Yes domains, and execute targeted bulk session revocation. Authentication policy audit and CAE enablement are configuration changes. The gap is prioritisation, not budget.

Primary

AADUserRiskEvents

| where RiskEventType == "anomalousToken"

| where RiskState == "atRisk"

| where RiskDetail !has "aiConfirmedSigninSafe"

| project TimeGenerated, UserPrincipalName, RiskLevel,

DetectionTimingType, IpAddress, Location,

CorrelationId, RequestId, RiskDetail

| order by RiskLevel desc, TimeGenerated desc

Correlated

AADUserRiskEvents

| where RiskEventType == "anomalousToken"

| where RiskState == "atRisk"

| where RiskDetail !has "aiConfirmedSigninSafe"

| project RiskTime = TimeGenerated, UserPrincipalName,

RiskLevel, CorrelationId, IpAddress

| join kind=inner (

SigninLogs

| where RiskEventTypes_V2 has "anomalousToken"

or isnotempty(RiskEventTypes_V2)

| project SigninTime = TimeGenerated, UserPrincipalName,

IPAddress, LocationDetails, DeviceDetail, AppDisplayName,

IncomingTokenType, UniqueTokenIdentifier,

TokenProtectionStatusDetails, RiskLevelDuringSignIn,

CorrelationId

) on CorrelationId

| order by RiskTime desc

Non-Interactive

AADNonInteractiveUserSignInLogs

| where RiskEventTypes_V2 has "anomalousToken"

or RiskEventTypes_V2 has "unfamiliarFeatures"

| where RiskLevelDuringSignIn in ("medium", "high")

| project TimeGenerated, UserPrincipalName, IPAddress,

LocationDetails, DeviceDetail, AppDisplayName,

IncomingTokenType, UniqueTokenIdentifier,

RiskEventTypes_V2, RiskLevelDuringSignIn

| order by TimeGenerated desc

The detection queries above are scoped to Microsoft Entra ID / Log Analytics. Equivalent anomalous token risk events exist in Okta’s ThreatInsight and System Log, and in Ping Identity’s audit logs; detection field names differ but the underlying risk event types are consistent. Entra ID specifics are prioritised here given the confirmed targeting of Microsoft-authenticated accounts in Tycoon 2FA campaigns.

Gap 3: Default Token Lifetime Configuration Is Not Calibrated for an AiTM Threat Model

Default enterprise identity platform refresh token lifetimes allow persistent access well beyond a single session. An attacker holding a stolen token can maintain access through password resets, security remediation cycles, and standard alerting cycles without triggering detection. Token lifetime policies are not treated as a priority in standard cloud platform hardening checklists. Those checklists were written when the primary threat was password compromise, not session token theft.

The reason is structural. Ownership of token lifetime configuration frequently lacks clear ownership across identity, endpoint, and cloud security teams (Microsoft 2026). Continuous Access Evaluation (CAE) enables near-real-time token revocation without requiring constant re-authentication and exists as a middle path between short token lifetimes and persistent session risk. It requires deliberate configuration, however, and is not enabled by default for all authentication scenarios. Most teams have not been required to make this configuration decision explicitly because the prevailing threat model did not demand it.

The consequence is not theoretical. Session token theft attacks present as legitimate authentication. Without tightened token lifetimes combined with anomalous session detection, an attacker can remain persistent through multiple remediation cycles. Microsoft confirmed that the disrupted PhaaS infrastructure allowed threat actors to establish persistence even after passwords were reset (Microsoft 2026).

Neither control requires new budget, a point that current coverage has not addressed. CAE is a configuration available within existing platform capabilities, subject to licensing entitlement verification (Microsoft 2026). Most teams have not audited whether these controls are active. That is the obstacle, not technical capability.

Two actions follow. First, audit current token lifetime policy settings, evaluate CAE configuration status, and verify licensing entitlement. Confirm whether CAE is enabled for the relevant authentication scenarios or whether default token lifetimes remain in place. Second, use the Shadowserver indicators of compromise (IOC) dataset to identify which accounts to prioritise for targeted session revocation before that configuration takes effect.

On 4 March 2026, Shadowserver published a Special Report containing 25,206 domain events across 237 National CSIRTs globally, covering domains assessed to have been used in the disrupted PhaaS infrastructure with registration start and end dates between 2023-03-19 and 2027-04-03 (Shadowserver Foundation 2026). Pull the hostname list, cross-reference against gateway and DNS query logs for the Q4 2025 to Q1 2026 window, prioritise domains where is_panel = Yes (confirmed command-and-control infrastructure) and execute targeted bulk session revocation for matched accounts.

Shadowserver Tycoon 2FA IOC Dataset: Access Pathways (Published 4 March 2026)

Operational caveat: This dataset identifies historical domain contact between first_seen_time and last_seen_time fields, which may indicate past or current malicious activity. It does not identify currently active attacker sessions. The cross-reference workflow produces a prioritised account list for targeted revocation, not a confirmed compromise list.

