
Jan 23, 2026 · 5 min read

That Email From Your Company's Domain? It Might Be From a Hacker Using Tycoon2FA

Phishing as a service platforms are making domain spoofing attacks available to anyone with $120.

Microsoft just disclosed a surge in phishing attacks in which fraudulent emails appear to come from inside the recipient's own organization. The campaigns are run with a phishing as a service platform called Tycoon2FA, and Microsoft blocked more than 13 million of these emails in a single month. The attacks exploit misconfigured email routing and unenforced sender authentication to bypass controls that most organizations assume are protecting them.


What Is Phishing as a Service?

Phishing as a service, or PhaaS, refers to platforms that let anyone launch sophisticated phishing campaigns without technical expertise. Tycoon2FA sells ready to use phishing pages for Microsoft 365 and Gmail accounts through Telegram. Prices start at $120 for 10 days of access.

These platforms provide customizable templates, infrastructure for hosting fake login pages, credential theft mechanisms, and even adversary in the middle attacks that can bypass multi factor authentication. What once required skilled hackers is now available to anyone willing to pay.

How the Domain Spoofing Attack Works

The attacks Microsoft identified exploit a specific misconfiguration rather than a software flaw: organizations that route inbound email through on premises Exchange servers or third party services before it reaches Microsoft 365. When the domain's MX records do not point directly to Microsoft 365, and SPF and DMARC are not strictly enforced along that path, attackers can deliver messages that appear to originate from the target's own domain.

Imagine receiving an email from hr@yourcompany.com about a password reset, or from finance@yourcompany.com with an urgent invoice. The message clears the basic checks because the sender address matches your own domain and no policy rejects the forgery. But the link leads to a Tycoon2FA phishing page built to harvest your credentials.

The phishing messages use common lures: document sharing requests, HR communications, invoices, password resets, and voicemail notifications. Once credentials are stolen, attackers can access email accounts, steal data, or launch business email compromise attacks against partners and customers.

Bypassing Multi Factor Authentication

Tycoon2FA is particularly dangerous because it defeats the most common forms of multi factor authentication. The kit acts as an adversary in the middle: the phishing page is a reverse proxy that relays everything you type to the real login service in real time. When you enter your password and one time code, Tycoon2FA submits them to the genuine login page before the code expires and captures the session cookie the service issues. That cookie, not your password, is what the attacker walks away with, and it grants access to the account without a further MFA prompt.

A more advanced feature is the kit's ability to parse the error messages the real login service returns during the relayed sign in. From those errors it can infer an organization's specific security policies and adjust the attack to get around custom protections.
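To make the relay concrete, here is a toy model of the exchange, written for this article as an added example; it is not Tycoon2FA code, and the identity provider, origins, account and secrets are all made up. It also shows the flip side, why phishing resistant MFA survives the same relay: the proxy forwards a password and TOTP code and ends up holding a valid session cookie, but a FIDO2 style assertion produced on the phishing origin is rejected by the real service, because the browser signs the origin it is actually on and the user cannot change that. HMAC stands in for the authenticator's public key signature to keep the example short.

```python
"""Toy adversary-in-the-middle (AiTM) relay. Constructed example, not Tycoon2FA code;
the IdP, origins, user and secrets are made up. Shows why a relayed password + TOTP
code yields a live session while a relayed FIDO2/WebAuthn assertion is rejected."""
import hashlib
import hmac
import json
import secrets
import struct
import time

REAL_ORIGIN = "https://login.example.com"    # hypothetical legitimate sign-in page
PHISH_ORIGIN = "https://login-example.com"   # hypothetical look-alike phishing host


def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", int(t // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _sign(key, client_data):
    # Simplification: HMAC stands in for the authenticator's public-key signature over
    # hash(clientDataJSON); a real authenticator also scopes the credential to the rpId.
    return hmac.new(key, hashlib.sha256(client_data.encode()).digest(), hashlib.sha256).digest()


def browser_fido_assertion(fido_key, origin, challenge):
    """The browser records the origin it is actually on; the user cannot override it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    return client_data, _sign(fido_key, client_data)


class IdentityProvider:
    """Stand-in for the real login service at REAL_ORIGIN."""

    def __init__(self):
        self.users = {"alice": {"password": "correct horse", "totp_secret": secrets.token_bytes(20),
                                "fido_key": secrets.token_bytes(32)}}
        self.sessions = set()

    def _issue_session(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_otp(self, user, password, code, now):
        """Password + TOTP: nothing binds the code to the page the user typed it on."""
        u = self.users.get(user)
        if u is None or password != u["password"] or totp(u["totp_secret"], now) != code:
            return None
        return self._issue_session()

    def fido_challenge(self):
        return secrets.token_hex(16)

    def login_fido(self, user, challenge, client_data, signature):
        """WebAuthn-style check: the signed clientData must name *this* origin."""
        u = self.users.get(user)
        data = json.loads(client_data)
        if u is None or data["challenge"] != challenge or data["origin"] != REAL_ORIGIN:
            return None                       # assertion was produced for another site
        if not hmac.compare_digest(_sign(u["fido_key"], client_data), signature):
            return None
        return self._issue_session()


class AitmProxy:
    """Attacker's reverse proxy on PHISH_ORIGIN: forwards victim input to the real IdP."""

    def __init__(self, idp):
        self.idp, self.stolen_cookies = idp, []

    def relay(self, login, *args):
        """Submit whatever the victim typed to the real IdP and keep any session it issues."""
        cookie = login(*args)
        if cookie:
            self.stolen_cookies.append(cookie)   # attacker now holds a logged-in session
        return cookie


def demo(now=None):
    """Run both relays against a fresh IdP; report which one produced a valid session."""
    now = time.time() if now is None else now
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    victim = idp.users["alice"]   # stands in for the victim's authenticator app and security key
    # 1. Victim types password + current code into the fake page; proxy replays them in time.
    otp_cookie = proxy.relay(idp.login_otp, "alice", "correct horse", totp(victim["totp_secret"], now), now)
    # 2. Victim taps a security key on the fake page; the browser is on PHISH_ORIGIN.
    challenge = idp.fido_challenge()   # proxy fetched the real challenge and showed it on the fake page
    client_data, sig = browser_fido_assertion(victim["fido_key"], PHISH_ORIGIN, challenge)
    fido_cookie = proxy.relay(idp.login_fido, "alice", challenge, client_data, sig)
    return {"otp_relayed": otp_cookie in idp.sessions,
            "fido_relayed": fido_cookie in idp.sessions,
            "stolen_cookies": len(proxy.stolen_cookies)}


if __name__ == "__main__":
    print(demo())   # {'otp_relayed': True, 'fido_relayed': False, 'stolen_cookies': 1}
```

The point of the model is the origin field: a TOTP code is just six digits that any page can collect and forward, whereas the WebAuthn client data is assembled by the browser from the page it is really on, so the real service sees `login-example.com` and refuses. Number matching and Conditional Access narrow the window further but do not change this basic property.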

Who Is Being Targeted

Microsoft reports these attacks target a wide variety of organizations across multiple industries. Financial scams are common, with attackers impersonating executives to request wire transfers or sensitive information. The manufacturing sector has been hit particularly hard, facing the highest volume of email based attacks for six consecutive quarters.

The scale is significant. Microsoft blocked over 13 million Tycoon2FA related emails in October 2025 alone, and attack volume has surged since May 2025.

How to Protect Your Organization

Microsoft recommends several defensive measures:

  • Publish an SPF record that ends in -all (hard fail) and a DMARC policy of p=reject, so that unauthenticated mail claiming your domain is rejected rather than quarantined or merely reported
  • Point MX records directly to Microsoft 365 when possible
  • Properly configure any third party email connectors so that only your legitimate relay is trusted to submit mail as your domain
  • Disable Direct Send if you do not need it, so that messages spoofing your domain cannot be injected through it
  • Deploy phishing resistant MFA such as FIDO2 security keys
  • Implement Conditional Access policies and MFA number matching

The fundamental defense is proper email authentication. If your organization has not moved to a DMARC reject policy backed by a hard fail SPF record, you remain exposed to domain spoofing no matter what other security controls are in place.
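A quick way to check the first four items against a domain's published records, as an added example for this article rather than Microsoft tooling. The SPF, DMARC and MX values below are constructed for example.com (the `example-com.mail.protection.outlook.com` host name is illustrative); in a real audit you would pull them with DNS TXT and MX queries. The checker flags anything short of `-all`, anything short of `p=reject` (including the subdomain policy and `pct`), and any MX host that is not an Exchange Online Protection endpoint, which is the indirect routing the attacks rely on.

```python
"""Audit SPF, DMARC and MX for the strict posture recommended above.
Constructed example for this article, not Microsoft tooling; records are inline and
made up for example.com. Findings are (code, detail) pairs; [] means the posture is strict."""
EOP_MX_SUFFIX = ".mail.protection.outlook.com"   # Exchange Online Protection MX hosts


def parse_spf(txt):
    """Return the qualifier of the 'all' mechanism ('-', '~', '?', '+') or None if absent."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        t = term.lower()
        if t in ("all", "+all", "-all", "~all", "?all"):
            return t[0] if t[0] in "+-~?" else "+"   # a bare 'all' means pass (+)
    return None


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit_domain(spf, dmarc, mx_hosts):
    findings = []
    # SPF: anything short of -all lets an unlisted sender through as softfail or neutral.
    if spf is None:
        findings.append(("SPF_MISSING", "no v=spf1 record"))
    else:
        q = parse_spf(spf)
        if q != "-":
            findings.append(("SPF_NO_HARDFAIL", f"'all' qualifier is {q!r}, expected '-all'"))
    # DMARC: only p=reject (and sp=reject for subdomains, at pct=100) blocks spoofed mail.
    if dmarc is None:
        findings.append(("DMARC_MISSING", "no v=DMARC1 record at _dmarc"))
    else:
        tags = parse_dmarc(dmarc)
        p = tags.get("p", "none").lower()
        sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
        pct = int(tags.get("pct", "100"))
        if p != "reject":
            findings.append(("DMARC_NOT_REJECT", f"p={p}"))
        if sp != "reject":
            findings.append(("DMARC_SUBDOMAIN_NOT_REJECT", f"sp={sp}"))
        if pct != 100:
            findings.append(("DMARC_PARTIAL", f"pct={pct}"))
    # MX: a relay in front of Microsoft 365 must itself enforce spoof protection.
    for host in mx_hosts:
        if not host.lower().rstrip(".").endswith(EOP_MX_SUFFIX):
            findings.append(("MX_INDIRECT", f"{host} is not an Exchange Online Protection host"))
    return findings


# Constructed records: a weak posture and the corrected one.
WEAK = dict(
    spf="v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 ~all",
    dmarc="v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    mx_hosts=["mail.example.com", "example-com.mail.protection.outlook.com"],
)
STRICT = dict(
    spf="v=spf1 include:spf.protection.outlook.com -all",
    dmarc="v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
    mx_hosts=["example-com.mail.protection.outlook.com"],
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("strict", STRICT)):
        print(name, audit_domain(**cfg))
```

The weak configuration is exactly the shape the campaign needs: `~all` means a forged sender is only softfailed, `p=none` means DMARC reports but never rejects, and the `mail.example.com` MX puts a relay in front of Microsoft 365 that has to enforce spoof protection itself. Fixing any one of the three narrows the attack; fixing all three closes it.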

The Bigger Picture

Phishing as a service represents a democratization of cybercrime. Sophisticated attacks that once required expertise are now subscription services. The barriers to entry have collapsed, and the volume of attacks will only increase.

For individuals, this means increased vigilance. Even emails from apparently legitimate internal senders deserve scrutiny. Check URLs carefully before clicking; a login page on any domain other than your organization's usual sign in domain is a red flag. When in doubt, verify requests through a separate channel. And know that multi factor authentication, while still valuable, is not the impenetrable shield it once appeared to be: one time codes and push approvals can be relayed in real time, which is why phishing resistant methods such as FIDO2 keys matter.