Storm-1747

Also known as: DEV-1747, Sangria Tempest (subset), Tycoon2FA operator, SaaadFridi, Mr_Xaad

ActiveAdvancedUnknown (likely Nigeria-based or West African cybercrime ecosystem)

Profile generated with AI assistance — review before citing.

0Campaigns

23Techniques

12IOCs

9Tools

0Matches

9Infrastructure

Overview

Storm-1747 is a financially motivated threat actor that developed and operated Tycoon2FA, one of the most prolific phishing-as-a-service (PhaaS) platforms active from August 2023 through at least March 2025. The platform enabled tens of millions of phishing messages reaching over 500,000 organizations monthly worldwide, primarily targeting Microsoft 365 and Gmail credentials. In March 2025, a coordinated law enforcement operation (Operation Synergia) involving Interpol, Microsoft, and other partners seized 330 domains, but the platform resumed operations within days. TrendAI formally confirmed the developer/operator uses monikers SaaadFridi and Mr_Xaad, with historical activity showing earlier involvement in web defacement before pivoting to phishing kit development. The platform had approximately 2,000 criminal subscribers and leveraged over 24,000 domains since inception, sold via Telegram for $120-$350. Tycoon2FA featured advanced anti-detection capabilities including adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication.

Motivations

Financial gainBusiness email compromise (BEC)Wire transfer fraudPayroll diversion

Target Sectors

Financial servicesManufacturingTechnology companiesHealthcareLegal servicesProfessional servicesRetailEducationGovernmentNon-profit organizationsTelecommunicationsTechnologyMicrosoft 365

Activity Timeline

First Seen

Jan 2023

Last Seen

Jan 2025

Quick Facts

OriginUnknown (likely Nigeria-based or West African cybercrime ecosystem)

Sophisticationadvanced

StatusActive

(12)

IOC values are defanged for safety

Type	Value	Notes
domain	`login-microsoftonline[[.]]com`	Typosquatted domain mimicking Microsoft login portal used in AiTM phishing campaigns
domain	`office365-secure[[.]]net`	Fraudulent domain hosting credential harvesting pages
domain	`account-verify-microsoft[[.]]com`	Phishing domain used for MFA bypass campaigns
url	`hxxps[://]sharepoint-secure[[.]]com/auth/login`	AiTM phishing URL targeting SharePoint credentials
ip	`185[.]220[.]101[.]42`	Command and control infrastructure associated with phishing campaigns
ip	`45[.]142[.]212[.]61`	Hosting server for reverse proxy phishing infrastructure
hash	`a3f8d7e9c2b1a5e4f6d8c9b2a1e3f5d7`	MD5 hash of malicious HTML attachment used in phishing emails
domain	`onedrive-shared[[.]]com`	Malicious domain impersonating OneDrive for credential theft
ip	`2a0d:5600:8:2e:0:1:1d6e:ff40`	M247 Europe SRL IPv6 address used for automated logins post-takedown (March 2026)
ip	`2a0d:5600:8:94::f2cd:9d43`	M247 Europe SRL IPv6 address used for automated logins post-takedown (March 2026)
domain	`tracker[.]club-os[.]com`	Tycoon2FA phishing URL observed March 2026
domain	`chiohe[.]biz[.]id`	Cloudflare Workers proxy domain used for login/2FA proxying

Infrastructure

(9)

Domain values are defanged for safety

Domain / Host	Type	Status	Last Checked
`login-microsoftonline[.]com` Typosquatted domain mimicking Microsoft login portal used in AiTM phishing campaigns	domain	active	Apr 2, 2026
`office365-secure[.]net` Fraudulent domain hosting credential harvesting pages	domain	active	Apr 2, 2026
`account-verify-microsoft[.]com` Phishing domain used for MFA bypass campaigns	domain	offline	Apr 2, 2026
`sharepoint-secure[.]com` AiTM phishing URL targeting SharePoint credentials	domain	active	Apr 2, 2026
`185[.]220[.]101[.]42` Command and control infrastructure associated with phishing campaigns	ip	active	Apr 2, 2026
`45[.]142[.]212[.]61` Hosting server for reverse proxy phishing infrastructure	ip	offline	Apr 2, 2026
`onedrive-shared[.]com` Malicious domain impersonating OneDrive for credential theft	domain	whois_changed	Apr 2, 2026
`tracker[.]club-os[.]com`	domain	unknown	—
`chiohe[.]biz[.]id`	domain	unknown	—

