AitM Phishing 2026: How Starkiller and Tycoon 2FA Bypass Your MFA

via Dev.to (IAMDevBox)

In early March 2026, two events put MFA bypass back in the spotlight. Europol dismantled Tycoon 2FA — the world's largest phishing-as-a-service platform — while a new suite called Starkiller demonstrated that AitM phishing has evolved from a sophisticated nation-state technique into a commodity SaaS product anyone can buy.

The message is clear: if your organization relies on TOTP, push notifications, or SMS for MFA, it is not phishing-resistant. Here's how these attacks work and what actually stops them.

How AitM Phishing Works

Traditional phishing clones a login page and captures credentials. AitM phishing is fundamentally different — it doesn't clone anything. It proxies the real site.

    Victim → [Attacker's Reverse Proxy] → Real Login Page (Microsoft 365, Google, etc.)
                  ↑ captures everything ↑
                  - passwords
                  - TOTP codes
                  - push notification approvals
                  - session cookies

The victim sees the legitimate website. They enter their real password, approve their real MFA prompt, and get logged in
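
Why a TOTP code relayed through a proxy still verifies while an origin-bound response does not, as an added example that is not part of the original article. It is a simplified model: HMAC stands in for a real authenticator's public-key signature, and the origins, key and challenge are constructed values.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, t: int) -> bool:
    """Server check: accepts the code no matter which host it was typed into."""
    return any(hmac.compare_digest(totp(secret, t + d), code) for d in (-30, 0, 30))

def sign_assertion(key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """Authenticator side: the response covers the origin the browser reports.
    HMAC is an assumed stand-in for a real authenticator's public-key signature."""
    return hmac.new(key, challenge + b"|" + origin_seen.encode(), hashlib.sha256).digest()

def verify_assertion(key: bytes, challenge: bytes, sig: bytes, expected_origin: str) -> bool:
    """Server side: recompute over its own origin; any other origin fails."""
    return hmac.compare_digest(sign_assertion(key, challenge, expected_origin), sig)

# Constructed sample values (not from the article).
REAL_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example.net"   # host the victim's browser is actually on
SECRET = b"12345678901234567890"             # RFC 6238 test secret
KEY = b"constructed-demo-key"
CHALLENGE = b"constructed-nonce-0001"
NOW = 59                                     # RFC 6238 test time

def relayed_totp_accepted() -> bool:
    code = totp(SECRET, NOW)                 # user types the code on the proxied page
    return verify_totp(SECRET, code, NOW)    # proxy forwards it unchanged

def relayed_assertion_accepted() -> bool:
    sig = sign_assertion(KEY, CHALLENGE, PROXY_ORIGIN)  # browser reports the proxy's origin
    return verify_assertion(KEY, CHALLENGE, sig, REAL_ORIGIN)

def direct_assertion_accepted() -> bool:
    sig = sign_assertion(KEY, CHALLENGE, REAL_ORIGIN)
    return verify_assertion(KEY, CHALLENGE, sig, REAL_ORIGIN)

if __name__ == "__main__":
    print("relayed TOTP accepted:     ", relayed_totp_accepted())
    print("relayed assertion accepted:", relayed_assertion_accepted())
    print("direct assertion accepted: ", direct_assertion_accepted())
```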
