Why This Matters Now
Reverse-proxy phishing kits arrived in earnest in 2022 and matured into a subscription-style market across 2024 and 2025. The shift mattered because it broke the pattern that defenders had relied on for a decade: that credential phishing pages were static clones of identity-provider login screens, distinguishable by URL inspection or visual hash. A reverse-proxy kit relays the real provider's page to the victim and the victim's input back to the provider, completing the multi-factor exchange and harvesting the issued session token. The lure is no longer the artifact. The kit is.
By 2026, the kit ecosystem looks less like a malware family and more like SaaS. Operators rent access. Authors maintain infrastructure rotation, captcha-bypass refreshes, and victim-targeting features. Because the operator is detached from the kit author, attribution fragments — the same kit appears across financially motivated, espionage-adjacent, and opportunistic activity within the same week.
Shape of the Trend
The kit families that dominate public reporting are Tycoon 2FA (operated by the cluster Microsoft tracks as Storm-1747), EvilProxy (covered consistently by Proofpoint after Resecurity's original 2022 disclosure), Mamba 2FA (documented by Sekoia in 2024), and Greatness (originally written up by Cisco Talos in 2023 and tracked across vendors since). They share a common architecture — reverse-proxy front, victim-specific URL paths, captcha gating to deter automated takedown — and differ primarily in lure customization, pricing tier, and which identity providers they target.
Tycoon 2FA is the most-discussed of the group across 2024 and 2025 vendor reporting. Sekoia has published several deep dives into its URL-path schema and JavaScript bundle structure. Microsoft has tied an operator cluster to its sale and operation. EvilProxy has held a more enterprise-targeting posture per Proofpoint's coverage. Mamba 2FA appeared as an active competitor in mid-2024 per Sekoia. Greatness has remained associated with Microsoft 365 credential theft across the same period.
Timeline 2024 → 2026
Public reporting documents a steady arrival rather than discrete events. EvilProxy was the public-facing leader through 2023. Tycoon 2FA scaled significantly across 2024 in Sekoia and Microsoft tracking. Mamba 2FA appeared in Sekoia's reporting as an active competitor in the same window. Through 2025 and into 2026, the kit population diversified rather than consolidated; operators move between kits as features and prices change.
TTPs in Detail
The reverse-proxy mechanic is consistent. The victim arrives at an attacker-controlled domain that mirrors the identity-provider login page byte-for-byte because it is, in fact, that page — proxied. Credentials submitted by the victim are forwarded to the provider; the multi-factor challenge issued by the provider is forwarded back to the victim; the victim's response goes through the proxy; and the session cookie issued at the end of the exchange is captured by the proxy before being passed on. The attacker leaves with a valid session, often with refresh-token-class durability when the victim authorizes a long-lived consent.
Kit operators commonly target first-party Microsoft client identifiers because those clients inherit broad default scopes on Microsoft Graph and Exchange Online. The same pattern applies to Google Workspace targeting where reported. Lure delivery uses email, SMS, Microsoft Teams external chat, and abused trusted infrastructure depending on the customer.
What Worked, What Didn't
The technique succeeded against environments that relied primarily on URL inspection, brand training, and SMS-based MFA. It also succeeded broadly against TOTP and push-based MFA when the victim completed the prompt during the live session. The technique did not succeed where the second factor was phishing-resistant — FIDO2 security keys and platform passkeys complete authentication against the legitimate provider's origin only, and a reverse proxy at a different origin cannot satisfy the challenge. Conditional Access policies that require compliant or hybrid-joined devices on sensitive applications also broke the chain after token theft, because the captured token was not bound to a registered device.
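As an added illustration of the origin binding described above (example code, not from any kit or vendor report): a minimal model of the relying-party checks in a WebAuthn assertion, with the identity-provider origin and RP ID as constructed values, showing why an assertion produced while the browser sits on a proxy's origin is rejected before any signature is even examined.

```python
import base64
import hashlib
import json
import secrets

# Constructed values standing in for the legitimate identity provider.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def browser_client_data(origin: str, challenge: bytes) -> bytes:
    # clientDataJSON as the browser builds it for navigator.credentials.get().
    # The browser sets `origin` from the page that called it; page content
    # (proxied or not) cannot override it.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def rp_verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                        issued_challenge: bytes) -> tuple[bool, str]:
    # Relying-party checks from the WebAuthn assertion procedure that a
    # reverse proxy on another origin cannot satisfy. Signature verification
    # over authenticatorData || SHA-256(clientDataJSON) would follow these.
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != issued_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID the
    # authenticator scoped the credential to.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

def ceremony(origin_seen_by_browser: str) -> tuple[bool, str]:
    # One authentication: the RP's challenge is relayed unchanged (as a proxy
    # would relay it) but the browser is sitting on `origin_seen_by_browser`,
    # so the RP ID it will accept is derived from that origin.
    challenge = secrets.token_bytes(32)
    rp_id_seen = origin_seen_by_browser.split("://", 1)[1]
    auth_data = hashlib.sha256(rp_id_seen.encode()).digest() + b"\x05" + b"\x00" * 4
    return rp_verify_assertion(browser_client_data(origin_seen_by_browser, challenge),
                               auth_data, challenge)
```

`ceremony(EXPECTED_ORIGIN)` passes; the same ceremony run from any other origin fails the origin check, which is the property that SMS, TOTP and push approvals lack.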
What stopped working from the operator side is more interesting. URL-similarity blocklists were never very effective against well-resourced kits, which rotate domains daily. But across 2024 and 2025, public reporting suggests defenders had increased success matching kits at the JavaScript-bundle and URL-path layer, surviving infrastructure rotation. Operators responded by introducing per-customer bundle randomization, with mixed results.
Where It's Heading
Public reporting through early 2026 indicates the kit market is fragmenting rather than consolidating. New kits appear; older kits split or rebrand. The defender posture that survives this trend treats kits as a class rather than chasing instances: phishing-resistant authentication on identity-critical accounts, Conditional Access on session lifetime and device posture, and detection that operates at the kit-fingerprint and identity-provider-telemetry layers rather than the lure layer.
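As an added example of detection at the identity-provider-telemetry layer (constructed events and assumed field names, not any vendor's log schema): flag sessions whose interactive MFA sign-in and later non-interactive token use come from different networks inside a short window, which is the pattern a relayed MFA exchange followed by replay of the harvested session cookie produces.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SignIn:
    # Field names are assumed for this example; map them to your provider's
    # sign-in log schema (session identifier, network origin, MFA result).
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: str
    interactive: bool
    mfa_satisfied: bool

# Constructed events. Session S1: MFA completed from the victim's network,
# then the issued session used minutes later from an unrelated ASN, which is
# what a relayed MFA exchange followed by cookie replay looks like.
# Session S2: ordinary user whose later token use stays on the same ASN.
EVENTS = [
    SignIn(datetime(2025, 3, 4, 9, 0), "a.user", "S1", "203.0.113.10", "AS64500", True, True),
    SignIn(datetime(2025, 3, 4, 9, 7), "a.user", "S1", "198.51.100.7", "AS64511", False, False),
    SignIn(datetime(2025, 3, 4, 9, 1), "b.user", "S2", "203.0.113.22", "AS64500", True, True),
    SignIn(datetime(2025, 3, 4, 9, 30), "b.user", "S2", "203.0.113.22", "AS64500", False, False),
]

def detect_session_replay(events: list[SignIn], window: timedelta = timedelta(hours=2)) -> list[dict]:
    # Anchor each session on its first interactive, MFA-satisfied sign-in, then
    # flag any later use of the same session from a different ASN within the
    # window. ASN rather than IP avoids alerting on ordinary NAT/DHCP churn.
    by_session: dict[str, list[SignIn]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(e.session_id, []).append(e)
    alerts = []
    for sid, evs in by_session.items():
        anchor = next((e for e in evs if e.interactive and e.mfa_satisfied), None)
        if anchor is None:
            continue
        for e in evs:
            if e.ts <= anchor.ts or e.ts - anchor.ts > window:
                continue
            if e.asn != anchor.asn:
                alerts.append({"user": e.user, "session_id": sid,
                               "mfa_from": anchor.ip, "replayed_from": e.ip,
                               "minutes_after_mfa": (e.ts - anchor.ts).total_seconds() / 60})
    return alerts
```

Run against the constructed events, only S1 is reported; pairing this with a device-compliance requirement in Conditional Access turns the same signal from an alert into a blocked token.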