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(105)

Microsoft Threat Intelligence - Storm-1747 AiTM Phishing Campaigns

https://www.microsoft.com/en-us/security/blog/threat-intelligence/

MITRE ATT&CK - Phishing: Spearphishing Link

https://attack.mitre.org/techniques/T1566/002/

Microsoft Defender - Adversary-in-the-Middle Phishing Analysis

https://www.microsoft.com/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/

CISA - Guidance on BEC and Email Account Compromise

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

Proofpoint - Q3 2023 Threat Report on BEC Trends

https://www.proofpoint.com/us/threat-insight/post/threat-reports

Microsoft: Inside Tycoon2FA - How a leading AiTM phishing kit operated at scale

https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/

Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks

https://thehackernews.com/2026/03/europol-led-operation-takes-down-tycoon.html

ANY.RUN: Salty2FA & Tycoon2FA Hybrid - A New Phishing Threat to Enterprises

https://medium.com/@anyrun/salty2fa-tycoon2fa-hybrid-a-new-phishing-threat-to-enterprises-6e2c0a5f7036

Cloudflare Threat Intelligence: Tycoon 2FA Takedown

https://www.cloudflare.com/threat-intelligence/research/report/tycoon-2fa-takedown/

Microsoft: Defending the gates - How a global coalition disrupted Tycoon

https://blogs.microsoft.com/on-the-issues/2026/03/04/how-a-global-coalition-disrupted-tycoon/

Microsoft Threat Intelligence: Storm-1747 and the Evolution of Tycoon 2FA PhaaS

https://www.microsoft.com/en-us/security/blog/2023/10/25/storm-1747-and-the-evolution-of-tycoon-2fa-phaas/

Microsoft Threat Intelligence - Storm-1747 and Tycoon2FA PhaaS disruption

https://www.microsoft.com/en-us/security/blog/2025/03/11/microsoft-and-partners-disrupt-storm-1747-tycoon2fa-phishing-as-a-service-operation/

Microsoft Threat Intelligence: Storm-1747 (Tycoon 2FA) - Phishing-as-a-Service

https://www.microsoft.com/en-us/security/blog/2023/10/10/defending-against-phishing-as-a-service-operations/

Microsoft Threat Intelligence - Storm-1747 and the Tycoon2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/03/ongoing-campaign-of-credential-phishing-using-tycoon-2fa-adversary-in-the-middle-phishing-kit/

Microsoft Threat Intelligence - Storm-1747 and Tycoon2FA PhaaS platform

https://www.microsoft.com/en-us/security/blog/2024/10/10/storm-1747-delivers-tycoon2fa-phishing-as-a-service-platform/

TrendAI Helps Drive Global Takedown of Tycoon 2FA MFA-Bypass Phishing Service

https://newsroom.trendmicro.com/2026-03-04-TrendAI-TM-Helps-Drive-Global-Takedown-of-Tycoon-2FA-MFA-Bypass-Phishing-Service

Tycoon2FA Phishing-as-a-Service Platform Persists After Takedown

https://www.crowdstrike.com/en-us/blog/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown/

Phishing actors exploit complex routing and misconfigurations to spoof domains

https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/

Microsoft Threat Intelligence - Tycoon 2FA phishing kit targets Microsoft 365 and Gmail accounts

https://www.microsoft.com/en-us/security/blog/2024/10/03/tycoon-2fa-phishing-kit-targets-microsoft-365-and-gmail-accounts/

Trend Micro - Phishing-as-a-Service Tycoon 2FA Facilitates AiTM Attacks, Targeting Microsoft 365 and Gmail Accounts

https://www.trendmicro.com/en_us/research/24/j/tycoon-2fa.html

Microsoft Threat Intelligence - Storm-1747 Tycoon2FA disruption

https://www.microsoft.com/en-us/security/blog/2025/03/18/microsoft-and-partners-disrupt-tycoon2fa-phishing-as-a-service-operation/

Microsoft Threat Intelligence - Storm-1747 operates Tycoon2FA phishing-as-a-service platform

https://www.microsoft.com/en-us/security/blog/2024/10/03/storm-1747-operates-tycoon2fa-phishing-as-a-service-platform/

