Issue #002, March 9, 2026
Faisal Misle

What's happening in email security: March 2–8, 2026

Microsoft blocked more than 30 million Tycoon 2FA phishing emails in a single month. This week, law enforcement took the platform down. Competing AitM services are already filling the gap.

Europol Dismantles Tycoon 2FA, Seizing 330 Domains Across 6 Countries

This is the biggest enforcement win in the adversary-in-the-middle (AitM) phishing space in years.

Tycoon 2FA had been operating since August 2023, run by Saad Fridi out of Pakistan, and selling via Telegram for around $120/month. By mid-2025, it accounted for 62% of all AitM-style phishing that Microsoft blocked globally. Microsoft's own reporting puts the volume at more than 30 million emails blocked in a single month.

The platform ran as a transparent reverse proxy. A target clicked a phishing link and was served the actual login page from Microsoft, Google, or whatever the lure was mimicking. Everything passed through attacker infrastructure. Credentials, OTPs, and session cookies were captured simultaneously, in real time. Users saw no difference from the legitimate page because they were technically interacting with it.

Evasion was built in. Domains rotated every 24 to 72 hours, browser fingerprinting screened out security researchers, and keystroke monitoring gave early warning if a target paused.

This week's operation covered six countries (Latvia, Lithuania, Portugal, Poland, Spain, and the UK), seized 330 domains, and took the service offline. The disruption covered 64,000+ confirmed phishing incidents and approximately 96,000 distinct victims.

Two things are worth flagging. Healthcare and education took disproportionate damage. The indictment documents disruptions to patient care and school operations in New York. On the defensive side, hardware security keys and passkeys were confirmed resistant to this attack class. SMS-based and TOTP-based MFA were not.
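The reason hardware keys and passkeys survive a transparent reverse proxy is origin binding: the browser writes the origin it is actually on into the signed clientDataJSON, and the relying party rejects anything that names a different origin. The model below is an added example (not code from Microsoft, Europol, or this newsletter) with a constructed relying party `login.example` and a constructed proxy origin; it checks type, challenge, and origin as a relying party would, and leaves out the signature verification that would follow.

```python
import base64
import hashlib
import hmac
import json

# Constructed relying party; the origin the browser must report for a genuine login.
RP_ORIGIN = "https://login.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_data_json(challenge: bytes, origin: str) -> bytes:
    """Model of the clientDataJSON a browser builds for navigator.credentials.get().
    The browser fills in `origin` from the page it is really on; page script cannot set it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()

def verify_assertion(client_data: bytes, expected_challenge: bytes, expected_origin: str):
    """Relying-party checks on clientDataJSON (type, challenge, origin). Signature
    verification over authenticatorData || SHA-256(clientDataJSON) is omitted here:
    the origin check is the step that defeats a proxying site."""
    try:
        data = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    got = str(data.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(expected_challenge).encode()):
        return False, "challenge mismatch (stale or replayed)"
    if data.get("origin") != expected_origin:
        return False, f"origin {data.get('origin')!r} is not {expected_origin!r}"
    return True, "ok"

def demo():
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()
    direct = client_data_json(challenge, RP_ORIGIN)
    # AitM case: the proxy relays the RP's challenge unchanged, but the victim's browser
    # is on the proxy's origin, so the data it signs names that origin, not the RP's.
    # (In practice the browser would not even offer the credential: the authenticator
    # scopes it to the RP ID, which the proxy's origin does not match.)
    proxied = client_data_json(challenge, "https://login-example.proxy.invalid")
    return {
        "direct": verify_assertion(direct, challenge, RP_ORIGIN),
        "proxied": verify_assertion(proxied, challenge, RP_ORIGIN),
        "replayed": verify_assertion(direct, hashlib.sha256(b"later-nonce").digest(), RP_ORIGIN),
    }

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:9s} {'accept' if ok else 'reject'}: {why}")
```

An OTP or SMS code carries no origin at all, which is why the same proxy relays it without trouble.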

Starkiller AitM Platform Is Already Competing for the Market Tycoon Leaves Behind

The Jinkusu threat group's Starkiller platform runs the same subscription model as Tycoon 2FA, and it's already active.

The technical approach differs slightly. Starkiller uses headless Chrome in Docker containers to proxy live login pages in real time. The phishing page isn't a replica of the target site; it's the actual page served through attacker infrastructure. Security vendors can't fingerprint it because there's nothing artificial to fingerprint. Credentials, OTPs, and session tokens are captured simultaneously.

Current campaigns target North American businesses, financial institutions, and 1Password users. Starkiller competes directly with EvilProxy in the AitM subscription market. The commoditization of MFA-bypassing phishing tools is fully intact.

Microsoft Warns OAuth Redirect Abuse Is Delivering Malware to Government Targets

Microsoft flagged active phishing campaigns abusing OAuth's redirect mechanism to deliver malware to government and public-sector organizations.

The email lures include e-signature requests, Teams recording notifications, and financial themes. The link looks like a legitimate OAuth authorization URL from Entra ID or Google Workspace. The redirect URI points to attacker-controlled infrastructure. From there, ZIP archives trigger a PowerShell chain, DLL sideloading via steam_monitor.exe, and ransomware components. Some campaigns also route to EvilProxy for session token theft alongside malware delivery.

Target email addresses are encoded directly in the OAuth parameters, which boosts perceived legitimacy in the lure. Because the URL references trusted identity-provider domains, it may appear credible to users and some defenses. Email authentication confirms the sender, not the safety of the destination behind a clicked link.

.arpa DNS and IPv6 Are Being Weaponized to Bypass Phishing Defenses

Infoblox disclosed a technique that weaponizes the .arpa DNS namespace to embed phishing links that evade domain reputation checks.

Attackers obtain IPv6 address blocks via tunneling services, then create A records pointing ip6.arpa hostnames to phishing infrastructure. Those hostnames are embedded as image links in phishing emails. In the campaigns Infoblox analyzed, the malicious link was hidden behind an image. The .arpa namespace carries no WHOIS data, no domain age, and an implicit clean reputation that blocklists don't challenge. Cloudflare and Hurricane Electric nameservers obscure the infrastructure further. A traffic distribution system pre-screens targets before redirecting. The same campaign also abused CNAME hijacking of education, government, and retail domains, some exploited more than 100 times per day since September 2025.
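Both the OAuth redirect lures above and the .arpa links in this item defeat checks that only look at the hostname's reputation, so a mail gateway needs signals that look at the URL's structure. The triage function below is an added example (not Microsoft's or Infoblox's code) covering both: it flags forward hostnames in the reverse-DNS namespace, and authorize URLs on known identity-provider hosts whose `client_id` or `redirect_uri` falls outside a constructed allowlist of registered apps. The allowlist, client_id and sample links are all constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: OAuth client_id -> redirect_uri hosts registered for that app.
# A real gateway would source this from the tenant's app registrations.
REGISTERED_REDIRECTS = {
    "11111111-2222-3333-4444-555555555555": {"app.example.com"},
}
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

def triage_link(url: str) -> list:
    """Return the reasons a link in an email deserves a second look (empty list: no signal)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    # Signal 1: a reverse-DNS (.arpa) name used as a forward hostname. Such names carry no
    # WHOIS data or age, so reputation engines have nothing to judge; flag them outright.
    if host.endswith(".ip6.arpa") or host.endswith(".in-addr.arpa"):
        reasons.append(f"hostname {host} sits in the reverse-DNS .arpa namespace")
    # Signal 2: an identity-provider authorize URL whose app or redirect_uri is not one of ours.
    if host in IDP_AUTHORIZE_HOSTS and "oauth2" in parts.path:
        q = parse_qs(parts.query)
        client = q.get("client_id", [""])[0]
        rhost = (urlsplit(q.get("redirect_uri", [""])[0]).hostname or "").lower()
        allowed = REGISTERED_REDIRECTS.get(client)
        if allowed is None:
            reasons.append(f"authorize URL for unregistered client_id {client or '<missing>'}")
        elif rhost not in allowed:
            reasons.append(f"redirect_uri host {rhost!r} not registered for client {client}")
        if reasons and q.get("login_hint"):
            # A pre-filled address is normal in legitimate links; note it only beside another signal.
            reasons.append(f"login_hint pre-fills the recipient: {q['login_hint'][0]}")
    return reasons

# Constructed sample links modelled on the two techniques described above.
SAMPLES = {
    "legit": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback",
    "bad_redirect": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Fshare-docs.invalid%2Fsign&login_hint=cfo%40example.com",
    "arpa_image": "https://1.0.0.0.0.0.0.0.ip6.arpa/track/logo.png",
    "plain": "https://www.example.com/newsletter",
}

if __name__ == "__main__":
    for name, link in SAMPLES.items():
        print(name, triage_link(link) or ["no signal"])
```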

Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations

This campaign impersonated Microsoft Outlook directly. Attackers sent spam emails posing as IT support, then followed up with vishing calls to push targets toward a fake Microsoft Outlook login page hosted on AWS.

The page was a credential-harvesting replica, not a lookalike domain in the traditional sense, but explicit Microsoft brand impersonation designed to pass visual inspection under time pressure. Five organizations handed over credentials before anyone flagged it.

The tradecraft overlaps with Black Basta's known playbook, but public reporting stopped short of definitive attribution. The social engineering chain (email urgency, phone call validation, branded fake page) is what made the impersonation land.

Compromised cPanel Access Is Selling as Plug-and-Play Phishing Infrastructure

Flare analyzed more than 200,000 underground market posts and found a mature, commoditized market for compromised cPanel credentials. The bulk of posts were duplicates, automated amplification of a smaller core inventory, but the underlying market is real. Buyers get domain control, DNS configuration, SSL certificates, and access to active SMTP servers with clean IP reputation. US- and EU-hosted cPanels command premium prices. Phishing emails sent from these compromised panels can carry valid TLS, clean IP reputation, and SPF alignment if the attacker reconfigures DNS through the panel. DMARC enforcement needs to cover all sending domains. Compromised subdomains and affiliate domains are precisely the gap this market exists to exploit.
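The subdomain gap comes down to two DMARC details: alignment is relaxed by default (any subdomain of the organizational domain aligns), and subdomains take the `sp=` policy when it is set, otherwise `p=`. The evaluator below is an added example, not Flare's or Red Sift's code; it uses a simplified organizational-domain rule (last two labels) where a real checker would consult the Public Suffix List, and all domains and records are constructed.

```python
def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; sp=none; aspf=s' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    A real implementation must use the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Relaxed ('r') alignment matches on organizational domain; strict ('s') needs equality."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain: str, spf_domain, dkim_domain, record: str):
    """Return (dmarc_pass, policy_to_apply). spf_domain is the MAIL FROM domain that passed
    SPF and dkim_domain the d= of a passing DKIM signature; None when that check failed."""
    tags = parse_dmarc(record)
    passes = (aligned(from_domain, spf_domain, tags.get("aspf", "r"))
              or aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    # Subdomains use sp= when present and otherwise inherit p=.
    policy = tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    return passes, policy

def demo():
    """Constructed cases for an organization publishing DMARC on example.com."""
    return {
        # sp=none: a spoofed, unauthenticated subdomain is delivered as if DMARC were absent.
        "spoofed_sub_sp_none": dmarc_disposition("promo.example.com", None, None,
                                                 "v=DMARC1; p=reject; sp=none"),
        # Dropping sp= lets the subdomain inherit p=reject.
        "spoofed_sub_inherits": dmarc_disposition("promo.example.com", None, None,
                                                  "v=DMARC1; p=reject"),
        # Attacker controls the subdomain's DNS via a compromised panel: SPF passes on the
        # subdomain itself, so even strict alignment cannot tell it from legitimate mail.
        "controlled_sub": dmarc_disposition("promo.example.com", "promo.example.com", None,
                                            "v=DMARC1; p=reject; aspf=s"),
    }
```

The third case is the one a policy tag cannot fix: once a subdomain's DNS is in the attacker's hands, DMARC sees legitimate mail, and the remaining controls are the panel credentials themselves and an inventory of which subdomains are allowed to send at all.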

This roundup is published weekly by Red Sift. Test your email authentication set-up with Red Sift Investigate.