AI Strategy, Cybersecurity, Compliance Automation & Microsoft 365 Managed IT for Security-First Financial Institutions | ABT Blog

The Exploit: Anatomy of a Modern Cyber Heist Part 2 - The Perfect Phish

Written by Justin Kirsch | Sat, May 23, 2026

On January 6, 2026, Microsoft Threat Intelligence published a detailed breakdown of Tycoon2FA, a phishing-as-a-service platform that, at its peak, accounted for 62 percent of all phishing attempts Microsoft Defender for Office 365 blocked in a single month. The platform comes pre-loaded with pixel-perfect Microsoft 365 login page templates. Any attacker with a subscription can launch a targeted campaign against a credit union, community bank, or mortgage company without writing a single line of code.

This is Part 2 of a four-part series tracking the cyber kill chain that credit unions, banks, and mortgage companies face today. In Part 1: The Leak in the Shadows, we traced how stolen credentials and social media reconnaissance give attackers everything they need to build a target profile. Now those credentials become weapons.

13M+
Tycoon2FA phishing emails blocked by Microsoft Defender for Office 365 in October 2025 alone. At its peak, the kit accounted for 62 percent of all phishing attempts Microsoft saw in a single month.
Source: Microsoft Security Blog, January 6, 2026

Tycoon2FA: 13 Million Phishing Emails in a Single Month

Traditional phishing steals passwords. Tycoon2FA steals entire authenticated sessions, and it does it at industrial scale.

The platform operates as a subscription service on underground forums. Buyers get a complete toolkit: pre-built phishing page templates that mirror Microsoft 365, Google Workspace, and major financial platforms. The templates are updated regularly to match design changes on the real login pages. When a credit union member services rep, a bank teller, or a mortgage loan processor clicks a phishing link, they see an exact replica of their real login screen.

But Tycoon2FA is not a static phishing page. It is a real-time proxy that sits between the victim and the legitimate Microsoft 365 login server. Microsoft tracks the kit as a commodity tool that has been in active use since at least May 2025, with campaigns described as opportunistic and broad, hitting organizations across every industry. Financial services sit near the top of the target list because the payoff is large and the timing of high-value transactions is predictable.

1. Victim Clicks Phishing Link

An employee receives a targeted email. The lure is something routine: a shared document, a vendor portal update, a fake invoice, a voicemail notification, an HR communication, a password reset. The link opens a pixel-perfect clone of the Microsoft 365 sign-in page.

2. Credentials Relayed in Real Time

The victim enters a username and password. Tycoon2FA instantly forwards both to the real Microsoft login server through its proxy. The real server responds normally because, from its perspective, the credentials came from a real client.

3. MFA Token Captured

The real server prompts for multi-factor authentication. The victim enters the code from a text message, an authenticator app, or a push notification. Tycoon2FA captures the response, relays it within seconds, and the real server issues an authenticated session token.

4. Session Hijacked

Tycoon2FA captures the session token. The victim sees a "session timeout" error and tries again later. The attacker now holds a fully authenticated session. They ARE the victim, as far as Microsoft 365 is concerned. No password or MFA code is needed again.

5. Mailbox Rules Set

The attacker sets email forwarding rules to intercept incoming messages from specific senders: vendors, title companies, ACH originators, member service queues, borrowers. They monitor communications silently, waiting for the next high-value transaction.

This is why MFA alone is not enough. Tycoon2FA defeats SMS codes, authenticator apps, and push notifications. The only authentication methods that resist this attack are FIDO2 security keys and passkeys, which validate the domain before releasing credentials. If the domain does not match the one the credential was registered to, the key refuses to authenticate, and the proxy, which sits on a different domain, cannot fake that validation.

How Adversary-in-the-Middle Attacks Defeat Standard MFA

Understanding AiTM attacks requires understanding what MFA actually protects, and what it does not.

Standard MFA adds a second factor to authentication: something you know (password) plus something you have (phone, authenticator app). This blocks credential stuffing and brute force attacks effectively. If an attacker only has the stolen password from a dark web dump, MFA stops the attempt cold.

But AiTM attacks do not replay stolen credentials later. They relay them in real time. The proxy captures both the password and the MFA code within the same authentication session, passes them to the real server, and intercepts the session token that comes back. From that point forward, the attacker operates with a fully authenticated session. No credentials needed.

Real-World Scenario: A Bank Treasury Analyst Receives a "Shared Document" Notification

A treasury analyst at a community bank receives an email that appears to come from a colleague: "I shared the updated vendor payment schedule with you. Click here to review before tomorrow's wire batch."

The link opens what looks exactly like the bank's SharePoint sign-in page. The analyst enters credentials and the MFA code from the authenticator app.

Thirty seconds later, the attacker has the session token. They set an inbox rule to forward all emails from the bank's correspondent banking partner to an external address and begin monitoring for the next outgoing wire batch.

The analyst notices nothing. The "shared document" redirects to a real SharePoint page after the relayed authentication. Everything feels normal. The compromise will not be discovered until a vendor calls about a payment that never arrived.

Swap "treasury analyst" for "loan processor" or "credit union member services rep," and the same scenario plays out across every financial institution Tycoon2FA targets. The lure changes. The mechanism does not.

Microsoft Threat Intelligence documented Tycoon2FA campaigns hitting a wide variety of organizations across multiple industries since May 2025. The pre-built Microsoft 365 templates make it trivially easy to target any organization that relies on the Microsoft ecosystem, which includes the vast majority of credit unions, community banks, and mortgage companies in the United States.

NYDFS Part 500 Is Now in Active Enforcement Mode

The April 15, 2026 certification deadline for universal multi-factor authentication under 23 NYCRR Part 500 has passed. Covered entities, including state-chartered banks, credit unions operating in New York, mortgage servicers, and insurance companies under NYDFS jurisdiction, were required to certify universal MFA for all individuals accessing any information system. Not just remote access. Not just privileged accounts. Every individual, every information system.

As of May 2026, NYDFS is in active enforcement mode. The grace periods are exhausted. Audits in Q2 2026 are focused on universal MFA, third-party service provider oversight, asset inventory, and phishing-resistant authentication. NYDFS guidance describes the posture as zero tolerance: there are no phased warnings for institutions that missed the certification window. Ongoing non-compliance can trigger fines of up to $250,000 per day, with historical Part 500 enforcement actions reaching into the tens of millions for severe cases.

Why Universal MFA Alone Is Not Enough

NYDFS Part 500 requires universal MFA but does not, as currently written, mandate phishing-resistant MFA specifically. Credit unions and community banks that deploy only SMS-based MFA can technically meet the letter of the rule while remaining fully vulnerable to Tycoon2FA-style attacks. Institutions that deploy FIDO2 keys or passkeys meet both the letter and the intent. As the threat landscape moves from password-theft to session-token-theft, examiners across NYDFS, FDIC, OCC, and NCUA are signaling that phishing-resistant authentication is the direction of travel, even where it is not yet explicitly required.

For institutions outside New York, the federal-level guidance is converging. The FFIEC IT Examination Handbook (Authentication and Access to Financial Institution Services and Systems booklet) emphasizes risk-based MFA aligned to the threat environment. Recent FDIC, OCC, and NCUA supervisory letters and cybersecurity advisories all highlight phishing-resistant authentication as an appropriate response to adversary-in-the-middle threats. None of these federal regulators currently mandates FIDO2 or passkeys, but recent guidance that addresses AiTM also recommends phishing-resistant authentication as the natural next step.

Tier 1 Microsoft Cloud Solution Provider (CSP) ABT Partner Insight

Microsoft Threat Intelligence reports that, since May 2025, AiTM phishing kits have moved from custom-built tools used by sophisticated actors to commodity subscription services available to any attacker willing to pay. The October 2025 spike, when Defender for Office 365 blocked over 13 million Tycoon2FA-linked emails, coincided with the first sustained quarter where Microsoft saw a single PhaaS platform account for the majority of phishing attempts. The defensive playbook has shifted: phishing-resistant authentication, real-time session monitoring, and conditional access for unmanaged devices are no longer "nice to have" controls. They are the controls that keep MFA effective when the threat actor is sitting in the middle of the connection.

Source: Microsoft Security Blog, January 6, 2026. ABT manages Microsoft 365 tenants for 750+ credit unions, banks, and mortgage companies, with Tycoon2FA-resistant controls deployed across the managed footprint.

$2.77 Billion in BEC Losses: How Email Compromise Becomes Wire Fraud

AiTM phishing provides the access. Business email compromise turns that access into money. The FBI Internet Crime Complaint Center 2024 Annual Report documented 21,442 BEC complaints totaling $2.77 billion in adjusted losses, with 86 percent of losses tied to wire transfers or ACH payments. BEC was the second-highest-loss category in the entire report, behind only investment fraud.

Case Study: 2020 to 2024

Babatunde Ayeni BEC Ring: $19.6 Million Stolen Across 231 Closings

Over four years, Ayeni's team phished title company employees and real estate agents across the United States. Once inside their email accounts, they monitored closing communications, watching for the exact moment when wire transfer instructions would be sent. At the right moment, they sent fraudulent wire instructions from what appeared to be the legitimate title company email. 231 victims lost a combined $19.6 million in stolen down payments and closing funds. Over 400 additional victims were targeted but intercepted. Ayeni was sentenced to 10 years in federal prison in November 2024.

Sources: U.S. Department of Justice press release (November 2024), FBI IC3 2024 Annual Report

Ayeni's scheme was devastatingly simple. His team did not hack firewalls or exploit zero-day vulnerabilities. They phished one email account at a title company, then monitored that inbox silently for weeks, sometimes months. They learned the communication patterns: who sends wire instructions, what the standard email format looks like, when closings are scheduled.

Then, at exactly the right moment, hours before a real closing, they sent wire transfer instructions from the compromised email account to the buyer. The instructions looked identical to legitimate ones. The routing number was different. The buyer wired the down payment to an account controlled by Ayeni's network. By the time anyone realized the money went to the wrong place, it had been moved through multiple accounts and withdrawn.

The Same Playbook Works on Every Financial Institution

The mortgage closing scenario is the most publicly documented version of this attack, because the dollar amounts and the timing make it a magnet for federal prosecution. But the same playbook works on:

  • Community banks processing correspondent banking wires, vendor payments, payroll, and business banking ACH batches. The attacker compromises a treasury analyst's mailbox, watches the wire schedule, and sends fraudulent instructions hours before a real outgoing wire.
  • Credit unions handling member loan disbursements, business member wires, and shared-branching settlements. The attacker compromises a member service rep or loan officer mailbox, watches for disbursement requests, and redirects the proceeds.
  • Mortgage companies and title companies coordinating closings, where the Ayeni pattern continues to operate. New rings emerge as old ones get prosecuted.
  • Wealth management offices coordinating client wire transfers, where the dollar amounts per transaction often dwarf any other vertical.

The defense is identical across all four cases. Phishing-resistant authentication closes the front door. Real-time monitoring of mailbox forwarding rules catches the attacker on the way in. Out-of-band verification of every wire instruction catches the fraud at the last possible moment.

The Down Payments That Vanished

The Ayeni case represents the organized end of BEC. But individual cases tell the human story: families who lost their life savings, businesses that lost a single critical payment, member-owned credit unions that absorbed the loss to make a member whole.

Victim | Location | Amount Lost | How It Happened | Outcome
First-time homebuyer | Spokane, WA | $34,000 | Spoofed loan officer email with wire instructions sent before real instructions arrived | Down payment lost, wired to fraudulent account
Borrower | Cincinnati, OH | $7,542 | Fake title company email included agent's photo, knew exact closing date and amount | Down payment lost, discovered too late to recover
Real estate buyer | Central Washington | Nearly $700,000 | Fake title company email with wire instructions during real estate transaction | Intercepted by local sheriff's office before completion

In every case, the attackers knew specific details about the transaction: the closing date, the amount, the title company involved, and the names of the people sending and receiving instructions. That level of detail does not come from guessing. It comes from sitting inside a compromised email account, reading every message, and waiting for the right moment.

Ayeni's team did not hack firewalls. They phished one email account at a title company, then waited, sometimes for months, for the right closing to redirect. The attack was patient, precise, and devastating. The same patience targets bank vendor payments and credit union member disbursements every day.

Is Your MFA Phishing-Resistant?

Most credit unions, banks, and mortgage companies rely on SMS or authenticator-based MFA that AiTM attacks bypass in seconds. Get a quick assessment before examiners or attackers do.

Breaking the Second Link: Phishing-Resistant Authentication

The controls that break the phishing link in the kill chain fall into two categories: preventing the phish from succeeding, and detecting when it does. Both layers must be in place. Microsoft 365 includes most of the technical building blocks. The hard part is configuration, monitoring, and the operational habit of treating every wire instruction as suspicious until verified out of band.

FIDO2 security keys and passkeys (Microsoft Entra ID). The only MFA method that Tycoon2FA and similar AiTM kits cannot defeat. FIDO2 keys validate the domain before releasing credentials. If the domain does not match the registered service, the key refuses to authenticate. The proxy cannot fake domain validation. For credit unions, banks, and mortgage companies handling wires of any kind, FIDO2 keys for privileged users, treasury staff, loan officers, and processors are the highest-impact single control you can deploy. Microsoft Authenticator passkeys provide a phone-based equivalent that works for users who prefer not to carry a hardware key.
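The following toy model, added here and not part of the post or any Microsoft code, shows why the origin check above holds up against the real-time relay described in the kill chain steps and in the "How Adversary-in-the-Middle Attacks Defeat Standard MFA" section: an origin-agnostic one-time code verifies no matter which page it was typed into, while an origin-bound assertion produced on a lookalike page fails at the real server. The origins, secrets and the HMAC stand-in for a signature are constructed for illustration.

```python
"""Added example (not from the post): toy model of why an origin-bound
credential (FIDO2 / passkey) survives a relaying proxy while an origin-agnostic
one-time code does not. Origins, keys and the HMAC-as-signature are constructed."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.bank.example"       # constructed: legitimate sign-in origin
LOOKALIKE_ORIGIN = "https://login-bank.example"  # constructed: what a relayed page shows

TOTP_SECRET = b"constructed-shared-secret"       # shared between phone app and server
PASSKEY_SECRET = b"constructed-private-key"      # in reality never leaves the authenticator


def one_time_code(step: int) -> str:
    """Origin-agnostic second factor: the same six digits wherever they are typed."""
    digest = hmac.new(TOTP_SECRET, str(step).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def passkey_assertion(challenge: str, observed_origin: str) -> dict:
    """Simplified WebAuthn assertion: the authenticator signs the challenge together
    with the origin the browser reports, so the server can check both."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": observed_origin}, sort_keys=True
    ).encode()
    sig = hmac.new(PASSKEY_SECRET, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data.decode(), "sig": sig}


class RelyingParty:
    """The real login server: knows its own origin and the registered secrets."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.pending = set()          # challenges issued but not yet consumed

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify_code(self, code: str, step: int) -> bool:
        return hmac.compare_digest(code, one_time_code(step))

    def verify_assertion(self, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        if data.get("challenge") not in self.pending:
            return False              # unknown or replayed challenge
        if data.get("origin") != self.origin:
            return False              # origin mismatch: this is the check a proxy cannot fake
        expected = hmac.new(
            PASSKEY_SECRET, assertion["client_data"].encode(), hashlib.sha256
        ).hexdigest()
        ok = hmac.compare_digest(assertion["sig"], expected)
        if ok:
            self.pending.discard(data["challenge"])
        return ok


def login_with_code(rp: RelyingParty, browser_origin: str) -> bool:
    """The victim types the code into whatever page the browser shows; the page
    (legitimate or relaying) passes it to the real server unchanged."""
    step = 12345                      # constructed time step
    code = one_time_code(step)        # read from the phone; browser_origin plays no role
    return rp.verify_code(code, step)


def login_with_passkey(rp: RelyingParty, browser_origin: str) -> bool:
    """Same flow, but the assertion carries the origin the browser observed. A page
    at another origin can forward it to the real server, yet it will not verify."""
    challenge = rp.new_challenge()    # fetched by whoever serves the page
    assertion = passkey_assertion(challenge, browser_origin)
    return rp.verify_assertion(assertion)


if __name__ == "__main__":
    rp = RelyingParty(REAL_ORIGIN)
    print("code on real page      :", login_with_code(rp, REAL_ORIGIN))         # True
    print("code on lookalike page :", login_with_code(rp, LOOKALIKE_ORIGIN))    # True
    print("passkey on real page   :", login_with_passkey(rp, REAL_ORIGIN))      # True
    print("passkey on lookalike   :", login_with_passkey(rp, LOOKALIKE_ORIGIN)) # False
```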

Microsoft Defender for Office 365. AI-driven analysis catches phishing emails that reference real vendor names, mimic legitimate invoice formats, and bypass standard spam filters. Safe Links rewrites URLs to route through Microsoft's real-time scanning before the user reaches the destination, which is the layer that catches a Tycoon2FA proxy domain the moment Microsoft Threat Intelligence flags it. Safe Attachments detonates suspicious files in a sandbox before delivery. For institutions with Microsoft 365 Business Premium or E5 licenses, Defender is already included; it just has to be configured and monitored.

Conditional Access in Microsoft Entra ID. Block sign-ins from unmanaged devices, suspicious locations, or non-compliant endpoints. Even if an attacker captures a session token through AiTM, Conditional Access can invalidate that token if the access attempt comes from an unrecognized device, a new geography, or a device that does not meet the institution's compliance baseline. Token protection policies in Entra ID add a layer of cryptographic binding that makes hijacked tokens far harder to reuse.

Email forwarding rule monitoring. The first thing an attacker does after compromising a mailbox is set forwarding rules to intercept incoming messages. ABT's M365 Guardian monitoring catches new forwarding rules, impossible travel logins, and MFA token replay attempts in real time. A new forwarding rule on a loan officer's account at 2 AM triggers an immediate alert, not a log entry that someone reviews next week.
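As an added example of the detection logic this paragraph describes (not ABT's M365 Guardian or any Microsoft code), the script below grades mailbox forwarding changes from constructed Microsoft 365 unified audit log records: an external forwarding target, a rule that also deletes or moves the forwarded mail, and creation outside business hours each raise the severity. The Operation and Parameter names follow the Exchange Online audit schema; the users, addresses, IPs, timestamps and the internal domain list are invented.

```python
"""Added example (not ABT's or Microsoft's code): grade mailbox forwarding changes
found in constructed Microsoft 365 unified audit log records. Operation/Parameter
names follow the Exchange Online audit schema; all users, hosts and times are invented."""
from datetime import datetime
from typing import Optional

INTERNAL_DOMAINS = {"bank.example"}                # constructed: the institution's own domains
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder"}  # keep the mailbox owner from noticing
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

AUDIT_RECORDS = [  # constructed sample entries shaped like Exchange mailbox audit events
    {"CreationTime": "2026-05-20T02:07:41", "Operation": "New-InboxRule",
     "UserId": "loan.officer@bank.example", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "From", "Value": "closings@titleco.example"},
                    {"Name": "ForwardTo", "Value": "archive.bank@webmail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-05-20T14:12:03", "Operation": "New-InboxRule",
     "UserId": "teller@bank.example", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Branch newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2026-05-20T15:30:00", "Operation": "Set-Mailbox",
     "UserId": "treasury@bank.example", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:ops@bank.example"}]},
    {"CreationTime": "2026-05-21T03:45:10", "Operation": "Set-Mailbox",
     "UserId": "analyst@bank.example", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:a.nalyst@webmail.example"}]},
]


def mail_domain(address: str) -> str:
    """'smtp:user@host' or 'user@host' -> 'host', lower-cased."""
    address = address.strip().lower()
    if address.startswith("smtp:"):
        address = address[5:]
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def is_off_hours(creation_time: str, start: int = 6, end: int = 20) -> bool:
    """True outside [start, end). Real audit timestamps are UTC and should be
    converted to the institution's local zone first; here they are taken as local."""
    hour = datetime.fromisoformat(creation_time.rstrip("Z")).hour
    return not (start <= hour < end)


def analyze_record(record: dict) -> Optional[dict]:
    """Return a graded alert for any forwarding/redirect change, else None."""
    if record.get("Operation") not in WATCHED_OPERATIONS:
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    targets = []
    for name in FORWARDING_PARAMS & params.keys():
        value = params[name]
        targets.extend(value if isinstance(value, list) else [value])  # may be multi-valued
    if not targets:
        return None                    # rule touches nothing that leaves the mailbox
    external = [t for t in targets if mail_domain(t) not in INTERNAL_DOMAINS]
    reasons = []
    if external:
        reasons.append("forwards to external domain")
    if HIDING_PARAMS & params.keys():
        reasons.append("hides forwarded mail from the mailbox owner")
    if is_off_hours(record["CreationTime"]):
        reasons.append("created outside business hours")
    # external plus hiding or odd timing: page someone now; internal-only: log and review
    severity = "high" if external and len(reasons) > 1 else "medium" if external else "low"
    return {"user": record["UserId"], "operation": record["Operation"], "targets": targets,
            "severity": severity, "reasons": reasons, "client_ip": record.get("ClientIP")}


def scan(records: list) -> list:
    """Run every record through analyze_record and keep the alerts."""
    return [a for a in (analyze_record(r) for r in records) if a]


if __name__ == "__main__":
    for alert in scan(AUDIT_RECORDS):
        print(alert["severity"].upper(), alert["user"], alert["targets"], "; ".join(alert["reasons"]))
```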

Microsoft Purview Data Loss Prevention. Flag emails containing sensitive borrower or member information, including Social Security numbers, account numbers, loan application data, and other regulated content, sent to unverified external addresses. Even if an attacker controls an internal email account, DLP policies prevent them from exfiltrating customer or member data or sending wire instructions to unauthorized recipients.

Out-of-band verification of every wire. The control that catches the fraud even when every technical layer fails. Calling the title company, the vendor, the correspondent bank, or the member at a known phone number, not a number from the email, to confirm wire instructions before sending. Make it a written policy. Train every staff member who initiates or approves a wire. Document the verification in the transaction file.

ABT deploys these controls across 750+ credit unions, banks, and mortgage companies on a pure Microsoft stack. No third-party email security tools that create their own supply chain risk. M365 Guardian monitoring catches the behavioral patterns that signal a compromised account, including email forwarding changes, unusual login geography, and bulk data access, and responds before the attacker can act on the access. For institutions evaluating where their current controls stand against the NIST Cybersecurity Framework 2.0, see our NIST CSF 2.0 Assessment for financial institutions for a structured mapping from each Microsoft 365 control to the Identify, Protect, Detect, Respond, Recover, and Govern functions.


Kill Chain Status: Part 2 of 4

Recon > [>>> PHISH >>>] > Breach > Heist

The credentials stolen in Part 1: The Leak have been weaponized into a successful phishing attack. The attacker now holds an authenticated session. In Part 3 of this series, that access becomes a foothold for supply chain attacks and lateral movement: when your vendor gets hacked, you get hacked.

Don't Let Your Next Wire Become a Case Study

M365 Guardian monitors email forwarding rules, impossible travel logins, and MFA token replay attempts in real time. ABT deploys phishing-resistant authentication across 750+ credit unions, banks, and mortgage companies on a pure Microsoft stack. Whether you are working toward NYDFS Part 500 enforcement readiness, an FFIEC examination, or just trying to stop the next $2.77 billion year, the controls are the same.

Frequently Asked Questions

Adversary-in-the-middle (AiTM) phishing uses a real-time proxy server that sits between the victim and the legitimate login page. When the victim enters credentials and an MFA code, the proxy relays them to the real server instantly, capturing the authenticated session token. This defeats standard MFA, including SMS codes, authenticator apps, and push notifications, because the attacker does not need the password or code again. The attacker rides the stolen session token directly. FIDO2 security keys and passkeys resist this attack because they validate the domain before releasing credentials. If the domain does not match, the key refuses to authenticate.

Financial institutions should run phishing simulations at least monthly, using scenarios tailored to financial services workflows like invoice approvals, wire transfer requests, vendor portal updates, member loan disbursements, and shared-branching settlements. Industry research shows that organizations relying on annual training see negligible improvement in click rates over fully untrained populations, while organizations running sustained behavior-based programs achieve failure rates near 1.5 percent. AI-generated targeted phishing in recent 2024 to 2025 academic studies reached 54 percent click rates against generic-trained users. The FTC Safeguards Rule, FFIEC IT Examination Handbook, and equivalent NCUA guidance all require continual security awareness training for all staff handling customer or member information. Annual checkbox training does not meet that bar.

Microsoft 365 includes Defender for Office 365 with Safe Links, Safe Attachments, and anti-phishing policies that use machine learning to detect impersonation attempts. Exchange Online Protection filters known malicious senders and domains. Conditional Access policies in Microsoft Entra ID can block sign-ins from suspicious locations or unmanaged devices and add token protection that makes hijacked sessions far harder to reuse. Microsoft Purview Data Loss Prevention rules flag emails containing sensitive borrower or member information sent to unverified external addresses. These controls are included in most Microsoft 365 Business Premium, E3, and E5 licenses, but they require proper configuration. ABT activates and monitors them across 750+ financial institutions.

The April 15, 2026 certification deadline for universal multi-factor authentication under 23 NYCRR Part 500 has passed. As of May 2026, NYDFS is in active enforcement mode with no grace periods remaining. Audits in Q2 2026 are focused on universal MFA, third-party service provider oversight, asset inventory, and phishing-resistant authentication. Ongoing non-compliance can trigger fines of up to $250,000 per day. The regulation requires multi-factor authentication for all individuals accessing any information system, including cloud applications, on-premise systems, third-party tools, and vendor access. It does not currently mandate phishing-resistant MFA specifically, but examiners are signaling that institutions relying solely on SMS-based MFA face heightened scrutiny given the prevalence of adversary-in-the-middle phishing.

Attackers compromise a treasury analyst, loan officer, member services representative, or wire room employee through phishing, then silently monitor communications for upcoming high-value transactions. At a community bank, the targets are correspondent banking wires, vendor payments, payroll ACH batches, and business banking transfers. At a credit union, the targets are member loan disbursements, business member wires, and shared-branching settlements. The attacker learns the participants, the schedule, and the expected amounts, then sends fraudulent instructions from the compromised email account hours before the legitimate wire. The instructions look identical to legitimate ones, but the routing number directs funds to an attacker-controlled account. Out-of-band verification, calling the receiving party at a known phone number to confirm wire instructions, is the primary defense.

Attackers compromise a title company or real estate agent email account through phishing, then silently monitor communications for upcoming closings. They learn the participants, the closing date, and the expected wire amount. At exactly the right moment, usually hours before the legitimate wire instructions are sent, the attacker sends fraudulent wire instructions from the compromised email account to the buyer. The instructions look identical to legitimate ones, but the routing number directs the funds to an attacker-controlled account. The Babatunde Ayeni BEC ring used this technique to steal $19.6 million from 231 victims between 2020 and 2024. Out-of-band verification, calling the title company at a known phone number to confirm wire instructions, is the primary defense.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has spent over 25 years deploying phishing-resistant authentication and email security controls for credit unions, banks, and mortgage companies. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he leads a team that manages and hardens Microsoft 365 tenants for more than 750 financial institutions nationwide.