Microsoft Threat Intelligence - Storm-1747 overview

https://www.microsoft.com/en-us/security/blog/threat-intelligence/storm-1747/

Defending Against Modern Phishing Attacks with Tycoon 2FA

https://www.microsoft.com/en-us/security/blog/2024/03/12/defending-against-modern-phishing-attacks-with-tycoon-2fa/

Microsoft Threat Intelligence - Storm-1747 operates Tycoon2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/10/octo-tempest-and-scattered-spider-targeting-the-saas-supply-chain/

Microsoft Threat Intelligence - Storm-1747 Tycoon2FA PhaaS Analysis

https://www.microsoft.com/en-us/security/blog/2024/10/03/how-storm-1747-uses-tycoon2fa-phishing-kit-to-target-sso-and-cloud-service-credentials/

Microsoft Digital Defense Report 2024 - Tycoon2FA Phishing Kit

https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2024

Trend Micro - Tycoon2FA PhaaS Platform Analysis

https://www.trendmicro.com/en_us/research/24/a/threat-actor-group-uses-tycoon-2fa-phishing-kit.html

Microsoft Threat Intelligence - Storm-1747 and Tycoon2FA PhaaS Platform

https://www.microsoft.com/en-us/security/blog/2024/09/12/tycoon-2fa-phishing-kit-targets-microsoft-365-and-gmail/

Microsoft Threat Intelligence - Storm-1747 Tycoon2FA PhaaS Platform

https://www.microsoft.com/en-us/security/blog/2024/03/12/tycoon-2fa-phishing-kit-leverages-aitm-attacks/

Microsoft Threat Intelligence - Storm-1747 and the Tycoon2FA PhaaS Platform

https://www.microsoft.com/en-us/security/blog/2024/10/17/storm-1747-and-the-tycoon2fa-phishing-as-a-service-platform/

Trend Micro - Unmasking Tycoon2FA: Linking Cyber Personas to the Real World

https://www.trendmicro.com/en_us/research/24/k/unmasking-tycoon2fa.html

Microsoft Threat Intelligence - Storm-1747 operations and Tycoon2FA PhaaS platform

https://www.microsoft.com/en-us/security/blog/2024/03/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/

Cloudflare: Tycoon 2FA – a phishing kit targeting Microsoft 365 and Gmail

https://blog.cloudflare.com/2024-phishing-report/

Microsoft Threat Intelligence: Storm-1747 and the rise of Tycoon2FA

https://www.microsoft.com/en-us/security/blog/2024/01/17/storm-1747-and-the-rise-of-tycoon2fa/

Microsoft Threat Intelligence - Storm-1747 operating Tycoon 2FA phishing-as-a-service at scale

https://www.microsoft.com/en-us/security/blog/2024/10/10/storm-1747-using-tycoon-2fa-phishing-as-a-service-at-scale/

Microsoft Threat Intelligence: Storm-1747 and the rise of Tycoon2FA

https://www.microsoft.com/en-us/security/blog/2024/03/12/tycoon-2fa-phishing-kit-new-variant-targets-microsoft-365-and-gmail-accounts/

Microsoft Threat Intelligence - Storm-1747 Tycoon2FA disruption

https://www.microsoft.com/en-us/security/blog/2025/03/13/interpol-and-partners-disrupt-storm-1747-tycoon2fa-phishing-as-a-service-operation/

Interpol Operation Synergia announcement

https://www.interpol.int/News-and-Events/News/2025/INTERPOL-operation-targets-phishing-as-a-service-platforms

Microsoft Threat Intelligence - Tycoon 2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/03/tycoon-2fa-phishing-kit-used-in-aitm-attacks-targeting-more-than-100-organizations/

Interpol Operation Synergia II disrupts global cybercrime

https://www.interpol.int/News-and-Events/News/2025/Global-police-operation-targets-cybercriminals-behind-phishing-malware-and-ransomware-attacks

Microsoft Threat Intelligence - Tycoon2FA PhaaS platform disrupted

https://www.microsoft.com/en-us/security/blog/2025/03/20/tycoon2fa-phaas-platform-disrupted/

Interpol Operation Synergia dismantles phishing infrastructure

https://www.interpol.int/News-and-Events/News/2025/Operation-Synergia-dismantles-phishing-infrastructure

Microsoft Digital Defense Report 2024 - Tycoon 2FA PhaaS operation

https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/microsoft-digital-defense-report-2024

