Tycoon 2FA: Advanced Evasion Techniques in Phishing-as-a-Service
In May 2025, ANY.RUN researchers detailed the evolution of the Tycoon 2FA phishing kit, which targets Microsoft 365 and Gmail credentials. This Phishing-as-a-Service (PhaaS) platform employs sophisticated evasion techniques, including dynamic code generation, obfuscation, and traffic filtering, to bypass two-factor authentication (2FA) defenses. The kit uses an Adversary-in-the-Middle (AiTM) approach to capture session cookies, allowing attackers to reuse sessions and evade security measures. The continuous updates and enhancements in Tycoon 2FA's evasion tactics highlight the persistent threat it poses to corporate defenses.
Indicators of Compromise (1 / 70 total)
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| FileHash-MD5 | e0d37a504604ef874bad26435d62011f | — | 2025-05-20 |