Tycoon2FA, a sophisticated phishing-as-a-service platform tracked by Microsoft as Storm-1747, has emerged as the dominant threat targeting Office 365 accounts throughout 2025.
The cybercriminal operation has launched an aggressive campaign involving nearly one million attacks, establishing itself as the most prolific phishing platform observed by security researchers this year.
In October 2025 alone, Microsoft Defender for Office 365 blocked over 13 million malicious emails connected to Tycoon2FA infrastructure.
This massive volume demonstrates the scale and persistence of the threat actors operating this platform, which provides ready-made phishing tools to cybercriminals worldwide.
Fake CAPTCHA Tactics Drive Attack Success
Storm-1747 has become a significant force behind the surge in fake CAPTCHA phishing tactics.
These attacks disguise malicious links behind fake security verification screens that appear legitimate to unsuspecting users.
In October, Microsoft attributed more than 44 percent of all CAPTCHA-gated phishing attacks to Tycoon2FA infrastructure, as Microsoft reported on its X account.
One particularly aggressive Tycoon2FA campaign involved over 928,000 messages targeting organizations across 182 countries.
The attackers used deceptive “DOCUMENT HERE” links, combined with country-specific Google redirects, to funnel victims to credential-harvesting websites designed to steal Office 365 login credentials.
The global reach of this campaign highlights the threat actors’ sophisticated understanding of localized targeting.
By using country-specific redirections, attackers increased the likelihood that victims would trust malicious links.
Tycoon2FA has also embraced QR code phishing as an attack vector. The platform was directly linked to nearly 25 percent of all QR code phishing attacks detected in October 2025.
Security analysis revealed that most QR code phishing attacks were delivered through PDF, DOC, or DOCX file attachments that contained malicious QR codes.
This delivery method exploits user trust in standard document formats while bypassing traditional email security filters that may not thoroughly scan embedded QR codes.
Analysis of Tycoon2FA operations uncovered distinct hosting patterns. Approximately 40 percent of Tycoon2FA domains hosting phishing content sat under second-level domains such as .sa[.]com, .com[.]de, and .me[.]uk.
Nearly one quarter of all Tycoon2FA-related phishing domains identified in October were hosted specifically on .sa[.]com domains.
These hosting choices help attackers evade detection and maintain operational persistence.
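As an added defender-side illustration that is not part of the original report, the following Python script shows how a security team might tally which distinct hosts seen in email-gateway click logs fall under the second-level domains named above. The log lines, host names and the `url=` field layout are constructed for this example; the watched suffix list is assumed to be exactly the three extensions the report names, and the script also accepts defanged indicators (`hxxp`, `[.]`) so threat-intel notes can be fed in unchanged.

```python
"""Tally distinct hosts that sit under watched second-level domains (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Second-level domains named in the report. Everything below the suffix
# (e.g. "login-portal.sa.com") is registrable by anyone, so a host under
# one of these deserves a closer look in click logs.
WATCHED_SECOND_LEVEL = ("sa.com", "com.de", "me.uk")

# Constructed gateway-style log lines; hosts and users are made up for the example.
SAMPLE_LOG = [
    "ts=2025-10-03T08:12:44Z action=click user=a.user@example.org url=hxxps://verify-docs[.]sa[.]com/captcha?id=1",
    "ts=2025-10-03T08:13:01Z action=click user=b.user@example.org url=https://mail.example.org/owa",
    "ts=2025-10-03T09:40:12Z action=click user=c.user@example.org url=http://signin-portal.com.de/document",
    "ts=2025-10-03T10:02:55Z action=click user=d.user@example.org url=https://verify-docs.sa.com/captcha?id=2",
    "ts=2025-10-03T10:05:19Z action=click user=e.user@example.org url=https://sa.com/",
    "ts=2025-10-03T11:30:00Z action=click user=f.user@example.org url=https://files.me.uk/share/abc",
    "ts=2025-10-03T12:00:00Z action=bounce user=g.user@example.org",
]


def refang(indicator: str) -> str:
    """Turn defanged notation (hxxp://, [.]) back into a parseable URL."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def host_of(url: str) -> str:
    """Extract the lower-cased host name from a (possibly defanged) URL."""
    u = refang(url.strip()).lower()
    if "://" not in u:
        u = "http://" + u          # bare host: give urlsplit a scheme to work with
    return (urlsplit(u).hostname or "").rstrip(".")


def watched_suffix(host: str) -> Optional[str]:
    """Return the watched second-level domain the host sits under, if any.

    Only hosts with at least one label *below* the suffix match, so the
    suffix itself ("sa.com") is not flagged while "login-portal.sa.com" is.
    """
    for suffix in WATCHED_SECOND_LEVEL:
        if host.endswith("." + suffix):
            return suffix
    return None


def triage(log_lines: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Map each distinct flagged host to its suffix; also return the count of distinct hosts seen."""
    flagged: Dict[str, str] = {}
    seen_hosts = set()
    for line in log_lines:
        m = re.search(r"url=(\S+)", line)
        if not m:
            continue                # lines without a URL (bounces etc.) carry no host
        host = host_of(m.group(1))
        if not host or host in seen_hosts:
            continue                # count each host once regardless of click volume
        seen_hosts.add(host)
        suffix = watched_suffix(host)
        if suffix:
            flagged[host] = suffix
    return flagged, len(seen_hosts)


def share_under_watched(flagged: Dict[str, str], total_hosts: int) -> Tuple[Dict[str, float], float]:
    """Percentage of distinct hosts under each watched suffix, plus the overall share."""
    if total_hosts == 0:
        return {}, 0.0
    counts = Counter(flagged.values())
    per_suffix = {s: round(100 * c / total_hosts, 1) for s, c in counts.items()}
    overall = round(100 * len(flagged) / total_hosts, 1)
    return per_suffix, overall


if __name__ == "__main__":
    hits, total = triage(SAMPLE_LOG)
    per_suffix, overall = share_under_watched(hits, total)
    for host, suffix in sorted(hits.items()):
        print(f"FLAG {host:30s} under .{suffix}")
    print(f"{len(hits)} of {total} distinct hosts ({overall}%) sit under watched suffixes: {per_suffix}")
```

Counting distinct hosts rather than raw clicks keeps one heavily clicked lure from inflating the share, which matches how the report expresses its figures (a proportion of domains, not of messages). In production the suffix tuple would be replaced by a maintained list, and the `url=` regex by the gateway's actual field parser.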
Organizations must prioritize robust security configurations in Microsoft Defender for Office 365 to defend against Tycoon2FA activity.
Security teams should enable phishing-resistant multifactor authentication for all user accounts as a critical first line of defense.
Adopting password-less authentication solutions provides additional protection against credential theft.
Maintaining up-to-date threat policies and leveraging automated detection tools will help limit attackers’ opportunities.
Organizations should implement user awareness training to help users recognize fake CAPTCHA screens and suspicious QR codes.
These combined measures will strengthen resilience against this persistent phishing threat.