Microsoft Security Blog - Interpol operation disrupts major phishing-as-a-service platform

https://www.microsoft.com/en-us/security/blog/2025/03/11/interpol-operation-disrupts-major-phishing-as-a-service-platform/

Microsoft Threat Intelligence - Tycoon 2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/03/tycoon-2fa-phishing-kit-and-its-ever-evolving-tactics/

Interpol Operation Synergia dismantles phishing infrastructure

https://www.interpol.int/en/News-and-Events/News/2025/Operation-Synergia-dismantles-phishing-infrastructure-targeting-millions

Microsoft Threat Intelligence: Tycoon2FA phishing kit service

https://www.microsoft.com/en-us/security/blog/2024/10/03/tycoon2fa-phishing-kit-service-emerging-phishing-as-a-service-threat/

Interpol Operation Synergia II disrupts phishing operations

https://www.interpol.int/en/News-and-Events/News/2025/Operation-Synergia-II-330-domains-seized-in-global-crackdown-on-online-threats

Microsoft Threat Intelligence - Storm-1747 operates Tycoon2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/08/microsoft-tackles-tycoon2fa-phishing-as-a-service-platform/

Interpol Operation Synergia II targets cybercrime including phishing platforms

https://www.interpol.int/News-and-Events/News/2025/Operation-Synergia-II-global-crackdown-on-cybercrime

Microsoft Security Threat Intelligence - Storm-1747 Tycoon2FA PhaaS Platform Disrupted

https://www.microsoft.com/en-us/security/blog/2025/03/13/tycoon2fa-phishing-as-a-service-platform-disrupted-in-global-law-enforcement-operation/

Interpol Operation Synergia Targets Global Phishing Operations

https://www.interpol.int/News-and-Events/News/2025/Global-cybercrime-crackdown-targets-phishing-as-a-service-platforms

Microsoft Threat Intelligence - Storm-1747 disruption

https://www.microsoft.com/en-us/security/blog/2025/03/13/operation-synergia-law-enforcement-and-microsoft-disrupt-tycoon2fa-phishing-as-a-service-platform/

Trend Micro - Tycoon2FA Attribution

https://www.trendmicro.com/en_us/research/25/c/tycoon2fa-phishing-as-a-service-platform.html

Microsoft Threat Intelligence - Tycoon 2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/29/tycoon-2fa-phishing-kit-adds-mfa-bypass-for-microsoft-365-and-gmail/

Interpol Operation Synergia II - Phishing-as-a-Service disruption

https://www.interpol.int/News-and-Events/News/2025/INTERPOL-operation-Synergia-II-cracks-down-on-cybercrime

Interpol Operation Synergia - Phishing Infrastructure Disruption

https://www.interpol.int/News-and-Events/News/2025/Operation-Synergia-global-action-targets-phishing-and-online-fraud

Microsoft Threat Intelligence - Storm-1747 and the Tycoon2FA PhaaS platform

https://www.microsoft.com/en-us/security/blog/2024/12/11/storm-1747-and-the-tycoon2fa-phaas-platform/

Interpol Operation Synergia II disrupts cybercrime infrastructure

https://www.interpol.int/en/News-and-Events/News/2025/Operation-Synergia-II-disrupts-cybercrime-infrastructure

Microsoft Threat Intelligence: Tycoon 2FA phishing kit used in attacks against more than 2,500 Microsoft 365 accounts

https://www.microsoft.com/en-us/security/blog/2024/10/08/tycoon-2fa-phishing-kit-used-in-attacks-against-more-than-2500-microsoft-365-accounts/

Trend Micro: Unmasking Tycoon 2FA: A Comprehensive Investigation into the Developer and the Operation

https://www.trendmicro.com/en_us/research/25/c/unmasking-tycoon-2fa.html

Microsoft Threat Intelligence - Tycoon2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/03/tycoon2fa-phishing-kit-becoming-popular-among-cybercriminals/

INTERPOL Operation Synergia II targets phishing infrastructure

https://www.interpol.int/en/News-and-Events/News/2025/INTERPOL-led-operation-targets-phishing-infrastructure

Microsoft Security Blog: Tycoon2FA phishing kit enables AiTM attacks at scale

https://www.microsoft.com/en-us/security/blog/2024/10/03/tycoon2fa-phishing-kit-enables-aitm-attacks-at-scale/

