The Exploit: Anatomy of a Modern Cyber Heist Part 2: The Perfect Phish

Justin Kirsch | 9 min read

In March 2026, Microsoft Threat Intelligence published a detailed breakdown of Tycoon2FA — a phishing-as-a-service platform that sends tens of millions of phishing emails per month, targets over 500,000 organizations worldwide, and defeats every standard form of multi-factor authentication. The platform comes pre-loaded with pixel-perfect Microsoft 365 login page templates. Any attacker with a subscription can launch targeted campaigns against financial institutions without writing a single line of code.

This is Part 2 of a four-part series tracking the cyber kill chain that credit unions, banks, and mortgage companies face today. In Part 1: The Leak, we traced how stolen credentials and social media reconnaissance give attackers everything they need to build a target profile. Now those credentials become weapons.

3.4B phishing emails hit inboxes every day, and financial services absorbs 27.7% of all phishing attempts — more than any other industry.
Source: AAG IT Services, 2025 Phishing Statistics Report

Tycoon2FA: The Phishing Kit That Defeats MFA

Traditional phishing steals passwords. Tycoon2FA steals entire authenticated sessions — and it does it at industrial scale.

The platform operates as a subscription service on underground forums. Buyers get a complete toolkit: pre-built phishing page templates that mirror Microsoft 365, Google Workspace, and major financial platforms. The templates are updated regularly to match design changes on the real login pages. When a credit union employee, bank teller, or mortgage processor clicks a phishing link, they see an exact replica of their real login screen.

But Tycoon2FA isn't a static phishing page. It's a real-time proxy that sits between the victim and the legitimate Microsoft 365 login server.

1. Victim Clicks Phishing Link
Employee receives a targeted email — invoice, shared document, vendor portal update. The link opens a pixel-perfect clone of their Microsoft 365 login page.

2. Credentials Relayed in Real Time
Victim enters their username and password. Tycoon2FA instantly forwards these to the real Microsoft login server through its proxy. The real server responds normally.

3. MFA Token Captured
The real server prompts for MFA. The victim enters their code — SMS, authenticator app, or push notification. Tycoon2FA captures the MFA response and relays it within seconds. The real server issues an authenticated session token.

4. Session Hijacked
Tycoon2FA captures the session token. The victim sees a "session timeout" error. The attacker now holds a fully authenticated session — they ARE the victim. No password or MFA code is needed again.

5. Mailbox Rules Set
The attacker sets email forwarding rules to intercept incoming messages from specific senders — vendors, title companies, borrowers. They monitor communications silently, waiting for high-value transactions.

This is why MFA alone is not enough. Tycoon2FA defeats SMS codes, authenticator apps, and push notifications. The only authentication method that resists this attack is FIDO2 security keys or passkeys, which validate the domain before releasing credentials. If the domain doesn't match, the key refuses to authenticate — and the proxy can't fake the domain validation.

Why NYDFS Part 500 Is Forcing the Issue

The New York Department of Financial Services amended Part 500 to require universal multi-factor authentication for all individuals accessing any information system — not just remote access or privileged accounts. The first annual certification covering universal MFA is due April 15, 2026. But the regulation doesn't specify phishing-resistant MFA. Credit unions, banks, and mortgage companies that deploy only SMS-based MFA meet the letter of the rule while remaining fully vulnerable to Tycoon2FA-style attacks. The institutions that deploy FIDO2 keys or passkeys meet both the letter and the intent.

[Infographic: the 5-step adversary-in-the-middle phishing attack flow, using the Tycoon2FA proxy to defeat MFA at financial institutions]

How Adversary-in-the-Middle Attacks Actually Work

Understanding AiTM attacks requires understanding what MFA actually protects — and what it doesn't.

Standard MFA adds a second factor to authentication: something you know (password) plus something you have (phone, authenticator app). This blocks credential stuffing and brute force attacks effectively. If an attacker only has the stolen password from a dark web dump, MFA stops them cold.

But AiTM attacks don't replay stolen credentials later. They relay them in real time. The proxy captures both the password and the MFA code within the same authentication session, passes them to the real server, and intercepts the session token that comes back. From that point forward, the attacker operates with a fully authenticated session — no credentials needed.

Real-World Scenario: A Loan Processor Receives a "Shared Document" Notification

A loan processor at a mid-size mortgage company receives an email that appears to come from a colleague: "I've shared the updated borrower verification checklist with you. Click here to review."

The link opens what looks exactly like the company's SharePoint login. The processor enters credentials and MFA.

Thirty seconds later, the attacker has the session token. They set an inbox rule to forward all emails from title companies to an external address and begin monitoring for upcoming closings with wire transfer instructions.

The processor notices nothing — the "shared document" redirects to a real SharePoint page after authentication. Everything feels normal. The compromise won't be discovered until a borrower's down payment disappears.

Microsoft Threat Intelligence documented Tycoon2FA targeting over 500,000 organizations across every major industry, with financial services among the most targeted sectors. The platform's pre-built Microsoft 365 templates make it trivially easy to target any organization that relies on the Microsoft ecosystem — which includes the vast majority of credit unions, banks, and mortgage companies in the United States.

Is Your MFA Phishing-Resistant?

Most financial institutions rely on SMS or authenticator-based MFA that AiTM attacks bypass in seconds.

The $19.6 Million BEC Scheme That Targeted 231 Closings

AiTM phishing provides the access. Business email compromise turns that access into money. Babatunde Ayeni demonstrated exactly how devastating that combination can be.

Case Study: 2020–2024

Babatunde Ayeni BEC Ring — $19.6 Million Stolen

Over four years, Ayeni's team phished title company employees and real estate agents across the United States. Once inside their email accounts, they monitored closing communications — watching for the exact moment when wire transfer instructions would be sent. At the right moment, they sent fraudulent wire instructions from what appeared to be the legitimate title company email. 231 victims lost a combined $19.6 million in stolen down payments and closing funds. Over 400 additional victims were targeted but intercepted. Ayeni was sentenced to 10 years in federal prison in November 2024.

Sources: DOJ Press Release (Nov 2024), Ars Technica, MPA Magazine

Ayeni's scheme was devastatingly simple. His team didn't hack firewalls or exploit zero-day vulnerabilities. They phished one email account at a title company, then monitored that inbox silently for weeks — sometimes months. They learned the communication patterns: who sends wire instructions, what the standard email format looks like, when closings are scheduled.

Then, at exactly the right moment — hours before a real closing — they sent wire transfer instructions from the compromised email account to the buyer. The instructions looked identical to legitimate ones. The routing number was different. The buyer wired their down payment to an account controlled by Ayeni's network. By the time anyone realized the money went to the wrong place, it had been moved through multiple accounts and withdrawn.

The Down Payments That Vanished

The Ayeni case represents the organized end of mortgage closing fraud. But individual cases tell the human story — families who lost their life savings in a single wire transfer.

Victim | Location | Amount Lost | How It Happened | Outcome
First-time homebuyer | Spokane, WA | $34,000 | Spoofed loan officer email with wire instructions sent before real instructions arrived | Down payment lost — wired to fraudulent account
Borrower | Cincinnati, OH | $7,542 | Fake title company email included agent's photo, knew exact closing date and amount | Down payment lost — discovered too late to recover
Real estate buyer | Central Washington | $700,000 (nearly) | Fake title company email with wire instructions during real estate transaction | Intercepted by local sheriff's office before completion

In every case, the attackers knew specific details about the transaction — the closing date, the amount, the title company involved, and the names of the people sending and receiving instructions. That level of detail doesn't come from guessing. It comes from sitting inside a compromised email account, reading every message, and waiting for the right moment.

Ayeni's team didn't hack firewalls. They phished one email account at a title company, then waited — sometimes months — for the right closing to redirect. The attack was patient, precise, and devastating.

The FBI's Internet Crime Complaint Center reported $2.8 billion in BEC losses across all sectors in 2024, with an average wire transfer request of $83,099 — up 97% from the previous quarter. Real estate transactions remain among the highest-value targets because the wire amounts are large, the timing is predictable, and the parties involved expect to receive wire instructions by email.

[Infographic: BEC wire fraud statistics — $2.8 billion in losses, $19.6 million stolen by the Ayeni ring from 231 mortgage closings, $83,099 average wire fraud amount]

Breaking the Second Link: Phishing-Resistant Authentication

The controls that break the phishing link in the kill chain fall into two categories: preventing the phish from succeeding, and detecting when it does.

FIDO2 security keys and passkeys. The only MFA method that Tycoon2FA and similar AiTM kits cannot defeat. FIDO2 keys validate the domain before releasing credentials — if the domain doesn't match the registered service, the key refuses to authenticate. The proxy can't fake domain validation. For credit unions, banks, and mortgage companies handling wire transfers, FIDO2 keys are the highest-impact single control you can deploy.
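The domain check described in this paragraph (and in the "why MFA alone is not enough" paragraph earlier) is the WebAuthn origin and RP ID binding. The following is an added, simplified model of it, not Microsoft's or any vendor's code: the browser records the page origin itself and refuses RP IDs that do not belong to that origin, and the relying party rejects assertions whose origin or rpIdHash do not match. An HMAC key stands in for the passkey's asymmetric signature; all names and values are constructed.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed example, not the real Microsoft or WebAuthn implementation.
RP_ID = "login.microsoftonline.com"            # RP ID the passkey was registered for
EXPECTED_ORIGIN = "https://" + RP_ID
CHALLENGE = "constructed-single-use-challenge"  # issued by the real server per sign-in
# Simplification: an HMAC key stands in for the passkey's private key and the
# RP's stored public key; real FIDO2 uses an asymmetric signature.
CREDENTIAL_KEY = b"constructed-credential-secret"


def browser_assert(page_origin: str, requested_rp_id: str):
    """Browser + authenticator side. The browser writes `origin` itself and
    refuses any RP ID that is not the page's host or a parent domain of it."""
    host = urlparse(page_origin).hostname or ""
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None  # SecurityError in a real browser: RP ID not valid for this origin
    client_data = json.dumps({"type": "webauthn.get", "challenge": CHALLENGE,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x01"  # rpIdHash||flags
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion) -> tuple:
    """Relying-party side: the checks WebAuthn requires before accepting a sign-in."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != CHALLENGE:
        return False, "bad type or challenge"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential not scoped to this RP"
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest(),
                               assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def sign_in(page_origin: str, requested_rp_id: str = RP_ID) -> tuple:
    """Full round trip; a proxy in the middle can only relay the bytes it is given."""
    assertion = browser_assert(page_origin, requested_rp_id)
    if assertion is None:
        return False, "browser refused: RP ID not valid for " + page_origin
    return rp_verify(assertion)
```

A phishing page on a look-alike host fails at the browser before any assertion is produced; a proxy that rewrites the origin field afterwards is caught by the rpIdHash and signature checks.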

Microsoft Defender for Office 365. AI-driven analysis catches phishing emails that reference real vendor names, mimic legitimate invoice formats, and bypass standard spam filters. Safe Links rewrites URLs to route through Microsoft's real-time scanning before the user reaches the destination. Safe Attachments detonates suspicious files in a sandbox before delivery.

Conditional Access in Entra ID. Block sign-ins from unmanaged devices, suspicious locations, or non-compliant endpoints. Even if an attacker captures a session token through AiTM, Conditional Access can invalidate that token if the access attempt comes from an unrecognized device or geography.

Email forwarding rule monitoring. The first thing an attacker does after compromising an email account is set forwarding rules to intercept incoming messages. Guardian monitors for new forwarding rules, impossible travel logins, and MFA token replay attempts in real time. A new forwarding rule on a loan officer's account at 2 AM triggers an immediate alert — not a log entry that someone reviews next week.
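One way to implement the forwarding-rule check this paragraph describes, as an added example that is not Guardian's or Microsoft's code: it scans audit records for inbox-rule and mailbox changes that forward mail outside the organization and raises severity for the traits seen in the attack flow above (off-hours creation, a rule keyed to one sender, deletion of the original). The records are constructed and follow only the general shape of Exchange admin audit entries; the field names and domains are assumptions.

```python
from datetime import datetime

INTERNAL_DOMAINS = {"examplecu.org"}   # constructed: the institution's own domains
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed records in the general shape of Exchange admin audit entries (Name/Value Parameters).
SAMPLE_EVENTS = [
    {"CreationTime": "2026-03-12T02:07:41", "Operation": "New-InboxRule",
     "UserId": "lo.processor@examplecu.org",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "From", "Value": "closings@title-example.com"},
                    {"Name": "ForwardTo", "Value": "archive.mail@outlook-mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-03-12T09:15:02", "Operation": "New-InboxRule",
     "UserId": "a.teller@examplecu.org",
     "Parameters": [{"Name": "Name", "Value": "Branch updates"},
                    {"Name": "MoveToFolder", "Value": "Branch"}]},
    {"CreationTime": "2026-03-12T14:30:00", "Operation": "Set-Mailbox",
     "UserId": "it.admin@examplecu.org",
     "Parameters": [{"Name": "Identity", "Value": "shared.loans"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:loans@examplecu.org"}]},
]

def external_forward_targets(event):
    """Forwarding destinations in this event whose domain is not one of ours."""
    targets = []
    for p in event.get("Parameters", []):
        if p["Name"] not in FORWARDING_PARAMS:
            continue
        for addr in str(p["Value"]).lower().split(";"):
            addr = addr.strip().removeprefix("smtp:")
            if addr and addr.rpartition("@")[2] not in INTERNAL_DOMAINS:
                targets.append(addr)
    return targets

def analyze(events, work_hours=range(6, 20)):
    """One alert per rule change that forwards outside the org; severity rises for
    off-hours changes, sender-specific rules, and rules that also delete the mail."""
    alerts = []
    for ev in events:
        ext = external_forward_targets(ev) if ev.get("Operation") in RULE_OPERATIONS else []
        if not ext:
            continue
        params = {p["Name"]: str(p["Value"]).lower() for p in ev["Parameters"]}
        score = 1 + (datetime.fromisoformat(ev["CreationTime"]).hour not in work_hours) \
                  + ("From" in params) + (params.get("DeleteMessage") == "true")
        alerts.append({"user": ev["UserId"], "targets": ext,
                       "severity": "high" if score >= 3 else "medium"})
    return alerts
```

The benign folder rule and the admin's forward to an internal shared mailbox produce nothing; the 2 AM rule forwarding a title company's mail off-domain and deleting the original is the high-severity alert.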

Purview Data Loss Prevention. Flag emails containing sensitive borrower information — SSNs, bank account numbers, loan application data — sent to unverified external addresses. Even if an attacker controls an internal email account, DLP policies prevent them from exfiltrating borrower data or sending wire instructions to unauthorized recipients.

ABT deploys these controls across 750+ credit unions, banks, and mortgage companies on a pure Microsoft stack, with no third-party email security tools that would add their own supply chain risk. Guardian's monitoring catches the behavioral patterns that signal a compromised account — email forwarding changes, unusual login geography, bulk data access — and responds before the attacker can act on their access.

Kill Chain Status — Part 2 of 4

Recon > [PHISH] > Breach > Heist

The credentials stolen in Part 1 have been weaponized into a successful phishing attack. The attacker now holds an authenticated session. In Part 3: The Breach, that access becomes a foothold for supply chain attacks and lateral movement — when your vendor gets hacked, you get hacked.

$2.8B lost to business email compromise in 2024 — mortgage closings are among the highest-value targets

Don't Let Your Next Closing Become a Case Study

Guardian monitors email forwarding rules, impossible travel logins, and MFA token replay attempts in real time. ABT deploys phishing-resistant authentication across 750+ credit unions, banks, and mortgage companies.

Frequently Asked Questions

What is adversary-in-the-middle (AiTM) phishing, and why does it defeat standard MFA?

Adversary-in-the-middle (AiTM) phishing uses a real-time proxy server that sits between the victim and the legitimate login page. When the victim enters credentials and an MFA code, the proxy relays them to the real server instantly, capturing the authenticated session token. This defeats standard MFA — SMS codes, authenticator apps, and push notifications — because the attacker doesn't need the password or code again. They ride the stolen session token directly. FIDO2 security keys and passkeys resist this attack because they validate the domain before releasing credentials. If the domain doesn't match, the key refuses to authenticate.

How often should financial institutions run phishing simulations?

Financial institutions should run phishing simulations at least monthly, using scenarios tailored to financial services workflows like invoice approvals, wire transfer requests, and vendor portal updates. Research shows 32% of untrained employees fall for phishing scams. Monthly simulations with immediate feedback reduce click-through rates over time and build pattern recognition. The FTC Safeguards Rule requires continual security awareness training for all staff handling customer information — annual checkbox training does not meet this standard.

What Microsoft 365 controls protect against phishing?

Microsoft 365 includes Defender for Office 365 with Safe Links, Safe Attachments, and anti-phishing policies that use machine learning to detect impersonation attempts. Exchange Online Protection filters known malicious senders and domains. Conditional Access policies in Entra ID can block sign-ins from suspicious locations or unmanaged devices. Data Loss Prevention rules flag emails containing sensitive borrower information sent to unverified external addresses. These controls are included in most E3 and E5 licenses but require proper configuration — ABT activates and monitors them across 750+ financial institutions.

What does NYDFS Part 500 require for multi-factor authentication?

The New York Department of Financial Services amended Part 500 to require universal multi-factor authentication for all individuals accessing any information system — not just remote access or privileged accounts. This covers cloud applications, on-premise systems, third-party tools, and vendor access. The first annual certification covering universal MFA is due April 15, 2026. Entities that are not certified by that date risk enforcement action including fines up to $100,000 per violation. The regulation does not currently mandate phishing-resistant MFA specifically, but institutions deploying only SMS-based MFA remain vulnerable to AiTM attacks.

How does mortgage closing wire fraud work?

Attackers compromise a title company or real estate agent's email account through phishing, then silently monitor communications for upcoming closings. They learn the participants, the closing date, and the expected wire amount. At exactly the right moment — usually hours before the legitimate wire instructions are sent — the attacker sends fraudulent wire instructions from the compromised email account. The instructions look identical to legitimate ones, but the routing number directs the funds to an attacker-controlled account. The Ayeni BEC ring used this technique to steal $19.6 million from 231 victims between 2020 and 2024. Out-of-band verification — calling the title company at a known phone number to confirm wire instructions — is the primary defense.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has spent over 25 years deploying phishing-resistant authentication and email security controls for credit unions, banks, and mortgage companies. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he leads a team that monitors and hardens Microsoft 365 environments for more than 750 financial institutions nationwide.