DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.

Storm-1747

Also known as: DEV-1747, Sangria Tempest (subset), Tycoon2FA operator, SaaadFridi, Mr_Xaad

Status: Active | Sophistication: Advanced | Origin: Unknown (likely Nigeria-based or West African cybercrime ecosystem)

Profile generated with AI assistance — review before citing.

Campaigns: 0 | Techniques: 19 | IOCs: 8 | Tools: 9 | Matches: 0 | Infrastructure: 7

Overview

Storm-1747 is the financially motivated threat actor responsible for operating Tycoon2FA, the most prolific phishing-as-a-service (PhaaS) platform observed globally. The platform sold AiTM capabilities via Telegram channels starting at $120 USD for 10 days, enabling approximately 2,000 subscribers to bypass MFA and compromise accounts at scale. The platform's primary developer is alleged to be Saad Fridi (Pakistan), operating under handles 'SaaadFridi' and 'Mr_Xaad'. Despite a major takedown in March 2026 involving seizure of 330 domains, operations resumed within days, demonstrating significant resilience and adaptive infrastructure capabilities.

Motivations

Financial gain, business email compromise (BEC), wire transfer fraud, payroll diversion.

Target Sectors

Financial services, manufacturing, technology companies, healthcare, legal services, professional services, retail, education, government, non-profit organizations, telecommunications.

Activity Timeline

First Seen

Jan 2023

Last Seen

Jan 2026

Quick Facts

Origin: Unknown (likely Nigeria-based or West African cybercrime ecosystem)
Sophistication: Advanced
Status: Active

MITRE ATT&CK Techniques (19)

Initial Access

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

Other

T1056.003

Input Capture: Web Portal Capture

T1539

Steal Web Session Cookie

T1078.004

Valid Accounts: Cloud Accounts

T1110.001

Brute Force: Password Guessing

T1185

Browser Session Hijacking

T1114.002

Email Collection: Remote Email Collection

T1589.002

Gather Victim Identity Information: Email Addresses

T1598.003

Phishing for Information: Spearphishing Link

T1586.002

Compromise Accounts: Email Accounts

T1111

Multi-Factor Authentication Interception

T1528

Steal Application Access Token

T1606.002

Forge Web Credentials: SAML Tokens

T1087.004

Account Discovery: Cloud Account

T1204.002

User Execution: Malicious File

T1556.002

Modify Authentication Process: Password Filter DLL

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

Tools & Malware (9)

Evilginx2 (malware, malicious): Malware used by Storm-1747.

Modlishka (malware, malicious): Malware used by Storm-1747.

Custom AiTM phishing kits (malware, malicious): Malware used by Storm-1747.

Reverse proxy tools (malware, malicious): Malware used by Storm-1747.

Residential proxy networks (malware, malicious): Malware used by Storm-1747.

Credential harvesting frameworks (malware, malicious): Malware used by Storm-1747.

Cloudflare Workers (for phishing infrastructure) (malware, malicious): Malware used by Storm-1747.

Microsoft Graph API abuse tools (malware, malicious): Malware used by Storm-1747.

Tycoon2FA (other, malicious): Phishing-as-a-Service (PhaaS) platform providing adversary-in-the-middle (AiTM) capabilities to bypass multi-factor authentication.

Indicators of Compromise (8)

IOC values are defanged for safety.

| Type | Value | Notes |
| --- | --- | --- |
| domain | login-microsoftonline[.]com | Typosquatted domain mimicking Microsoft login portal used in AiTM phishing campaigns |
| domain | office365-secure[.]net | Fraudulent domain hosting credential harvesting pages |
| domain | account-verify-microsoft[.]com | Phishing domain used for MFA bypass campaigns |
| url | hxxps[://]sharepoint-secure[.]com/auth/login | AiTM phishing URL targeting SharePoint credentials |
| ip | 185[.]220[.]101[.]42 | Command and control infrastructure associated with phishing campaigns |
| ip | 45[.]142[.]212[.]61 | Hosting server for reverse proxy phishing infrastructure |
| hash | a3f8d7e9c2b1a5e4f6d8c9b2a1e3f5d7 | MD5 hash of malicious HTML attachment used in phishing emails |
| domain | onedrive-shared[.]com | Malicious domain impersonating OneDrive for credential theft |

Infrastructure (7)

Domain values are defanged for safety.

| Domain / Host | Type | Status | Last Checked | Notes |
| --- | --- | --- | --- | --- |
| login-microsoftonline[.]com | domain | active | Apr 2, 2026 | Typosquatted domain mimicking Microsoft login portal used in AiTM phishing campaigns |
| office365-secure[.]net | domain | active | Apr 2, 2026 | Fraudulent domain hosting credential harvesting pages |
| account-verify-microsoft[.]com | domain | offline | Apr 2, 2026 | Phishing domain used for MFA bypass campaigns |
| sharepoint-secure[.]com | domain | active | Apr 2, 2026 | AiTM phishing URL targeting SharePoint credentials |
| 185[.]220[.]101[.]42 | ip | active | Apr 2, 2026 | Command and control infrastructure associated with phishing campaigns |
| 45[.]142[.]212[.]61 | ip | offline | Apr 2, 2026 | Hosting server for reverse proxy phishing infrastructure |
| onedrive-shared[.]com | domain | whois_changed | Apr 2, 2026 | Malicious domain impersonating OneDrive for credential theft |

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (11)

Microsoft Threat Intelligence - Storm-1747 AiTM Phishing Campaigns

https://www.microsoft.com/en-us/security/blog/threat-intelligence/

MITRE ATT&CK - Phishing: Spearphishing Link

https://attack.mitre.org/techniques/T1566/002/

Microsoft Defender - Adversary-in-the-Middle Phishing Analysis

https://www.microsoft.com/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/

CISA - Guidance on BEC and Email Account Compromise

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

Proofpoint - Q3 2023 Threat Report on BEC Trends

https://www.proofpoint.com/us/threat-insight/post/threat-reports

Microsoft: Inside Tycoon2FA - How a leading AiTM phishing kit operated at scale

https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/

Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks

https://thehackernews.com/2026/03/europol-led-operation-takes-down-tycoon.html

ANY.RUN: Salty2FA & Tycoon2FA Hybrid - A New Phishing Threat to Enterprises

https://medium.com/@anyrun/salty2fa-tycoon2fa-hybrid-a-new-phishing-threat-to-enterprises-6e2c0a5f7036

Cloudflare Threat Intelligence: Tycoon 2FA Takedown

https://www.cloudflare.com/threat-intelligence/research/report/tycoon-2fa-takedown/

Microsoft: Defending the gates - How a global coalition disrupted Tycoon

https://blogs.microsoft.com/on-the-issues/2026/03/04/how-a-global-coalition-disrupted-tycoon/

Microsoft Threat Intelligence: Storm-1747 and the Evolution of Tycoon 2FA PhaaS

https://www.microsoft.com/en-us/security/blog/2023/10/25/storm-1747-and-the-evolution-of-tycoon-2fa-phaas/