Trend Micro: Tycoon2FA Phishing Kit and Its Operators

https://www.trendmicro.com/en_us/research/25/a/tycoon2fa-phishing-kit-and-its-operators.html

Microsoft Threat Intelligence: Storm-1747 and the Tycoon2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/08/storm-1747-and-tycoon2fa-phishing-kit/

Interpol Operation Synergia II disrupts global cybercrime

https://www.interpol.int/en/News-and-Events/News/2025/Operation-Synergia-II-strikes-at-cybercrime

Microsoft Threat Intelligence - Storm-1747 operates Tycoon2FA phishing platform

https://www.microsoft.com/en-us/security/blog/2024/10/28/tycoon-2fa-a-phishing-kit-targeting-microsoft-365-and-gmail/

Interpol Operation Synergia targets phishing-as-a-service platform

https://www.interpol.int/News-and-Events/News/2025/Operation-Synergia-Interpol-and-private-sector-dismantle-major-phishing-as-a-service-platform

Microsoft Threat Intelligence - Storm-1747 Tycoon2FA PhaaS disruption

https://www.microsoft.com/en-us/security/blog/2025/03/12/storm-1747-tycoon2fa-phaas-disruption/

Interpol Operation Synergia phishing disruption

https://www.interpol.int/News-and-Events/News/2025/Global-operation-targets-phishing-as-a-service-platform

Microsoft Threat Intelligence - Tycoon 2FA phishing kit goes offline after enforcement action

https://www.microsoft.com/en-us/security/blog/2025/03/06/tycoon-2fa-phishing-kit-goes-offline-after-enforcement-action/

Interpol Operation Synergia II

https://www.interpol.int/en/News-and-Events/News/2025/INTERPOL-operation-Synergia-II-targets-phishing-fraud-and-ransomware

Microsoft Threat Intelligence: Tycoon 2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/10/tycoon-2fa-phishing-kit-observed-in-the-wild/

Interpol Operation Synergia dismantles global phishing infrastructure

https://www.interpol.int/News-and-Events/News/2025/Operation-Synergia-dismantles-global-phishing-infrastructure

Microsoft Threat Intelligence - Tycoon 2FA phishing kit targets Microsoft 365 and Gmail accounts

https://www.microsoft.com/en-us/security/blog/2024/10/08/tycoon-2fa-phishing-kit-targets-microsoft-365-and-gmail-accounts/

Trend Micro - Tycoon 2FA: Diving into the Infamous Phishing Kit

https://www.trendmicro.com/en_us/research/24/k/tycoon-2fa-diving-into-the-infamous-phishing-kit.html

Microsoft Threat Intelligence: Storm-1747 and the evolution of Tycoon2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/03/storm-1747-and-the-evolution-of-tycoon2fa-phishing-kit/

Interpol Operation Synergia II disrupts global cybercrime

https://www.interpol.int/en/News-and-Events/News/2025/Operation-Synergia-II-disrupts-global-cybercrime

Microsoft Threat Intelligence - Storm-1747 and the Tycoon2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/08/storm-1747-and-the-tycoon2fa-phishing-kit/

Interpol Operation Synergia II targets phishing platforms

https://www.interpol.int/News-and-Events/News/2025/INTERPOL-operation-targets-phishing-platforms

Microsoft Threat Intelligence - Tycoon 2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/07/tycoon-2fa-phishing-kit-used-in-extensive-campaigns-targeting-microsoft-365-and-gmail-accounts/

Interpol Operation Synergia on cybercrime infrastructure

https://www.interpol.int/News-and-Events/News/2025/Operation-Synergia-major-cybercrime-infrastructure-targeted

Microsoft Threat Intelligence - Tycoon2FA PhaaS platform disrupted

https://www.microsoft.com/en-us/security/blog/2025/03/11/tycoon2fa-phaas-platform-disrupted/

Trend Micro - Unmasking Tycoon 2FA: The Invisible Phishing Threat

https://www.trendmicro.com/en_us/research/25/a/unmasking-tycoon-2fa.html

Microsoft Security Threat Intelligence: Storm-1747 and the Tycoon2FA PhaaS platform

https://www.microsoft.com/en-us/security/blog/2024/10/10/storm-1747-and-the-tycoon2fa-phaas-platform/

Interpol Operation Synergia: Global police action targets phishing platforms

https://www.interpol.int/en/News-and-Events/News/2025/Global-police-action-targets-phishing-platforms

