Posts

Showing posts with the label PhaaS

Europol, Microsoft, TrendAI™ and Collaborators Halt Tycoon 2FA Operations

A coordinated disruption effort this week seized the infrastructure tied to the operations of the phishing-as-a-service (PhaaS) platform Tycoon 2FA. Over 300 domains tied to Tycoon 2FA were seized in an operation led by Microsoft and Europol and supported by other law enforcement agencies, as well as private organizations such as CloudFlare, Coinbase, Crowell, eSentire, Health-ISAC, Intel471, Proofpoint, Resecurity, The Shadowserver Foundation, SpyCloud, and TrendAI™. Researchers from TrendAI™ have been tracking the infrastructure, as well as the campaigns and operator behaviors that can be linked to Tycoon 2FA, to build a clearer picture of how its service was being used at scale. By November 2025, TrendAI™ had collected enough data to link the operation to an actor using the monikers “SaaadFridi” and “Mr_Xaa...

Phishing-as-a-Service Gets Smarter: Microsoft Sounds Alarm on AiTM Attacks

Microsoft is warning of an increase in adversary-in-the-middle (AiTM) phishing techniques, which are being propagated as part of the phishing-as-a-service (PhaaS) cybercrime model. In addition to an uptick in AiTM-capable PhaaS platforms, the tech giant noted that existing phishing services like PerSwaysion are incorporating AiTM capabilities. "This development in the PhaaS ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter). Phishing kits with AiTM capabilities work in two ways, one of which concerns the use of reverse proxy servers (i.e., the phishing page) to relay traffic to and from the client and legitimate website and stealthily capture user credentials, two-factor authentication codes, and session cookies. A second method involves synchronous relay servers. "In AiTM through synchronous relay servers the t...