
Case 06 — Tycoon 2FA / EvilProxy AiTM Phishing

Sources: Proofpoint EvilProxy series (2023 onward), Mandiant Tycoon 2FA (2024), Sekoia.io (2024-Q4), Microsoft Threat Intelligence.

Background

AiTM (Adversary-in-the-Middle) phishing is currently the most efficient industrialized way to bypass MFA. Attackers run reverse proxies (Tycoon 2FA, EvilProxy, Mamba 2FA, Greatness, Strox) that forward the victim's credentials and MFA codes in real time to the genuine Microsoft 365 or Google Workspace login. After the victim completes MFA, the proxy keeps the session cookie the real service returns. The attacker injects that cookie into their own browser and gains full account access without ever having to pass MFA themselves.

Since 2024, Tycoon 2FA hosts thousands of new phishing domains every week. Subscriptions cost $200-300, dramatically lowering the bar for entry.

Email indicators

  • Subjects: "Voicemail received", "DocuSign: Please review", "Microsoft Teams: New message", "Shared file: Quarterly Report"
  • Multi-hop redirect chain: email → URL shortener / Cloudflare Worker → Turnstile → AiTM domain
  • AiTM domain naming: lookalike subdomains such as login-microsoftonline.<random>.com or mfa-verify.<workers.dev>
  • Domain age usually under 7 days
  • TLS via Let's Encrypt — fully valid certificate

Animated walkthrough

Attack simulation: Tycoon 2FA / EvilProxy AiTM phishing

  1. Attacker: buy a Tycoon 2FA subscription
  2. Attacker: send voicemail / document-share phishing email
  3. Victim: click link, see a Microsoft login page
  4. Victim: enter credentials
  5. Attacker: proxy forwards in real time to real Microsoft
  6. Victim: complete MFA
  7. Attacker: steal session cookie and inject into attacker browser
  8. Vigilyx: blocks at the email layer. link_scan detects shortener-plus-Worker hops, landing_page_scan identifies AiTM proxy fingerprints, intel matches known Tycoon infrastructure, content_scan triggers on voicemail/MFA terms; fused to High or Critical

Illustrative animation — all indicators sanitized, for research & training only

Vigilyx detection coverage

Vigilyx counters Tycoon-class platforms with three complementary layers: redirect-chain analysis, landing-page fingerprinting, and known-infrastructure intelligence:

  • URL multi-hop analysis — link_scan follows redirects and identifies shortener + Cloudflare Worker + lookalike combinations (crates/vigilyx-engine/src/modules/link_scan.rs)
  • Landing-page content fingerprints — landing_page_scan fetches the final page and matches AiTM reverse-proxy traits, missing CSP, and abnormal cross-origin asset signatures (crates/vigilyx-engine/src/modules/landing_page_scan.rs)
  • Dedicated AiTM detection — aitm_detect analyzes OAuth login form action domains for anomalies (crates/vigilyx-engine/src/modules/aitm_detect.rs)
  • New-domain detection — intel checks WHOIS/RDAP and raises risk for domains under 7 days old (crates/vigilyx-engine/src/intel.rs)
  • Tycoon infrastructure intel — OTX/AbuseIPDB continuously tag known Tycoon 2FA infrastructure; a hit in intel immediately escalates to Critical (crates/vigilyx-engine/src/intel.rs)
  • Voicemail / MFA / share keyword set — content_scan ships dedicated lists for these phishing themes (crates/vigilyx-engine/src/modules/content_scan/detectors.rs)

In real-world Tycoon 2FA waves throughout 2025, Vigilyx detection was driven mainly by landing_page_scan AiTM fingerprinting — even brand-new domains registered the same day (no IOC coverage) were caught the moment the landing page was fetched.
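The following is an added example, not Vigilyx code, showing how the redirect-chain checks listed above (shortener hops, Cloudflare Worker hosts, lookalike Microsoft hostnames, domains under 7 days old) and the three-or-more-hops Medium baseline from the Defense section can be fused into a single verdict. The hop list, reference lists, weights and thresholds are all constructed for illustration; the real engine's weights and feeds are not on this page.

```python
"""Redirect-chain scorer (added example; not the Vigilyx engine's own code)."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed reference lists; a real engine loads these from its feeds.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly"}
WORKER_SUFFIXES = (".workers.dev",)
GENUINE_LOGIN_DOMAINS = {"microsoftonline.com", "live.com", "microsoft.com"}
LOOKALIKE_TOKENS = ("microsoftonline", "microsoft", "office365", "mfa-verify")
NEW_DOMAIN_DAYS = 7          # the page's "domain age under 7 days" indicator
HOP_BASELINE = 3             # the page's "three or more redirect hops" rule


@dataclass
class Hop:
    url: str
    domain_age_days: Optional[int] = None   # from RDAP/WHOIS; None = unknown


@dataclass
class Verdict:
    score: int
    level: str
    reasons: List[str] = field(default_factory=list)


def hostname(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    # Simplification: last two labels. A real implementation consults the
    # Public Suffix List so that e.g. co.uk is handled correctly.
    return ".".join(host.split(".")[-2:])


def level_for(score: int) -> str:
    # Constructed thresholds: >=40 Medium (the hop baseline alone), >=60 High, >=80 Critical.
    if score >= 80:
        return "Critical"
    if score >= 60:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low"


def score_chain(hops: List[Hop]) -> Verdict:
    """Walk the resolved redirect chain and fuse the indicators into one verdict."""
    if not hops:
        return Verdict(0, "Low", ["empty chain"])
    score, reasons = 0, []
    if len(hops) >= HOP_BASELINE:
        score += 40
        reasons.append(f"{len(hops)} redirect hops (>= {HOP_BASELINE} sets Medium baseline)")
    for i, hop in enumerate(hops, 1):
        host = hostname(hop.url)
        if host in SHORTENER_HOSTS:
            score += 10
            reasons.append(f"hop {i}: URL shortener {host}")
        if host.endswith(WORKER_SUFFIXES):
            score += 20
            reasons.append(f"hop {i}: Cloudflare Worker host {host}")
        if hop.domain_age_days is not None and hop.domain_age_days < NEW_DOMAIN_DAYS:
            score += 20
            reasons.append(f"hop {i}: domain registered {hop.domain_age_days} days ago")
    # Lookalike check on the landing host only: a Microsoft-sounding hostname
    # whose registrable domain is not Microsoft's is the AiTM naming pattern.
    final_host = hostname(hops[-1].url)
    if registrable_domain(final_host) not in GENUINE_LOGIN_DOMAINS and any(
        token in final_host for token in LOOKALIKE_TOKENS
    ):
        score += 40
        reasons.append(f"landing host {final_host} imitates a Microsoft sign-in domain")
    return Verdict(score, level_for(score), reasons)


# Constructed sample chains (the AiTM hostnames are invented, not real IoCs).
TYCOON_STYLE_CHAIN = [
    Hop("https://bit.ly/3xvoice"),
    Hop("https://voicemail-notice.abc.workers.dev/r"),
    Hop("https://login-microsoftonline.xk2p.com/common/oauth2", domain_age_days=2),
]
GENUINE_LOGIN = [Hop("https://login.microsoftonline.com/common/oauth2/v2.0/authorize")]
SHORTENED_REPORT = [Hop("https://bit.ly/q4rep"), Hop("https://example.com/q4.pdf", domain_age_days=4000)]

if __name__ == "__main__":
    for name, chain in (("tycoon-style", TYCOON_STYLE_CHAIN), ("genuine", GENUINE_LOGIN), ("shortened", SHORTENED_REPORT)):
        v = score_chain(chain)
        print(f"{name}: {v.level} ({v.score})")
        for r in v.reasons:
            print("  -", r)
```

The lookalike test is deliberately applied to the registrable domain rather than to the full hostname, so that a genuine subdomain of microsoftonline.com never trips it while login-microsoftonline.<random>.com and mfa-verify.<random>.workers.dev both do.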

Defense

  • Identity layer (most important) — deploy phishing-resistant MFA (FIDO2 hardware keys, passkeys, Windows Hello). FIDO2 includes the origin in the data the authenticator signs, so a reverse-proxy domain cannot obtain a signature that verifies for the genuine site.
  • Gateway — make landing_page_scan mandatory; treat any email with three or more redirect hops as Medium baseline.
  • Training — before signing in to any Microsoft service, verify the address bar shows login.microsoftonline.com or login.live.com. Anything else is an attack.
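To make the identity-layer point concrete, here is an added example (not Vigilyx code and not a WebAuthn library) that models the two checks which stop a reverse proxy from relaying a FIDO2 assertion: the browser refuses to create an assertion unless the requested rpId matches the page it is actually on, and the relying party rejects any clientDataJSON whose origin is not its own before it even looks at the signature. The authenticator's ECDSA key pair is replaced by an HMAC secret shared at registration, a constructed stand-in so the example runs with the standard library only; the proxy hostname, challenge value and RP identifier are assumptions.

```python
"""Why AiTM cannot relay a FIDO2/WebAuthn assertion (added example)."""
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

RP_ID = "login.microsoftonline.com"                     # relying-party identifier
RP_ORIGIN = "https://" + RP_ID                          # the only origin the RP accepts
PROXY_ORIGIN = "https://login-microsoftonline.xk2p.com" # constructed AiTM host (not a real IoC)
CHALLENGE = "c3VwZXItcmFuZG9t"                          # constructed; real RPs use fresh random bytes


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Toy authenticator. The HMAC secret stands in for the private key that
    never leaves real hardware; what matters here is WHAT is signed."""

    def __init__(self) -> None:
        self.secret = os.urandom(32)

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> Tuple[bytes, bytes]:
        # authenticatorData begins with SHA-256(rpId); flags and counter are simplified.
        auth_data = sha256(rp_id.encode()) + b"\x01" + (1).to_bytes(4, "big")
        # The signature covers authenticatorData || SHA-256(clientDataJSON).
        signature = hmac.new(self.secret, auth_data + sha256(client_data_json), "sha256").digest()
        return auth_data, signature


def browser_get(authn: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """Models navigator.credentials.get(): the browser, not the page, fills in
    the origin, and it refuses an rpId that is not the page host or a
    registrable suffix of it."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId %r is not a suffix of %r" % (rp_id, host))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    auth_data, signature = authn.get_assertion(rp_id, client_data)
    return client_data, auth_data, signature


def rp_verify(secret: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, signature: bytes) -> Tuple[bool, str]:
    """Relying-party checks in WebAuthn order: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != sha256(RP_ID.encode()):
        return False, "rpIdHash mismatch"
    expected = hmac.new(secret, auth_data + sha256(client_data), "sha256").digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature invalid"
    return True, "ok"


def login_direct(authn: Authenticator) -> Tuple[bool, str]:
    """User is on the genuine origin: everything lines up."""
    cd, ad, sig = browser_get(authn, RP_ORIGIN, RP_ID, CHALLENGE)
    return rp_verify(authn.secret, CHALLENGE, cd, ad, sig)


def login_via_proxy(authn: Authenticator) -> Tuple[Optional[str], Tuple[bool, str]]:
    """The proxy relays the RP's real challenge to a victim whose browser is on
    PROXY_ORIGIN. Returns the browser's refusal, then the RP's verdict on the
    best the proxy page can do (ask for an rpId it is allowed to use)."""
    refused: Optional[str] = None
    try:
        browser_get(authn, PROXY_ORIGIN, RP_ID, CHALLENGE)   # step 1: browser says no
    except PermissionError as exc:
        refused = str(exc)
    # Step 2: the proxy page asks for its own rpId; the browser allows that,
    # but the signed clientDataJSON now carries the proxy origin.
    cd, ad, sig = browser_get(authn, PROXY_ORIGIN, "xk2p.com", CHALLENGE)
    return refused, rp_verify(authn.secret, CHALLENGE, cd, ad, sig)


if __name__ == "__main__":
    key = Authenticator()
    print("direct login:", login_direct(key))
    print("via AiTM proxy:", login_via_proxy(key))
```

Contrast this with the session-cookie flow in the Background section: a TOTP code or push approval is a bare secret the proxy can forward unchanged, whereas here the origin travels inside the signed data, so forwarding the assertion forwards the evidence of the proxy as well.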

Released under AGPL-3.0-only.