Tax Season Phishing 2026: How QR Codes, OneDrive and Tycoon 2FA Are Bypassing Microsoft 365


Tax season has always attracted opportunistic phishing campaigns. But what Microsoft Threat Intelligence documented in February and March 2026 is a different beast entirely — technically sophisticated, operationally industrialised, and specifically engineered to defeat the security controls that most organisations rely on.

In a single campaign on February 10, 2026, attackers sent phishing emails to more than 29,000 users across 10,000 organisations. Every single recipient received a unique attachment — personalised with their name and a unique QR code — making traditional hash-based detection useless. Three weeks later, Microsoft and Europol dismantled Tycoon 2FA, the phishing platform responsible for 62% of all phishing attempts Microsoft blocked by mid-2025.

The takedown is significant. But the attack patterns Tycoon 2FA industrialised are not going away. They are already being replicated by other platforms. This post breaks down exactly how these campaigns work, why M365 defences are structurally blind to them, and what intent-based detection actually catches that pattern-matching cannot.

What Microsoft Threat Intelligence Actually Found

Between January and March 2026, Microsoft documented multiple overlapping tax-themed campaigns. Three stand out for their technical sophistication.

Campaign 1: The 29,000-user W-2 surge (February 10, 2026)

This campaign, sent in two waves over a nine-hour window, targeted financial services (19%), technology (18%), and retail (15%) — but the real targeting was by role. Accountants and tax preparers were the primary victims.

Each email contained a PDF attachment with a W-2 lure. Inside that PDF was a QR code — but not a static one. The QR code was unique per recipient, embedding the target's own email address into the URL. This served two purposes: it personalised the attack to increase credibility, and it defeated URL reputation systems that rely on seeing the same malicious URL appear in multiple emails before flagging it.

The QR code led to a credential harvesting page built on the SneakyLog PhaaS platform — a Microsoft 365 sign-in page replica capable of capturing both credentials and 2FA codes in real time.
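A defender can turn that personalisation against the campaign: once the QR codes have been decoded (by an attachment scanner or a QR library, which is out of scope here), a URL that carries the recipient's own address in plain, percent-encoded, base64 or hex form, and that no other recipient received, is itself a strong signal. This is an added example written for this post, not StrongestLayer's or Microsoft's code; the batch of recipient/URL pairs and the hostnames are constructed placeholders.

```python
import base64
from urllib.parse import unquote

# Constructed sample: the URL decoded from each recipient's QR code, paired with
# the recipient address. Hostnames are placeholders, not real campaign indicators.
SAMPLE_BATCH = [
    ("alice@example.com", "https://w2-portal.example.invalid/view?id=alice%40example.com"),
    ("bob@example.com",   "https://w2-portal.example.invalid/view?id=Ym9iQGV4YW1wbGUuY29t"),
    ("carol@example.com", "https://w2-portal.example.invalid/v/6361726f6c406578616d706c652e636f6d"),
    ("dave@example.com",  "https://intranet.example.com/hr/w2-2025.pdf"),  # benign, shared link
]


def _encodings(email: str) -> set[str]:
    """Forms in which a recipient address is commonly embedded in a lure URL.
    Everything is lower-cased so the comparison below is case-insensitive."""
    e = email.lower()
    return {
        e,
        base64.b64encode(e.encode()).decode().rstrip("=").lower(),
        base64.urlsafe_b64encode(e.encode()).decode().rstrip("=").lower(),
        e.encode().hex(),
    }


def url_embeds_recipient(url: str, recipient: str) -> bool:
    """True if the recipient's own address appears in the URL in any of the forms above."""
    haystack = unquote(url).lower()
    return any(form in haystack for form in _encodings(recipient))


def flag_personalised_campaign(batch):
    """Return recipients whose QR URL is unique across the batch AND encodes their address.
    Uniqueness alone is weak (every shared link is unique on its first sighting);
    the combination is the per-recipient personalisation the campaign relied on."""
    urls = [u for _, u in batch]
    flagged = []
    for recipient, url in batch:
        unique = urls.count(url) == 1
        if unique and url_embeds_recipient(url, recipient):
            flagged.append(recipient)
    return flagged
```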

Campaign 2: Energy365 + OneDrive lures (February 5–6, 2026)

A second campaign used the Energy365 phishing kit — one of the most prolific platforms Microsoft tracks, responsible for hundreds of thousands of malicious emails daily. What made this campaign distinctive was its use of legitimate infrastructure.

Attackers hosted malicious payloads on OneDrive. The kill chain required multiple rounds of user interaction before the actual credential harvest, specifically to defeat automated sandbox analysis. A sandbox will typically abandon a chain after one or two steps, so attackers built the kill chain to require three or four deliberate human actions before the phishing page appeared.

Campaign 3: IRS impersonation via Eventbrite (February 23 and 27, 2026)

This campaign sent several thousand emails using Eventbrite — a legitimate event platform — to make the sending domain appear trustworthy. The subject line referenced a cryptocurrency tax form, and the email body contained a non-clickable URL that, when manually pasted, downloaded either the ScreenConnect or SimpleHelp remote monitoring tool.

This is not credential theft. This is remote access installation. Once ScreenConnect or SimpleHelp is running on a machine, an attacker has persistent, silent access to the environment regardless of what security controls exist at the email layer.

The pattern across all three campaigns is identical: use legitimate infrastructure, personalise the lure, make automated detection fail at every step, and trust that the user's own authentication will complete the attack for you.

Tycoon 2FA: What It Was and Why the Takedown Doesn't End the Threat

On March 4, 2026, Microsoft's Digital Crimes Unit, working alongside Europol and 11 security firms across six countries, seized 330 domains that powered Tycoon 2FA's infrastructure.

The scale of what was taken down is staggering: Tycoon 2FA sent approximately 87.5 million phishing messages between October 2025 and January 2026 alone, targeting more than 500,000 organisations globally every month. Over 100 Health-ISAC members were compromised, causing delayed patient care in New York hospitals. SpyCloud analysis of exposed panel data revealed more than 173,000 unique email addresses and 264,000 passwords — roughly 80% from enterprise Microsoft 365 or Google Workspace accounts.

The platform worked as an Adversary-in-the-Middle (AiTM) proxy. Rather than serving a static fake login page, Tycoon proxied the real Microsoft 365 or Gmail login page to the victim in real time. When the user entered their credentials and MFA code, Tycoon passed them to the legitimate service, received the authenticated session token, and stole it before it ever reached the victim's browser.

MFA was not a defence. SMS codes, authenticator apps, and push notifications were all bypassed. The session token — not the password — was the prize.

Why the takedown is significant but not sufficient

The infrastructure is down. The platform's developer, believed to be Saad Fridi operating under the handles SaaadFridi and Mr_Xaad, has been identified. But the 2,000 subscribers who paid $120–$350 per month to access Tycoon's capabilities still exist. The techniques — AiTM proxying, QR code lures, personalised attachments, multi-step kill chains — are well-documented and being replicated by other platforms including Energy365 and SneakyLog, both of which are actively running campaigns right now.

Tycoon 2FA is gone. AiTM phishing is not. The playbook has been open-sourced by its own success.

Why Microsoft 365's Native Defences Are Structurally Blind to These Attacks

This is not a criticism of Microsoft. It is a structural reality of how email security has been built for the last 20 years.

Microsoft Defender for Office 365 — and every Secure Email Gateway before it — operates on signal-based detection. It looks for known bad indicators: malicious URLs in reputation databases, file hashes matching known malware, sending domains on blocklists, SPF/DKIM/DMARC failures.

The campaigns documented above were specifically engineered to produce none of these signals:

  • Unique QR codes per recipient — no repeated URL to build reputation on
  • Legitimate infrastructure (OneDrive, Eventbrite) — trusted sending domains
  • Multi-step kill chains — defeat sandbox automation
  • AiTM proxying — the login page IS the real Microsoft page, just proxied
  • Personalised attachments — unique hashes per recipient defeat signature matching

When there are no bad signals, signal-based detection produces nothing. The email arrives in the inbox. The user sees a convincing, personalised lure. The attack succeeds.

What Intent-Based Detection Catches That Pattern-Matching Cannot

The fundamental question signal-based detection never asks is: what is this email trying to make the recipient do, and is that action legitimate given the context?

A tax season phishing email targeting an accountant has a very specific intent pattern. It creates urgency around a financial or regulatory action, it requests credentials or personal information, it provides a mechanism (QR code, link, attachment) to complete that action outside of the user's normal workflow, and it impersonates a trusted authority to reduce friction.

None of those intent signals require a known-bad URL. None of them require a flagged file hash. They are visible in the content and behavioural context of the email itself — but only to a system that is actively reasoning about what the email is asking for and whether that request makes sense.

This is the core architectural difference between Generation 2 behavioural tools and Generation 3 LLM-native detection. Behavioural tools ask: is this sender behaving unusually compared to their baseline? Intent-based tools ask: is the action this email is requesting consistent with legitimate business context?

A first-contact email from a brand-new external sender asking a finance team member to scan a QR code to verify their tax filing information has no behavioural baseline to compare against. But the intent analysis is unambiguous — this is a social engineering attempt with financial gain as the objective.

Pattern-matching looks for what attackers have done before. Intent reasoning looks at what this specific email is trying to accomplish right now. That distinction is why AiTM campaigns that evade every signature check can still be caught at the intent layer.

What Security Teams Should Do Right Now

The Tycoon 2FA takedown has disrupted one platform. Energy365 and SneakyLog are still running. Tax season lures will remain active through April 15. Here is what security teams can act on immediately:

For security operations teams

  • Assume MFA is not sufficient protection against credential theft. AiTM attacks capture authenticated session tokens, not passwords. Conditional Access policies requiring compliant devices and restricting session lifetimes provide meaningful additional defence.
  • Add QR code scanning education to your user awareness programme specifically for this season. Most users do not know that a QR code in a tax document email is a red flag — pattern-matching tools do not flag it either.
  • Treat legitimate infrastructure senders (OneDrive sharing notifications, Eventbrite, DocuSign) with elevated scrutiny for the next 60 days. Attackers have specifically learned that these domains bypass blocklists.
  • Review your email security stack for explainability. If your tool cannot tell you why it blocked or allowed a specific email, you cannot investigate the close calls — and with AiTM campaigns, the close calls are the ones that matter.

For CISOs and IT leaders

  • The Tycoon 2FA takedown is not a reason to reduce vigilance. It is a signal that the PhaaS ecosystem is mature, well-funded, and will reconstitute itself. 2,000 former subscribers are actively looking for alternative platforms.
  • Consider whether your current email security architecture can answer the question: what was this email trying to make our user do? If your tooling cannot answer that question, you have a detection gap that signature updates cannot fill.
  • The ROI case for intent-based detection has never been clearer. A single successful AiTM attack that harvests an executive's M365 session token costs far more to remediate than the annual cost of a Gen 3 detection layer.

Final Thoughts

The campaigns Microsoft documented this tax season are not anomalies. They are the current state of industrialised phishing. Personalised QR codes, legitimate infrastructure abuse, multi-step kill chains, and AiTM MFA bypass are now commodity capabilities available to any cybercriminal willing to pay $120.

The Tycoon 2FA takedown is a meaningful disruption. But the techniques it popularised are documented, replicated, and actively in use by competing platforms today. Signal-based detection — whether that is a Secure Email Gateway, Microsoft Defender, or a Generation 2 behavioural tool — cannot reliably detect attacks that produce no signals by design.

The question worth asking your current vendor is simple: if an attacker sends your CFO a personalised, tax-themed email with a unique QR code, hosted on a legitimate domain, from a sender your organisation has never seen before — what exactly does your tool look at to decide whether to let it through?

If the answer involves URL reputation, file hash matching, or sender anomaly scoring, you have your answer about the gap.

Frequently Asked Questions

Q1: Can MFA protect against these tax phishing attacks?

Standard MFA — SMS codes, authenticator apps, and push notifications — does not protect against Adversary-in-the-Middle (AiTM) attacks like those used by Tycoon 2FA. Because AiTM platforms proxy the real Microsoft 365 login page in real time, the user completes a genuine MFA challenge and the attacker captures the authenticated session token before it reaches the victim’s browser. The only MFA methods that resist AiTM attacks are phishing-resistant options: FIDO2 hardware security keys and certificate-based authentication. Microsoft’s own advisory specifically recommends implementing phishing-resistant MFA via Entra ID Conditional Access authentication strength policies.
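The Conditional Access controls recommended above (compliant device and bounded session lifetime in the security operations list, phishing-resistant authentication strength here) can be audited against the policy objects the Microsoft Graph API returns. The function below is an added example, not Microsoft's or StrongestLayer's code: it checks one policy in the Graph conditionalAccessPolicy shape for the gaps an AiTM session replay exploits, and the two sample policies are constructed, not exported from a real tenant. The strength ID is the built-in "Phishing-resistant MFA" authentication strength in Entra ID.

```python
# Built-in Entra ID authentication strength "Phishing-resistant MFA" (FIDO2, CBA, passkeys).
PHISHING_RESISTANT_MFA_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"


def policy_closes_aitm_gap(policy: dict) -> tuple[bool, list[str]]:
    """Audit one conditionalAccessPolicy (Graph schema) for the controls that blunt AiTM:
    enabled, scoped to all users and all cloud apps, granting only on phishing-resistant
    MFA or a compliant device, and bounding session lifetime via sign-in frequency."""
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("policy not enabled (report-only or disabled enforces nothing)")
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        gaps.append("not scoped to all users")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        gaps.append("user/group exclusions present; review each one (break-glass accounts aside)")
    apps = cond.get("applications") or {}
    if apps.get("includeApplications") != ["All"]:
        gaps.append("not scoped to all cloud apps")
    grant = policy.get("grantControls") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    controls = set(grant.get("builtInControls") or [])
    if strength != PHISHING_RESISTANT_MFA_STRENGTH_ID and "compliantDevice" not in controls:
        gaps.append("grant satisfied by plain MFA; an AiTM proxy replays the session regardless")
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        gaps.append("no sign-in frequency; a stolen token stays valid for the default lifetime")
    return (not gaps, gaps)


# Constructed sample policies (not from a real tenant) in the Graph conditionalAccessPolicy shape.
WEAK_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["finance-contractors"]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": None,
}
HARDENED_POLICY = {
    "displayName": "Phishing-resistant MFA, 1h sign-in frequency",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "AND",
                      "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_STRENGTH_ID}},
    "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "hours", "value": 1}},
}
```

Run it over the list returned by GET /identity/conditionalAccess/policies; every policy that comes back with gaps is one an AiTM session token walks straight through.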

Q2: Why are attackers using QR codes instead of regular links?

QR codes bypass the two main email security controls that catch malicious links: URL reputation scanning and Safe Links rewriting. When a phishing URL is embedded in a QR code image, email security tools cannot extract or analyse it. The scan also happens on the user’s mobile device — outside the corporate security perimeter — where endpoint protection is typically weaker. Attackers now generate unique QR codes per recipient so no two emails contain the same URL, producing zero reputation signal. The FBI formally classified this technique — known as quishing — as a high-confidence, MFA-resilient identity intrusion vector in its January 2026 Flash advisory.

Q3: Does the Tycoon 2FA takedown mean these attacks are over?

No. The infrastructure has been seized but the 2,000 subscribers who paid for the service are actively seeking alternatives. The techniques Tycoon 2FA deployed — AiTM proxying, unique QR code lures, multi-step kill chains, and legitimate infrastructure abuse — are already replicated by competing platforms including Energy365, SneakyLog, and RaccoonO365, all actively running campaigns today. The Phishing-as-a-Service ecosystem is resilient by design: when one platform is taken down, subscribers migrate within days. The takedown disrupts one operator; it does not retire the attack methodology.

Q4: Why are attackers using legitimate platforms like OneDrive and Eventbrite?

Secure Email Gateways rely on domain blocklists. Domains like onedrive.live.com, eventbrite.com, and amazonaws.com are globally trusted and will never appear on a blocklist. By hosting malicious payloads through these platforms, attackers inherit their trust reputation — the email arrives from a trusted sender, links point to trusted infrastructure, and every signal-based detection layer passes it through. Multiple PhaaS platforms have now built legitimate infrastructure abuse directly into their campaign templates as a standard feature, making it commodity-level capability rather than advanced tradecraft.

Q5: How should my organisation report a tax phishing email?

For IRS-themed phishing, forward to phishing@irs.gov and report at IRS.gov/SubmitATip. For broader incidents, report to CISA at cisa.gov/report. Within your organisation: isolate the affected device if a QR code was scanned or a link was clicked, reset credentials and active sessions, and review Conditional Access logs for session token anomalies. If your email security platform cannot tell you whether a message was analysed for intent — not just checked against URL blocklists — that is the detection gap worth closing before April 15.
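The "review Conditional Access logs for session token anomalies" step can be scripted. After an AiTM capture the victim's genuine MFA completion is logged from the proxy's address, and the replayed token then shows up as a sign-in whose MFA requirement was satisfied by a claim in the token, from an address the user has never used. This is an added example, not StrongestLayer's or Microsoft's code; the sign-in records are constructed, and the two result-detail strings are assumed to match what Entra sign-in logs report in authenticationDetails (verify against your own tenant's logs).

```python
from datetime import datetime, timedelta

TOKEN_CLAIM = "MFA requirement satisfied by claim in the token"
MFA_DONE = "MFA completed in Azure AD"


def _rec(upn, ip, when, detail):
    """Build a minimal sign-in record in the shape of the Entra signIn resource (constructed)."""
    return {"userPrincipalName": upn, "ipAddress": ip, "createdDateTime": when,
            "authenticationDetails": [{"authenticationStepResultDetail": detail}]}


# Constructed sample: two days of sign-ins for one user. 203.0.113.10 is the office egress;
# 198.51.100.x are addresses the user has never used (documentation ranges, not real IoCs).
SAMPLE_SIGNINS = [
    _rec("cfo@example.com", "203.0.113.10",  "2026-02-09T08:02:00Z", MFA_DONE),
    _rec("cfo@example.com", "203.0.113.10",  "2026-02-09T13:40:00Z", TOKEN_CLAIM),
    _rec("cfo@example.com", "198.51.100.77", "2026-02-10T09:15:00Z", MFA_DONE),     # MFA via proxy
    _rec("cfo@example.com", "198.51.100.91", "2026-02-10T09:21:00Z", TOKEN_CLAIM),  # token replay
    _rec("cfo@example.com", "203.0.113.10",  "2026-02-10T10:00:00Z", TOKEN_CLAIM),  # benign reuse
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _details(rec):
    return {d.get("authenticationStepResultDetail") for d in rec.get("authenticationDetails", [])}


def find_token_replay(signins, baseline_before, replay_window=timedelta(hours=1)):
    """Flag token-claim sign-ins from IPs the user never used before `baseline_before`,
    and pair each with the MFA completion that preceded it within `replay_window`."""
    cutoff = datetime.strptime(baseline_before, "%Y-%m-%dT%H:%M:%SZ")
    baseline = {}  # upn -> set of IPs seen in the baseline period
    for r in signins:
        if _ts(r) < cutoff:
            baseline.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])
    recent = sorted((r for r in signins if _ts(r) >= cutoff), key=_ts)
    alerts = []
    for i, r in enumerate(recent):
        upn = r["userPrincipalName"]
        if TOKEN_CLAIM not in _details(r) or r["ipAddress"] in baseline.get(upn, set()):
            continue
        origin = next((p for p in reversed(recent[:i]) if p["userPrincipalName"] == upn
                       and MFA_DONE in _details(p) and _ts(r) - _ts(p) <= replay_window), None)
        alerts.append({"user": upn, "replay_ip": r["ipAddress"], "at": r["createdDateTime"],
                       "mfa_completed_from": origin["ipAddress"] if origin else None})
    return alerts
```

An alert whose mfa_completed_from address is also outside the baseline is the AiTM shape: the user's MFA was never completed from a machine you control.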

Sources

Microsoft Security Blog: When tax season becomes cyberattack season (March 19, 2026)

Microsoft Security Blog: Inside Tycoon 2FA — How a leading AiTM phishing kit operated at scale (March 4, 2026)

Cloudflare Threat Intelligence: Tycoon 2FA Takedown (March 2026)

CyberScoop: Global coalition dismantles Tycoon 2FA phishing kit (March 4, 2026)

Cybersecurity News: Tycoon 2FA Phishing Kit Disrupted by Microsoft, Europol and Partners

Want to see how StrongestLayer's TRACE engine analyses email intent in real time? Book a 20-minute demo and we'll show you exactly how it would have handled the campaigns described in this post — using your own email environment.