Cross-reference workflow

  1. Pull the hostname list from the 2026-03-04-special report.

  2. Cross-reference against email gateway logs, proxy logs, and DNS query logs for the Q4 2025 to Q1 2026 window.

  3. Match hits to user accounts, prioritising domains flagged is_panel = Yes.

  4. Execute targeted bulk session revocation for matched accounts.

Tactical and Programmatic Adjustments

This Week

Cross-reference employee email domains against the Shadowserver Tycoon 2FA Domains Special Report. These actions are scoped to organisations running the relevant enterprise identity platform. None of these actions requires procurement approval (Shadowserver Foundation 2026). Prioritise domains flagged is_panel = Yes. Cross-reference against email gateway, proxy, and DNS query logs for the Q4 2025 to Q1 2026 window. Execute targeted bulk session revocation and forced re-authentication for matched accounts. Bulk revocation creates user experience friction; a tiered rollout starting with privileged accounts reduces operational disruption.

For accounts in healthcare, education, and finance verticals, execute targeted session revocation as a proactive measure regardless of whether the domain cross-reference produces hits, based on available threat intelligence on sector targeting.

Audit authentication policy configuration for privileged and administrative accounts. Determine whether hardware-key-only authentication enforcement is in place or whether legacy fallback methods remain available as downgrade paths (IOActive 2026). Hardware-key-only enforcement will generate helpdesk load; a documented exception and escalation path must be in place before enforcement is activated.

Review CAE enablement status and licensing entitlement. Determine whether near-real-time token revocation is active for the relevant authentication scenarios or whether default token lifetimes remain in place (Microsoft 2026a; Microsoft 2026b). CAE is not supported across all licensing tiers, verify entitlement before committing to it as a control.

This Quarter

Develop an IR runbook specifically for post-takedown token revocation. Define the trigger condition, domain cross-reference workflow, session revocation scope decision, and re-authentication method. This event demonstrates the scenario is a recurring operational requirement, not an anomaly.

Add token lifetime policy review as a standing item on the cloud platform hardening checklist. The current checklist was written for a password-compromise threat model and does not address session token persistence (Microsoft 2026a; Microsoft 2026b).

Begin tiered hardware-key-only authentication enforcement in the authentication policy, starting with administrative and privileged accounts, and document the helpdesk load mitigation approach before expanding to broader account tiers (IOActive 2026).

6—12 Months

Shift the identity programme's primary audit question from "Is MFA enabled?" to "What is our session token lifetime, and do we have anomalous token reuse detection configured and scoped to high-risk events?" Integrate AiTM-specific detection logic into incident response playbooks, covering three specifics. First, the anomalousToken risk event type in the identity platform's risk event log table. Second, filtering to RiskLevel == "high" to manage false positive rate. Third, correlation via CorrelationId to sign-in context for full investigative fidelity (Microsoft 2026a).

Two Questions That Determine AiTM Readiness

Two questions determine whether your organisation has an adequate AiTM threat model:

  1. how long does a stolen session token remain valid?

  2. what detection logic fires before it expires?

An organisation that can answer both is operating at an appropriate threat model. One that cannot has a structural gap that no external takedown closes.

MFA deployment is a hygiene baseline. AiTM protection is a session control architecture problem. They are not the same investment and conflating them produces a false sense of programme maturity. A takedown disrupts infrastructure. It does not revoke the tokens that infrastructure already stole. The maturity distinction is not tool deployment. It is whether your organisation has answered both questions and acted on the answers.

Forward Risk Signal

The AiTM PhaaS operational model predates this specific infrastructure and will outlast it. Over 100 campaigns targeting enterprise identity accounts were documented between 2023 and early 2025 (Canadian Centre for Cyber Security 2025), well before this operation reached scale. The three identity architecture gaps it exposed are not specific to the disrupted infrastructure; they are exploitable by any AiTM-capable threat actor running successor operations. The low cost of successor tooling and the documented campaign volume make that a reasonable operational expectation.

Three signals are worth tracking. First, FIDO2 downgrade technique adoption in active campaigns, given that the tooling is published and available at no cost (IOActive 2026). Second, anomalousToken risk events at high risk level in the identity platform's sign-in log telemetry, as the ongoing detection signal for residual session activity and any successor campaigns (Microsoft 2026a; Microsoft 2026b). Third, the emergence of replacement PhaaS infrastructure. All three countermeasures that address these signals require no new budget. The gap is prioritisation, not procurement.

Special thanks to Coursera for supporting today’s content.

Brought to by the CyOps Consulting Team. Discover our most recent publication.

CyOps Consulting – Trusted Advice. Proven Expertise. Practical Solutions.

Get in touch today to strengthen your cyber security posture with confidence.

© 2026 CyOps Consulting. All rights reserved.

Looking for a hosting deal? Get our exclusive 20% discount at Hostinger.

Terms and Conditions | Disclaimer | Privacy Policy

Partners