AitM (Adversary-in-the-Middle) Phishing
A session hijacking attack that positions a reverse proxy between the victim and a legitimate website, capturing live session cookies in real time — after authentication (including MFA) has completed. The victim logs in normally; the attacker receives the session token and uses it to access the account from a different machine, bypassing authentication entirely.
How it works
AitM phishing differs structurally from credential phishing:
| Attack type | What is stolen | Does MFA protect? | Does FIDO2 protect? |
|---|---|---|---|
| Credential phishing | Password | ✅ (MFA adds layer) | ✅ (origin-bound) |
| Credential stuffing | Replayed password from breach | ✅ (MFA blocks replay) | ✅ |
| AitM proxy | Session cookie post-auth | ❌ (MFA already completed) | ⚠️ (see Device Code variant) |
| Device code phishing | OAuth refresh token | ❌ | ❌ |
In classic AitM:
- Victim receives a phishing link (email, SMS, QR code) pointing to the attacker's reverse proxy server
- Proxy forwards all traffic transparently to the real site
- Victim authenticates, including completing MFA — against the real service
- The real site issues a session cookie to the proxy (which is acting as a legitimate client)
- Proxy delivers the stolen cookie to the attacker via Telegram bot push notification, typically within 60 seconds of victim authentication (Reddit r/cybersecurity, 876 upvotes, 2025-02)
- Attacker imports the cookie into a fraud browser and accesses the account as the victim
Key point (practitioner consensus, 6,406-upvote thread, r/cybersecurity, 2024-09): "MFA protects against stolen credentials. It does not protect against stolen sessions. These are different things." The session cookie exists post-authentication and carries no record of which device or IP it was originally issued to.
Toolkit landscape (as-of 2026-03)
Tycoon 2FA
The dominant PhaaS (Phishing-as-a-Service) kit by volume. Sold on Telegram since 2023 via the "Saad Tycoon Group" channel; subscription $150–200/month (as-of 2026-03). (Proofpoint, 2026-03-04)
Features: synchronous reverse proxy, CAPTCHA gate before phishing page, Microsoft/Google portal branding with target org's AAD logo pulled dynamically. Delivery vectors include malicious email links, QR codes embedded in PDFs, SVG attachments, and HTML attachments. Stolen cookies delivered to attacker via Telegram bot in real time.
Scale (as-of 2026-03-04): over 3 million messages observed by Proofpoint in February 2026 alone; ~100,000 organisations compromised; 64,000+ confirmed phishing incidents before Europol-led disruption in March 2026 (Microsoft seized 330 control panel domains). (Proofpoint, 2026-03-04; Rescana, date unknown)
Version 4 of Tycoon 2FA was in use as of Q1 2025. (r/phishing, 987 upvotes, 2025-04)
Rockstar 2FA
An updated version of the DadSec/Phoenix phishing kit, tracked by Microsoft as Storm-1575. Available on Telegram, ICQ, and Mail.ru for $200 per two-week subscription (as-of 2024-11). (LevelBlue/Trustwave SpiderLabs, 2024-11-26)
Technical differentiator: domain and page HTML are decrypted client-side via AES-CBC; IP-based filtering shows a decoy car-themed page to security researchers rather than the live phishing content; uses Cloudflare Turnstile antibot checks to block automated analysis. Linked to over 5,000 car-themed phishing domains since May 2024. (LevelBlue, 2024-11-26)
Evilginx
The reference open-source AitM framework used by sophisticated/red-team actors and as the technical basis for commercial PhaaS kits. Supports a custom phishlet variant that spoofs a browser user-agent lacking FIDO2 support, forcing the target to fall back to non-phishing-resistant MFA — however, this downgrade technique was not observed in the wild as of the source publication date (2025). (Proofpoint/BleepingComputer, 2025)
Proofpoint and BleepingComputer (2025) state the FIDO2 downgrade via Evilginx phishlet "has not been observed in the wild yet." Some secondary sources (e.g. Abnormal Security, 2025) present FIDO2 bypass as a current active threat without this qualifier. The Proofpoint/BleepingComputer primary source is more authoritative. Sources: [BleepingComputer FIDO2 downgrade, 2025] · [Abnormal Security, 2025]
Commoditisation trajectory
"The Evilginx framework is now 5+ years old. What changed in 2023–2024 is that commoditisation happened — Tycoon 2FA, Rockstar 2FA, LabHost all put this capability in the hands of people with zero technical skill. The barrier to entry for AiTM phishing is now near zero." (r/cybersecurity, 987 upvotes, 2024-08)
LabHost (PhaaS targeting retail and banking) was taken down in April 2024. "Within weeks, alternative kits absorbed the demand. The ecosystem is resilient because it's decentralised." (r/fraud, 487 upvotes, 2024-08)
Scale and prevalence
| Metric | Figure | Source |
|---|---|---|
| Orgs experiencing ATO attempts (2025) | 99% | Proofpoint, 2026-03-04 (as-of 2026) |
| Orgs experiencing successful ATO | 67% of those tracked | Proofpoint, 2026-03-04 |
| Successful ATOs where MFA was enabled | 59% | Proofpoint, 2026-03-04 |
| Tycoon 2FA messages (Feb 2026 alone) | 3M+ | Proofpoint, 2026-03-04 |
| AiTM attacks YoY growth (2025) | +46% | Keepnet Labs/Barracuda, 2025 (as-of 2025) |
| PhaaS share of credential attacks (2024) | ~30% | Barracuda Networks, 2024 (as-of 2024) |
| US ATO losses (2024) | ~$16B | AuthX/FTC aggregator, 2025 |
| US adults victimised by ATO (2024) | 29% (~77M people) | AuthX/FTC aggregator, 2025 |
Ecommerce-specific impacts
The cashout sequence
Gift card purchase is the #1 cashout method (~70% of successful ATOs per one fraud ops practitioner, r/fraud, 1,987 upvotes, 2024-12):
- Attacker captures session → loads in fraud browser within 60 seconds
- Checks loyalty balance and stored payment methods
- Email change as persistence play: "once they control the email, they own the account permanently even after session expiry" (r/cybersecurity, 6,406-upvote post, 2024-09)
- Gift card purchase: executed within 20 minutes, sold on secondary markets within an hour
- Loyalty point conversion to gift cards or vouchers (~25% of cases)
- Order manipulation: change delivery address on pending orders (~5%)
- Refund-to-mule: initiate refund to attacker payment method via customer service chat (emerging, r/fraud, 356 upvotes, 2024-12)
2025 evolution: "Some attackers are waiting 24–48 hours post-compromise before attempting cashout, specifically to defeat immediate-post-login fraud rules." (r/fraud, 421 upvotes, 2025-05) This represents an adaptive countermeasure to the most common retailer fraud rule.
The gift card economics
"Gift card purchases from compromised accounts almost always happen within 20 minutes of session capture. By the time fraud ops sees the alert (usually 15–60 min lag), the gift cards have been purchased and often partially redeemed. Chargebacks don't cover points drains." (r/cybersecurity, 498 upvotes, 2025-02)
UK data: compromised ecommerce sessions from major UK fashion retailers with £200+ loyalty balance sell for $5–15 on dark web markets. (r/cybersecurity, 498 upvotes, 2024-08)
Why tokenised payment cards are relatively protected
"Tokenised card storage + CVV requirement is a real defence. Attackers know this and that's exactly why they pivot to loyalty/gift cards — those don't have the same friction." (r/cybersecurity, 534 upvotes, 2024-11)
UK case study (Oct 2024): 23 compromised accounts in a fashion retailer incident (Tycoon 2FA attribution). Total cashout ~£8,400 in gift cards. Payment card misuse: zero — all stored cards were tokenised and required CVV re-entry. (r/cybersecurity, 2,341-upvote post, 2024-11)
Real incident: UK fashion retailer SOC (Oct 2024)
Phishing domain registered 11 days prior using .shop TLD. Infrastructure matched Tycoon 2FA patterns. 23 accounts compromised. Detection signal: newly registered brand-matching domain with valid TLS cert. What worked: gift card velocity rules, tokenised cards, re-auth on email change. What did NOT work: MFA, password complexity, login anomaly detection at point of login. (r/cybersecurity, 2,341 upvotes, 2024-11)
Multistage: ATO Jumping
Some Tycoon 2FA operators use "ATO Jumping" — compromising one email account and using its trusted sender identity to distribute further AiTM phishing URLs to the victim's contacts, enabling chain-reaction account takeover. (Proofpoint, 2026-03-04)
Multistage case (Microsoft, Jan 2026): After AitM against an energy sector user — MFA completed by victim, session captured — attackers created inbox rules to delete incoming emails, then launched a phishing campaign of 600+ emails to the compromised user's contacts within and outside the organisation. (Microsoft Security Blog, 2026-01-21)
Consumer retention impact
80% of consumers will not return to an ecommerce site after experiencing an account takeover. (AuthX/aggregator, 2025)
Device code phishing — the FIDO2-circumventing variant
The OAuth device authorisation grant flow was designed for devices without browsers (smart TVs, IoT). Attackers repurpose it to capture OAuth refresh tokens even from accounts protected by FIDO2/passkeys.
Mechanism:
- Attacker initiates OAuth device code flow on their own device, obtaining a device code and user code
- Victim receives phishing lure (often a QR code on a fake offer page) prompting them to enter the user code at microsoft.com/devicelogin or equivalent
- Victim authenticates with their passkey against the real IdP (correctly — no credential theft)
- OAuth token grant (including refresh token) lands in the attacker's device session
- Attacker holds a refresh token with days-to-months lifetime — persists even after password change
"Post-exploitation in device code phishing: the attacker gets a refresh token, not just a session cookie. Revoking OAuth grants is the remediation but most end users don't know how to do this." (r/cybersecurity, 356 upvotes, 2025-06)
Red team evidence: Simulation against a retail client using Sign in with Google: 3 out of 12 users authorised the device code (dressed as a QR code login prompt on a fake offer page). All 3 had passkeys. None were protected. (r/cybersecurity, 387 upvotes, 2025-06)
Key quote: "FIDO2 is excellent protection against credential phishing and classic AiTM. It is not protection against device code phishing." (r/cybersecurity, 3,654-upvote post, 2025-01)
FIDO2/passkeys DO protect against classic Evilginx-style AiTM (origin binding prevents credential transmission to a proxy domain) [r/cybersecurity, 3,654 upvotes, 2025-01]. FIDO2/passkeys do NOT protect against device code phishing (victim authenticates against the real IdP; the OAuth grant goes to the attacker) [r/cybersecurity, 4,888 upvotes, 2025-05; 3,977 upvotes, 2025-06]. Both are technically correct — different attack vectors targeting different phases of authentication. Sources: [r/cybersecurity/1htq3dg, 3,654 upvotes] · [r/cybersecurity/1kvxs09, 4,888 upvotes] · [r/cybersecurity/1l9q6u4, 3,977 upvotes]
Framing note: A Google employee on a personal account noted that "'Phishing resistant' has a specific technical meaning in NIST and CISA frameworks that refers to credential phishing. It does not mean resistant to all phishing-adjacent attacks. The terminology has been adopted in marketing contexts that strip that nuance." (r/cybersecurity, 1,432 upvotes, 2025-01)
Practical fix: Disable device code grant type in IdP configuration where possible. "Device code flow should never have been left enabled by default for general web auth." (r/cybersecurity, 1,432 upvotes, 2025-06) Conditional Access policies with token protection also recommended. (Microsoft, 2026-01-21)
QR code delivery (quishing) — 2025 variant
"Victims conditioned not to click links; QR codes feel different. On mobile, browser URL bar is small and often unchecked." (r/phishing, 743 upvotes, 2025-05) AitM operators shifted to QR code lures in 2025 for both classic proxy attacks and device code delivery.
Detection signals
What actually works (practitioner-confirmed):
| Signal | Effectiveness | Notes |
|---|---|---|
| Concurrent same-session logins from 2 IPs | Strong | Fleeting — requires real-time monitoring; most orgs miss it |
| Impossible cookie presentation (new IP/UA before legitimate issuance) | Strong | Requires server-side session issuance logging |
| Navigation velocity: <90 seconds login→gift card | Very strong | Legitimate users: 3–8 minutes. Few false positives. |
| Gift card purchase velocity from accounts with no prior gift card history | Very strong | Rare false positive profile |
| Loyalty redemption immediately after login | Strong | Combine with new device/IP signal |
| Newly registered brand-matching domain (<30 days, valid TLS cert) | Moderate | 2–5 alerts/week for active brand; ~20% confirmed AitM infrastructure |
| SessionId matching across different IPs | Forensic only | Primary indicator post-incident; not real-time |
What does NOT work:
- MFA success signal — attacker's proxy completed MFA on behalf of victim
- Login anomaly detection / device fingerprinting at login — session was legitimately created on victim's device
- Password complexity requirements
- SameSite, HttpOnly, HTTPS on cookies — none constrain a cookie transmitted to a reverse proxy
Proxy latency (~200ms overhead on AitM proxy): theoretically detectable signal, but "almost impossible to detect client-side... Server-side you can't see it at all. This detection vector is basically theoretical for most orgs." (r/cybersecurity, 543 upvotes, 2025-02)
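The session-level signals the table above rates "Strong" and "Very strong" are straightforward to implement as rules over server-side session events. The block below is an added example (not from the original page or any of the cited sources) that runs three of them over a constructed event log: one session id presented from two IPs, login to gift card purchase in under 90 seconds, and a gift card purchase from an account with no prior gift card history. The event schema and the sample rows are assumptions.

```python
"""Session-event detection rules for AitM-style hijack (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one legitimate session and one hijacked session.
# The hijacked session id "s-hijack" is presented from a second IP within
# a minute of login and buys a gift card 45 seconds after login.
EVENTS = [
    # (timestamp UTC, session_id, client_ip, event, account)
    ("2024-10-14T09:00:00", "s-legit", "203.0.113.10", "login", "alice"),
    ("2024-10-14T09:05:30", "s-legit", "203.0.113.10", "gift_card_purchase", "alice"),
    ("2024-10-14T10:00:00", "s-hijack", "198.51.100.7", "login", "bob"),
    ("2024-10-14T10:00:40", "s-hijack", "192.0.2.55", "page_view", "bob"),
    ("2024-10-14T10:00:45", "s-hijack", "192.0.2.55", "gift_card_purchase", "bob"),
]
# Accounts with at least one gift card purchase before this day (constructed).
PRIOR_GIFT_CARD_HISTORY = {"alice"}

# Legitimate users take 3-8 minutes from login to gift card; under 90 s is the rule.
VELOCITY_THRESHOLD = timedelta(seconds=90)


def parse(events):
    """Convert ISO timestamps to datetime and keep the rest of the row as-is."""
    return [(datetime.fromisoformat(ts), sid, ip, ev, acct)
            for ts, sid, ip, ev, acct in events]


def detect(events, prior_history):
    """Return a list of (session_id, rule_name) alerts, one per triggered rule."""
    alerts = []
    by_session = defaultdict(list)
    for row in parse(events):
        by_session[row[1]].append(row)

    for sid, rows in by_session.items():
        rows.sort()  # chronological; tuples sort by timestamp first
        ips = {ip for _, _, ip, _, _ in rows}
        login_ts = next((ts for ts, _, _, ev, _ in rows if ev == "login"), None)

        # Rule 1: the same session id presented from more than one client IP.
        # Real-time this is "concurrent same-session logins"; post-incident it
        # is the "SessionId matching across different IPs" forensic indicator.
        if len(ips) > 1:
            alerts.append((sid, "same_session_multiple_ips"))

        for ts, _, ip, ev, acct in rows:
            if ev != "gift_card_purchase":
                continue
            # Rule 2: navigation velocity, login -> gift card in under 90 s.
            if login_ts is not None and ts - login_ts < VELOCITY_THRESHOLD:
                alerts.append((sid, "gift_card_velocity"))
            # Rule 3: gift card purchase from an account with no prior history.
            if acct not in prior_history:
                alerts.append((sid, "gift_card_no_history"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, PRIOR_GIFT_CARD_HISTORY):
        print(alert)
```

Rule 1 only fires in real time if the event stream is evaluated as it arrives; run in batch it degrades to the forensic signal in the table's last row.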
Prevention controls
Technical controls
Device Bound Session Credentials (DBSC) — became generally available in Chrome on Windows on 25 May 2026 (gradual rollout, up to 60 days). Binds session cookies cryptographically to the device TPM/Secure Enclave; a stolen cookie cannot be replayed from a different machine. Google reports "significant reduction in session theft" for sessions protected by DBSC during rollout. (Google Workspace Updates, 2026-05-28) Gaps: macOS on roadmap only; mobile browsers unsupported; per-site server implementation required; devices without a TPM fall back to standard behaviour. See Session Hijacking for full DBSC analysis.
DBSC protects against stolen session cookies from AitM proxy or infostealer, but does not protect against device code phishing or refresh token theft — "once an attacker holds a refresh token, DBSC has no authority over the subsequent session." (SpyCloud, date unknown) Sources: [SpyCloud DBSC explainer] · [Google Workspace Updates, 2026-05-28]
Step-Up Authentication — re-authentication requirements on sensitive account actions are the highest-practitioner-signal prevention control:
- Email address change
- Payment method addition/change
- Gift card purchase
- Loyalty redemption
- High-value order
- New device login
The attacker has the session cookie but not the password. Requiring password re-auth for these actions stops the attack at the point of maximum damage. "Soft re-auth (modal, not full logout): >95% completion from legitimate users; hijackers abandon." (r/ecommerce, 378 upvotes, 2025-12; cited in Session Hijacking page)
Session lifetime controls:
- Short idle timeout (2–4hr): reduces window significantly
- Short absolute lifetime (24hr): prevents long-persistent session abuse
- Prevents attackers who wait 24–48hr post-compromise from using stale sessions
Security practitioners advocate aggressively for short session lifetimes (2–4h idle, 24h absolute) as a high-impact control [r/cybersecurity, 743 upvotes]. UX/ecommerce practitioners counter that "platforms make a deliberate business decision to accept the fraud risk rather than add auth steps" because auth friction causes measurable conversion drop-off [r/cybersecurity, 1,432 upvotes]. Quantified conversion impact of short sessions not found. No resolution — explicit business tradeoff. Sources: [r/cybersecurity/1fxjuew, 743 upvotes] · [r/cybersecurity/1fxjuew, 1,432 upvotes]
Velocity controls confirmed effective:
- 24-hour loyalty redemption delay after any account change or new device login → 60% loyalty fraud reduction (one practitioner, r/fraud, 498 upvotes, 2024-12)
- 4-hour gift card purchase cooling-off after account change / new device login → eliminates most attack value from impatient actors (r/fraud, 543 upvotes, 2024-12)
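The step-up, session lifetime and velocity controls above compose into a single per-action policy decision. The block below is an added example (not from the original page) that encodes them with the page's own numbers: re-auth on the listed sensitive actions, a 4-hour idle and 24-hour absolute session lifetime, a 4-hour gift card cooling-off and a 24-hour loyalty redemption delay after any account change or new device login. The `Session` fields and the 5-minute re-auth freshness window are assumptions.

```python
"""Step-up / velocity policy for sensitive account actions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Actions that require password re-auth on an existing session (page's list).
STEP_UP_ACTIONS = {
    "email_change", "payment_method_change", "gift_card_purchase",
    "loyalty_redeem", "high_value_order", "new_device_login",
}
# Cooling-off after any account change or new device login (page's figures).
COOLING_OFF = {
    "gift_card_purchase": timedelta(hours=4),
    "loyalty_redeem": timedelta(hours=24),
}
IDLE_TIMEOUT = timedelta(hours=4)        # short idle timeout
ABSOLUTE_LIFETIME = timedelta(hours=24)  # short absolute lifetime
REAUTH_FRESHNESS = timedelta(minutes=5)  # assumed: how long a re-auth stays valid


@dataclass
class Session:
    issued_at: datetime
    last_seen: datetime
    reauth_at: Optional[datetime] = None            # last password re-auth
    last_account_change: Optional[datetime] = None  # email/payment change, new device


def evaluate(session: Session, action: str, now: datetime) -> str:
    """Decide 'allow', 'step_up', 'cooling_off' or 'expired' for one action.

    A hijacked session arrives with a valid cookie but no password, so every
    STEP_UP action returns 'step_up' unless a fresh re-auth is on record.
    """
    # Lifetime controls first: a stale cookie (e.g. attacker waiting 24-48 h)
    # is rejected before any action-specific logic.
    if now - session.issued_at > ABSOLUTE_LIFETIME:
        return "expired"
    if now - session.last_seen > IDLE_TIMEOUT:
        return "expired"

    # Velocity controls: block cashout actions inside the cooling-off window
    # that starts at the most recent account change or new device login.
    window = COOLING_OFF.get(action)
    if window is not None and session.last_account_change is not None:
        if now - session.last_account_change < window:
            return "cooling_off"

    # Step-up: sensitive actions need a recent password re-auth.
    if action in STEP_UP_ACTIONS:
        fresh = (session.reauth_at is not None
                 and now - session.reauth_at < REAUTH_FRESHNESS)
        if not fresh:
            return "step_up"
    return "allow"


if __name__ == "__main__":
    t0 = datetime(2024, 10, 14, 10, 0, 0)
    hijacked = Session(issued_at=t0, last_seen=t0)  # cookie only, no re-auth
    print(evaluate(hijacked, "gift_card_purchase", t0 + timedelta(seconds=45)))
```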
Tokenised card storage with CVV re-entry requirement: Confirmed by UK case study — zero payment card misuse across 23 AitM-compromised accounts. (r/cybersecurity, 2024-11)
Continuous access evaluation (CAE): Allows identity providers to revoke session tokens in near real time on risk signals (Microsoft Azure). Recommended as a complementary control by Microsoft. (Microsoft Security Blog, 2026-01-21)
Disable device code grant type in IdP: Prevents device code phishing variant. "Device code flow should never have been left enabled by default for general web auth." (r/cybersecurity, 2025-06)
Brand monitoring
Monitor for newly registered domains matching brand keywords. Domain age <30 days with valid TLS cert = high-confidence IOC. Practitioner reports 2–5 such alerts/week, ~20% confirmed AitM infrastructure. (r/cybersecurity, 2,341-upvote post, 2024-11)
Incident response
Password reset alone is insufficient — the response must also:
- Revoke ALL active sessions — attacker may have multiple tokens
- Check for and revoke attacker-added MFA methods (attackers can add their own OTP/phone during the session)
- Delete suspicious inbox rules (deletion rules hiding attacker emails)
- Force step-up re-auth on next login
- Lock pending orders/payment changes for 24hr
- Notify via email + push
"Attackers can add new MFA methods (e.g., OTP to attacker's phone) to maintain access even after password reset." (Microsoft Security Blog, 2026-01-21) This is the mechanism behind "phantom re-compromise" where accounts appear secured but remain accessible.
User training effectiveness
Strong practitioner consensus that user training has limited value for AitM specifically: "The 'spot the phish' model is essentially dead for this attack class. In 2024, 67% of people who completed MFA and still got compromised reported that the phishing page looked completely legitimate and they had no reason to suspect it." (r/cybersecurity, 6,406-upvote post, 2024-09) This view is broadly held and uncontested across the sourced threads. AitM proxy pages serve the real site's content — detecting them requires URL vigilance, not content inspection.
Key terms
| Term | Meaning |
|---|---|
| AitM | Adversary-in-the-Middle — attack inserting a proxy to intercept post-auth session cookies |
| PhaaS | Phishing-as-a-Service — subscription model for AitM toolkits (Tycoon 2FA, Rockstar 2FA) |
| Tycoon 2FA | Dominant PhaaS AitM kit; 3M+ messages/month (Feb 2026) |
| Rockstar 2FA | DadSec/Phoenix AitM fork; $200/2-week subscription (2024) |
| Device code phishing | AitM variant using OAuth device flow; bypasses even FIDO2/passkeys |
| ATO Jumping | Using a compromised account to distribute further AitM phishing to contacts |
| Quishing | QR code-based AitM phishing delivery |
| CAE | Continuous Access Evaluation — real-time session revocation on risk signals |
| DBSC | Device Bound Session Credentials — Chrome's post-auth cookie-binding mechanism (GA May 2026) |
Frontier links
- Loyalty Fraud — dominant cashout mechanism from AitM; 24-hour delay control
- Gift Card Fraud — primary liquid cashout target; sub-20-minute window
- Device Bound Session Credentials (DBSC) — the architectural fix; Chrome GA May 2026; platform adoption 2–3yr horizon
- Step-Up Authentication — highest-practitioner-signal prevention; re-auth on sensitive actions
- Continuous Access Evaluation (CAE) — real-time session revocation; Microsoft Azure
- OAuth Device Code Phishing — distinct concept from classic AitM; FIDO2-circumventing
- ATO Jumping — chain-reaction ATO via compromised sender; BEC intersection
- Quishing (QR Code Phishing) — 2025 delivery mechanism shift
- Smishing (SMS Phishing) — 40% uplift in AitM conversion vs email (practitioner report)
- Refresh Token Theft — device code phishing payload; longer lifetime than session cookies