Throughout 2025, Tycoon2FA (tracked by Microsoft as Storm-1747) has consistently been the most prolific phishing-as-a-service (PhaaS) platform observed by Microsoft. In October 2025, Microsoft Defender for Office 365 blocked more than 13 million malicious emails linked to s PhaaS platform was a major driver behind the surge of fake CAPTCHA phishing tactics. In October, more than 44% of all CAPTCHA-gated phishing attacks blocked by Microsoft were attributed to Tycoon2FA infrastructure.

One Tycoon2FA-driven campaign involved over 928,000 messages targeting organizations in 182 countries, using “DOCUMENT HERE” links and country-specific Google redirections to funnel targets to credential harvesting sites.

Tycoon2FA was also directly linked to nearly 25% of all QR code phishing attacks detected in October. The overall trend in QR code phishing showed that most attacks, regardless of actor, were delivered through PDF and DOC/DOCX attachments.

A significant number of Tycoon domains (40%) containing phishing content were hosted on second-level domains, such as .sa[.]com, .com[.]de, or .me[.]uk. Nearly a quarter of all Tycoon2FA-related phishing domains in October were hosted on .sa[.]com.

To defend against Tycoon2FA activity, organizations should prioritize robust security settings in Microsoft Defender for Office 365. Enabling phishing-resistant multifactor authentication (MFA) for accounts, adopting password-less solutions, maintaining up-to-date threat policies, and leveraging automated detection tools will further help limit attackers’ opportunities and strengthen overall resilience.
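As an added example (not Microsoft's code or detection logic), the following triage helper flags URLs from mail logs whose host sits under one of the second-level suffixes named above, matching on DNS labels so that a host merely ending in the same characters is not flagged. The function names and sample URLs are constructed for illustration; these suffixes also carry legitimate sites, so a hit is a signal for review and not a verdict.

```python
from collections import Counter
from urllib.parse import urlsplit

# Suffixes named in the post (written there defanged, e.g. .sa[.]com).
WATCHED_SUFFIXES = ("sa.com", "com.de", "me.uk")

def hostname_of(url: str) -> str:
    """Refang a possibly defanged URL and return its lowercase hostname."""
    s = url.strip().replace("[.]", ".").replace("[:]", ":")
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    if "://" not in s:
        s = "//" + s  # let urlsplit treat a bare host/path as a netloc
    return (urlsplit(s).hostname or "").rstrip(".").lower()

def watched_registrable(host: str):
    """Return (registrable_domain, suffix) if host is under a watched suffix."""
    labels = host.split(".")
    for suffix in WATCHED_SUFFIXES:
        want = suffix.split(".")
        # Compare whole labels: "constructedsa.com" must not match "sa.com".
        if len(labels) > len(want) and labels[-len(want):] == want:
            return ".".join(labels[-(len(want) + 1):]), suffix
    return None

def triage(urls):
    """Return (hits, per-suffix counts) for a batch of URLs."""
    hits, per_suffix = [], Counter()
    for url in urls:
        try:
            match = watched_registrable(hostname_of(url))
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        if match:
            hits.append((url, match[0]))
            per_suffix[match[1]] += 1
    return hits, per_suffix

# Constructed sample input, not real indicators.
SAMPLE_URLS = [
    "hxxps://docs.constructed-sample-a.sa[.]com/view?id=1",
    "https://constructed-sample-b.com.de/",
    "constructed-sample-c.me[.]uk/login",
    "https://www.constructedsa.com/",      # string ends in "sa.com", wrong label
    "https://example.org/sa.com/path",     # suffix appears only in the path
]

if __name__ == "__main__":
    hits, counts = triage(SAMPLE_URLS)
    for url, domain in hits:
        print(f"review: {domain:35} <- {url}")
    print(dict(counts))
```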