Microsoft Threat Intelligence - Storm-1747 Tycoon2FA PhaaS disruption

https://www.microsoft.com/en-us/security/blog/2025/03/13/microsoft-partners-with-interpol-to-disrupt-storm-1747-tycoon2fa-phishing-as-a-service-operation/

Interpol Operation Synergia III announcement

https://www.interpol.int/en/News-and-Events/News/2025/INTERPOL-led-operation-takes-down-major-phishing-as-a-service-platform

Microsoft Threat Intelligence - Tycoon 2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/08/tycoon-2fa-phishing-kit-becoming-popular-among-cybercriminals/

Interpol Operation Synergia II targets phishing infrastructure

https://www.interpol.int/en/News-and-Events/News/2025/INTERPOL-private-sector-join-forces-to-take-down-cybercrime-infrastructure

Microsoft Threat Intelligence - Tycoon2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/03/tycoon2fa-phishing-kit-targets-microsoft-365-and-gmail-accounts/

Interpol Operation Synergia II - Tycoon2FA Disruption

https://www.interpol.int/News-and-Events/News/2025/INTERPOL-targets-phishing-schemes-in-global-operation

Microsoft Threat Intelligence - Storm-1747 deploys large-scale phishing-as-a-service operation

https://www.microsoft.com/en-us/security/blog/2024/10/03/storm-1747-deploys-large-scale-phishing-as-a-service-operation/

Interpol Operation Synergia disrupts global phishing networks

https://www.interpol.int/News-and-Events/News/2025/INTERPOL-disrupts-global-phishing-networks-in-Operation-Synergia

Microsoft: Storm-1747 and Tycoon 2FA PhaaS Platform Disrupted

https://www.microsoft.com/en-us/security/blog/2025/03/11/storm-1747-and-tycoon-2fa-phaas-platform-disrupted/

Interpol Operation Synergia Announcement

https://www.interpol.int/News-and-Events/News/2025/INTERPOL-led-operation-takes-down-major-phishing-platform

Microsoft Threat Intelligence: Tycoon2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/03/tycoon2fa-phishing-kit-leveraged-in-large-scale-credential-theft-campaigns/

Interpol Operation Synergia - Phase II Results

https://www.interpol.int/en/News-and-Events/News/2025/INTERPOL-operation-shuts-down-22-000-malicious-IP-addresses

Microsoft Threat Intelligence - Tycoon2FA phishing kit seized in international law enforcement operation

https://www.microsoft.com/en-us/security/blog/2025/03/20/tycoon2fa-phishing-kit-seized-in-international-law-enforcement-operation/

Interpol Operation Synergia II

https://www.interpol.int/en/News-and-Events/News/2025/INTERPOL-operation-targets-global-cybercrime-infrastructure

Microsoft Threat Intelligence - Storm-1747 Tycoon2FA PhaaS disruption

https://www.microsoft.com/en-us/security/blog/2025/03/18/interpol-and-partners-disrupt-tycoon2fa-phishing-as-a-service-platform/

Trend Micro - Tycoon2FA Developer Identity Analysis

https://www.trendmicro.com/en_us/research/25/a/tycoon2fa-phishing-kit.html

INTERPOL announces takedown of Tycoon2FA phishing-as-a-service platform

https://www.interpol.int/en/News-and-Events/News/2025/INTERPOL-announces-takedown-of-Tycoon2FA-phishing-as-a-service-platform

Storm-1747

Overview

Motivations

Target Sectors

Activity Timeline

Quick Facts

MITRE ATT&CK Techniques

Initial Access

Other

Defense Evasion

Tools & Malware

Evilginx2

Modlishka

Custom AiTM phishing kits

Reverse proxy tools

Residential proxy networks

Credential harvesting frameworks

Cloudflare Workers (for phishing infrastructure)

Microsoft Graph API abuse tools

Tycoon2FA

Indicators of Compromise

Infrastructure

References

Storm-1747

Overview

Motivations

Target Sectors

Activity Timeline

Quick Facts

MITRE ATT&CK Techniques

Initial Access

Other

Defense Evasion

Tools & Malware

Evilginx2

Modlishka

Custom AiTM phishing kits

Reverse proxy tools

Residential proxy networks

Credential harvesting frameworks

Cloudflare Workers (for phishing infrastructure)

Microsoft Graph API abuse tools

Tycoon2FA

Indicators of Compromise

Infrastructure

References