Barracuda Networks reports in a new study that the updated Phishing-as-a-Service (PhaaS) platform “Tycoon 2FA” has become a powerful tool for cybercriminals. The latest version uses advanced techniques to bypass two-factor authentication (2FA) and evade detection by security tools.
What is PhaaS and Tycoon 2FA?
PhaaS platforms like Tycoon 2FA provide ready-made toolsets for conducting sophisticated phishing campaigns. These platforms lower the barrier for attackers targeting both organizations and individuals. According to Barracuda analysts, PhaaS was involved in roughly 30 percent of phishing attacks during 2024, and that share is expected to grow to about 50 percent in 2025.

The latest release of Tycoon 2FA is specifically designed not only to bypass 2FA but also to harvest credentials by exploiting session cookies from Microsoft 365. To make detection and analysis more difficult, the platform includes several advanced features:
- Sending attacks from legitimate-looking email accounts that are likely compromised
- Modified source code that complicates analysis of malicious webpages
- Blocking of automated security scripts and penetration testing tools
- Detection of mouse movements to identify inspection and block further activity
- Disabling right-click context menus and preventing text from being copied from pages
A growing threat
“Phishing has evolved into a complex and sophisticated attack method where criminals have access to increasingly advanced resources. PhaaS groups play a central role in this ecosystem, and we expect their importance to grow. We have observed Tycoon 2FA in multiple phishing campaigns in recent months and see continued development of techniques to bypass traditional security measures,” says Deerendra Prasad, threat analyst at Barracuda.
Klas Palmér, security expert at Barracuda in Sweden, adds:
“Many organizations still view two-factor authentication as a reliable barrier against phishing attacks. But Tycoon 2FA demonstrates that these protections can be circumvented. Multifactor authentication must therefore be complemented by advanced, flexible, and innovative defensive solutions. More sophisticated phishing campaigns mean we must continue to educate and equip ourselves for an increasingly complex threat landscape.”
How to protect yourself
To counter the threat posed by PhaaS and Tycoon 2FA, Barracuda recommends the following measures:
- Use multifactor authentication. Despite Tycoon 2FA’s capabilities, MFA remains important when combined with other defenses.
- Deploy advanced security solutions. Modern defenses can analyze and block malicious webpages and email.
- Train employees. Ongoing awareness and training help staff recognize phishing attempts and respond correctly.
Adopting layered defenses—combining strong authentication, modern email and web security, real-time monitoring, and continuous user education—reduces the likelihood that attackers using PhaaS platforms like Tycoon 2FA will succeed. Organizations should regularly review and adapt their security controls to address evolving phishing techniques and ensure incident response plans are up to date.