Responding to a Tycoon2FA phishing campaign at a NERC CIP utility

Last summer during my internship at North Carolina’s Electric Cooperatives, we got hit by a phishing campaign that turned out to be more sophisticated than it first appeared. This is a chronological walkthrough of how it was detected, how the attack evolved across multiple waves, and what containment looked like from the inside. Background Tycoon2FA is a phishing-as-a-service platform that specializes in adversary-in-the-middle (AiTM) attacks. Rather than stealing a password directly, it proxies the victim through a fake Microsoft login page and captures the session cookie after MFA is completed — bypassing multi-factor authentication entirely. It’s been widely used in Business Email Compromise campaigns and is sold as a kit on cybercrime forums. ...

May 7, 2026