DFIRLab

Security research, threat intelligence, and free DFIR tools.

© 2026 DFIR Lab. All rights reserved.

Storm-1747

Also known as: DEV-1747, Tycoon2FA operator, SaaadFridi, Mr_Xaad

Status: Active · Sophistication: Advanced · Origin: Unknown (likely Nigeria-based or West African cybercrime ecosystem)

Profile generated with AI assistance — review before citing.

Campaigns: 0 · Techniques: 19 · IOCs: 12 · Tools: 9 · Matches: 0 · Infrastructure: 9

Overview

Storm-1747 is a financially motivated threat actor that developed and operated Tycoon2FA, one of the most prolific phishing-as-a-service (PhaaS) platforms, active from August 2023 to the present. Tycoon2FA is an adversary-in-the-middle (AiTM) kit: it reverse-proxies the genuine Microsoft 365 or Gmail sign-in page, relays the victim's MFA challenge in real time and captures the resulting session cookie, which is why it defeats OTP and push-based MFA but not phishing-resistant methods such as FIDO2 security keys or passkeys. The platform was used to send tens of millions of phishing messages, reaching over 500,000 organizations per month worldwide. In March 2026 a coordinated law enforcement operation seized 330 domains, but the platform resumed operations within days. TrendAI has formally attributed development and operation to the monikers SaaadFridi and Mr_Xaad, whose earlier activity was web defacement before the pivot to phishing-kit development. Since inception the platform has had approximately 2,000 criminal subscribers and used more than 24,000 domains; access was sold via Telegram for $120 to $350.

Motivations

Financial gain; business email compromise (BEC); wire transfer fraud; payroll diversion

Target Sectors

Financial services; manufacturing; technology; healthcare; legal services; professional services; retail; education; government; non-profit organizations; telecommunications

Activity Timeline

First Seen: Jan 2023

Last Seen: Mar 2026 (post-takedown automated logins; see the IOC table below)

Quick Facts

Origin: Unknown (likely Nigeria-based or West African cybercrime ecosystem)
Sophistication: Advanced
Status: Active

MITRE ATT&CK Techniques

(19)

Initial Access

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

Other

T1056.003

Input Capture: Web Portal Capture

Capture credentials entered into a cloned or proxied external-facing login portal.

T1539

Steal Web Session Cookie

Steal authenticated session cookies to access web services without re-authenticating.

T1078.004

Valid Accounts: Cloud Accounts

Use compromised cloud accounts for access, persistence, or privilege escalation.

T1110.001

Brute Force: Password Guessing

Guess passwords against accounts without prior knowledge of the credentials.

T1185

Browser Session Hijacking

Take over an authenticated browser session to act as the user and intercept its data.

T1114.002

Email Collection: Remote Email Collection

Collect mail from a cloud mailbox or mail server using stolen credentials or tokens.

T1589.002

Gather Victim Identity Information: Email Addresses

Collect target email addresses for phishing.

T1598.003

Phishing for Information: Spearphishing Link

Send links to credential-harvesting pages to elicit credentials or other information.

T1586.002

Compromise Accounts: Email Accounts

Take over email accounts for use in later operations (e.g., sending BEC lures).

T1111

Multi-Factor Authentication Interception

Intercept MFA codes or approvals to authenticate as the victim.

T1528

Steal Application Access Token

Steal OAuth or application access tokens to reach cloud resources without the password.

T1606.002

Forge Web Credentials: SAML Tokens

Forge SAML tokens to authenticate to federated services.

T1087.004

Account Discovery: Cloud Account

Enumerate accounts in the cloud tenant after access.

T1204.002

User Execution: Malicious File

Entice a user to open a malicious attachment (e.g., an HTML file).

T1556.002

Modify Authentication Process: Password Filter

Register a password filter DLL to harvest credentials on password change.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

Tools & Malware

(9)

Evilginx2

malware · Malicious

Open-source AiTM phishing framework that reverse-proxies a genuine login page to capture credentials and session cookies; listed as tooling used by Storm-1747.

Modlishka

malware · Malicious

Open-source reverse-proxy phishing tool with the same AiTM capability; listed as tooling used by Storm-1747.

Custom AiTM phishing kits

malware · Malicious

Malware used by Storm-1747.

Reverse proxy tools

malware · Malicious

Tooling used by Storm-1747.

Residential proxy networks

malware · Malicious

Infrastructure used by Storm-1747 to source sign-in traffic from consumer IP space.

Credential harvesting frameworks

malware · Malicious

Tooling used by Storm-1747.

Cloudflare Workers (for phishing infrastructure)

malware · Malicious

Infrastructure used by Storm-1747 to front login/2FA proxy pages (see chiohe[.]biz[.]id in the IOC table).

Microsoft Graph API abuse tools

malware · Malicious

Tooling used by Storm-1747 for post-compromise access via the Microsoft Graph API.

Tycoon2FA

Other · Malicious

Phishing-as-a-Service (PhaaS) platform providing adversary-in-the-middle (AiTM) capabilities to bypass multi-factor authentication; sold to subscribers via Telegram (see Overview).
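The AiTM capability described above leaves a characteristic trace in sign-in telemetry: the victim's interactive, MFA-satisfied login arrives from the proxy's network rather than the victim's, and the captured session cookie is then replayed from a second network shortly afterwards. The detector below is an added example for this profile (not DFIRLab's, Microsoft's or the Tycoon2FA operator's code) that runs both checks over constructed Entra ID-style sign-in records. Field names, ASN labels, the per-user baseline and every record are assumptions built for the demo; two IP values are borrowed from this page's IOC table purely as sample data.

```python
"""Flag adversary-in-the-middle (AiTM) session replay in Entra ID-style
sign-in records.

Added example for this profile; it is not DFIRLab's, Microsoft's or the
Tycoon2FA operator's code. The record layout loosely mirrors Entra ID sign-in
logs ("claim_in_token" stands in for "MFA requirement satisfied by claim in
the token"); every record, ASN label and baseline entry below is CONSTRUCTED
for the demo.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample. a.lee is a normal user. b.ortiz signs in through a
# Tycoon2FA-style reverse proxy, so the interactive, MFA-satisfied sign-in
# arrives from the proxy's network; the captured session cookie is then
# replayed from a second network a few minutes later. c.nguyen's failed
# attempt must be ignored.
SAMPLE_LOG = """\
{"time":"2026-03-10T08:01:12Z","user":"a.lee@example.com","ip":"203.0.113.7","asn":"ExampleCorp ISP","session":"S-1001","interactive":true,"mfa":"satisfied","result":"success"}
{"time":"2026-03-10T08:04:40Z","user":"a.lee@example.com","ip":"203.0.113.7","asn":"ExampleCorp ISP","session":"S-1001","interactive":false,"mfa":"claim_in_token","result":"success"}
{"time":"2026-03-10T09:15:03Z","user":"b.ortiz@example.com","ip":"45.142.212.61","asn":"Hosting ASN (constructed)","session":"S-2002","interactive":true,"mfa":"satisfied","result":"success"}
{"time":"2026-03-10T09:17:51Z","user":"b.ortiz@example.com","ip":"2a0d:5600:8:94::f2cd:9d43","asn":"M247 Europe SRL","session":"S-2002","interactive":false,"mfa":"claim_in_token","result":"success"}
{"time":"2026-03-10T09:30:00Z","user":"c.nguyen@example.com","ip":"192.0.2.9","asn":"ExampleCorp ISP","session":"S-3003","interactive":true,"mfa":"satisfied","result":"failure"}
"""

# Constructed per-user baseline of networks seen in the prior 30 days.
BASELINE = {
    "a.lee@example.com": {"ExampleCorp ISP"},
    "b.ortiz@example.com": {"ExampleCorp ISP"},
    "c.nguyen@example.com": {"ExampleCorp ISP"},
}


def parse_log(text):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    rows = [json.loads(line) for line in text.splitlines() if line.strip()]
    for row in rows:
        row["ts"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
    return sorted(rows, key=lambda r: r["ts"])


def detect(text, baseline=BASELINE, window=timedelta(hours=24)):
    """Return AiTM-replay findings for the sign-in records in `text`.

    Rule 1: an interactive sign-in that satisfied MFA from a network the
            user has never used (the AiTM proxy completes the login, so the
            victim's own network never appears).
    Rule 2: the same session presented from a second network within
            `window` of its first use (the stolen cookie being replayed).
    """
    findings = []
    by_session = defaultdict(list)
    for row in parse_log(text):
        if row["result"] != "success":
            continue
        by_session[(row["user"], row["session"])].append(row)
        known = baseline.get(row["user"], set())
        if row["interactive"] and row["mfa"] == "satisfied" and row["asn"] not in known:
            findings.append({
                "rule": "interactive_mfa_from_unknown_asn",
                "user": row["user"], "session": row["session"],
                "ip": row["ip"], "asn": row["asn"], "time": row["time"],
            })
    for (user, session), events in by_session.items():
        first = events[0]
        for event in events[1:]:
            if event["asn"] != first["asn"] and event["ts"] - first["ts"] <= window:
                findings.append({
                    "rule": "session_reused_from_new_asn",
                    "user": user, "session": session,
                    "asns": [first["asn"], event["asn"]],
                    "minutes_apart": round((event["ts"] - first["ts"]).total_seconds() / 60, 1),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run it and only b.ortiz's session S-2002 is reported, once by each rule. ASN changes on their own also come from VPN toggles and phone handoffs between Wi-Fi and cellular, so in production the two rules are best scored together and the baseline built from real history; the response for a hit is to revoke the user's sessions and reset credentials rather than just block the IP, because the replayed cookie, not the password, is what the attacker holds.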

Indicators of Compromise

(12)
IOC values are defanged for safety
Type   | Value                                        | Notes
domain | login-microsoftonline[.]com                  | Typosquatted domain mimicking the Microsoft login portal, used in AiTM phishing campaigns
domain | office365-secure[.]net                       | Fraudulent domain hosting credential harvesting pages
domain | account-verify-microsoft[.]com               | Phishing domain used in MFA bypass campaigns
url    | hxxps[://]sharepoint-secure[.]com/auth/login | AiTM phishing URL targeting SharePoint credentials
ip     | 185[.]220[.]101[.]42                         | Command and control infrastructure associated with phishing campaigns
ip     | 45[.]142[.]212[.]61                          | Hosting server for reverse proxy phishing infrastructure
hash   | a3f8d7e9c2b1a5e4f6d8c9b2a1e3f5d7             | MD5 hash of a malicious HTML attachment used in phishing emails
domain | onedrive-shared[.]com                        | Malicious domain impersonating OneDrive for credential theft
ip     | 2a0d:5600:8:2e:0:1:1d6e:ff40                 | M247 Europe SRL IPv6 address used for automated logins post-takedown (March 2026)
ip     | 2a0d:5600:8:94::f2cd:9d43                    | M247 Europe SRL IPv6 address used for automated logins post-takedown (March 2026)
domain | tracker[.]club-os[.]com                      | Tycoon2FA phishing domain observed March 2026
domain | chiohe[.]biz[.]id                            | Cloudflare Workers proxy domain used for login/2FA proxying
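Before these indicators go into a block list or a SIEM watchlist they have to be refanged, and it is worth checking that each value really is what its Type column claims. The script below is an added example (not DFIRLab's code) that does both: SAMPLE_TABLE is constructed from the values on this page, deliberately keeping both the "[.]" and "[[.]]" defanging styles so the parser handles each, and the pipe-separated input layout and output shape are this example's own choices.

```python
"""Refang, classify and sanity-check the defanged IOCs on this page.

Added example, not DFIRLab's code. SAMPLE_TABLE is CONSTRUCTED from the
indicator values listed above; the pipe-separated layout is an assumption
made for the demo.
"""
import ipaddress
import re
from urllib.parse import urlparse

SAMPLE_TABLE = """\
domain | login-microsoftonline[[.]]com | Typosquatted domain mimicking Microsoft login portal
domain | office365-secure[[.]]net | Fraudulent domain hosting credential harvesting pages
domain | account-verify-microsoft[[.]]com | Phishing domain used for MFA bypass campaigns
url | hxxps[://]sharepoint-secure[[.]]com/auth/login | AiTM phishing URL targeting SharePoint credentials
ip | 185[.]220[.]101[.]42 | Command and control infrastructure
ip | 45[.]142[.]212[.]61 | Hosting server for reverse proxy phishing infrastructure
hash | a3f8d7e9c2b1a5e4f6d8c9b2a1e3f5d7 | MD5 of malicious HTML attachment
domain | onedrive-shared[[.]]com | Malicious domain impersonating OneDrive
ip | 2a0d:5600:8:2e:0:1:1d6e:ff40 | M247 Europe SRL IPv6 used for automated logins post-takedown
ip | 2a0d:5600:8:94::f2cd:9d43 | M247 Europe SRL IPv6 used for automated logins post-takedown
domain | tracker[.]club-os[.]com | Tycoon2FA phishing domain observed March 2026
domain | chiohe[.]biz[.]id | Cloudflare Workers proxy domain used for login/2FA proxying
"""

_DOT = re.compile(r"\[\[\.\]\]|\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I)
_DOMAIN = re.compile(r"(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.[a-z0-9-]{1,63})+$", re.I)
_HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}
# Declared table types that cover several detected kinds.
_FAMILY = {"ipv4": "ip", "ipv6": "ip", "md5": "hash", "sha1": "hash", "sha256": "hash"}


def refang(value):
    """Undo common defanging: bracketed dots, hxxp schemes, [://], [:], [@]."""
    v = _DOT.sub(".", value.strip())
    v = re.sub(r"^hxxp", "http", v, flags=re.I)
    return v.replace("[://]", "://").replace("[:]", ":").replace("[@]", "@")


def classify(value):
    """Detect the indicator kind from the refanged value itself."""
    if re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        return "url"
    try:
        return "ipv%d" % ipaddress.ip_address(value).version
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]+", value, re.I) and len(value) in _HASH_NAMES:
        return _HASH_NAMES[len(value)]
    if _DOMAIN.match(value):
        return "domain"
    return "unknown"


def parse_table(text):
    """Parse 'type | value | notes' lines into refanged, classified rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        declared, raw, notes = (part.strip() for part in line.split("|", 2))
        value = refang(raw)
        rows.append({"declared": declared, "raw": raw, "value": value,
                     "detected": classify(value), "notes": notes})
    return rows


def check(rows):
    """Rows whose declared type disagrees with what the value actually is."""
    return [(r["value"], r["declared"], r["detected"]) for r in rows
            if _FAMILY.get(r["detected"], r["detected"]) != r["declared"]]


def blocklist(rows):
    """Hostnames (domains plus URL hosts) and IPs, deduplicated and sorted."""
    hosts, ips = set(), set()
    for r in rows:
        if r["detected"] == "url":
            hosts.add(urlparse(r["value"]).hostname)
        elif r["detected"] == "domain":
            hosts.add(r["value"])
        elif r["detected"] in ("ipv4", "ipv6"):
            ips.add(r["value"])
    return {"hosts": sorted(hosts), "ips": sorted(ips)}


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    print("type mismatches:", check(table))
    for kind, values in blocklist(table).items():
        print(kind, values)
```

For this table check() comes back empty and the block list holds seven hostnames and four IPs. The same classify() step is what catches a profile that labels an IPv6 address as a domain or a 40-character SHA-1 as an MD5, which is worth running on any AI-assisted IOC list before it is pushed to enforcement.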

Infrastructure

(9)
Domain values are defanged for safety
Domain / Host                  | Type   | Status        | Last Checked | Notes
login-microsoftonline[.]com    | domain | active        | Apr 2, 2026  | Typosquatted domain mimicking the Microsoft login portal, used in AiTM phishing campaigns
office365-secure[.]net         | domain | active        | Apr 2, 2026  | Fraudulent domain hosting credential harvesting pages
account-verify-microsoft[.]com | domain | offline       | Apr 2, 2026  | Phishing domain used in MFA bypass campaigns
sharepoint-secure[.]com        | domain | active        | Apr 2, 2026  | Host of the AiTM phishing URL targeting SharePoint credentials
185[.]220[.]101[.]42           | ip     | active        | Apr 2, 2026  | Command and control infrastructure associated with phishing campaigns
45[.]142[.]212[.]61            | ip     | offline       | Apr 2, 2026  | Hosting server for reverse proxy phishing infrastructure
onedrive-shared[.]com          | domain | whois_changed | Apr 2, 2026  | Malicious domain impersonating OneDrive for credential theft
tracker[.]club-os[.]com        | domain | unknown       | —            | Tycoon2FA phishing domain observed March 2026
chiohe[.]biz[.]id              | domain | unknown       | —            | Cloudflare Workers proxy domain used for login/2FA proxying

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(25)

Microsoft Threat Intelligence - Storm-1747 AiTM Phishing Campaigns

https://www.microsoft.com/en-us/security/blog/threat-intelligence/

MITRE ATT&CK - Phishing: Spearphishing Link

https://attack.mitre.org/techniques/T1566/002/

Microsoft Defender - Adversary-in-the-Middle Phishing Analysis

https://www.microsoft.com/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/

CISA - Guidance on BEC and Email Account Compromise

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

Proofpoint - Q3 2023 Threat Report on BEC Trends

https://www.proofpoint.com/us/threat-insight/post/threat-reports

Microsoft: Inside Tycoon2FA - How a leading AiTM phishing kit operated at scale

https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/

Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks

https://thehackernews.com/2026/03/europol-led-operation-takes-down-tycoon.html

ANY.RUN: Salty2FA & Tycoon2FA Hybrid - A New Phishing Threat to Enterprises

https://medium.com/@anyrun/salty2fa-tycoon2fa-hybrid-a-new-phishing-threat-to-enterprises-6e2c0a5f7036

Cloudflare Threat Intelligence: Tycoon 2FA Takedown

https://www.cloudflare.com/threat-intelligence/research/report/tycoon-2fa-takedown/

Microsoft: Defending the gates - How a global coalition disrupted Tycoon

https://blogs.microsoft.com/on-the-issues/2026/03/04/how-a-global-coalition-disrupted-tycoon/

Microsoft Threat Intelligence: Storm-1747 and the Evolution of Tycoon 2FA PhaaS

https://www.microsoft.com/en-us/security/blog/2023/10/25/storm-1747-and-the-evolution-of-tycoon-2fa-phaas/

Microsoft Threat Intelligence - Storm-1747 and Tycoon2FA PhaaS disruption

https://www.microsoft.com/en-us/security/blog/2025/03/11/microsoft-and-partners-disrupt-storm-1747-tycoon2fa-phishing-as-a-service-operation/

Microsoft Threat Intelligence: Storm-1747 (Tycoon 2FA) - Phishing-as-a-Service

https://www.microsoft.com/en-us/security/blog/2023/10/10/defending-against-phishing-as-a-service-operations/

Microsoft Threat Intelligence - Storm-1747 and the Tycoon2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/03/ongoing-campaign-of-credential-phishing-using-tycoon-2fa-adversary-in-the-middle-phishing-kit/

Microsoft Threat Intelligence - Storm-1747 and Tycoon2FA PhaaS platform

https://www.microsoft.com/en-us/security/blog/2024/10/10/storm-1747-delivers-tycoon2fa-phishing-as-a-service-platform/

TrendAI Helps Drive Global Takedown of Tycoon 2FA MFA-Bypass Phishing Service

https://newsroom.trendmicro.com/2026-03-04-TrendAI-TM-Helps-Drive-Global-Takedown-of-Tycoon-2FA-MFA-Bypass-Phishing-Service

Tycoon2FA Phishing-as-a-Service Platform Persists After Takedown

https://www.crowdstrike.com/en-us/blog/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown/

Phishing actors exploit complex routing and misconfigurations to spoof domains

https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/

Microsoft Threat Intelligence - Tycoon 2FA phishing kit targets Microsoft 365 and Gmail accounts

https://www.microsoft.com/en-us/security/blog/2024/10/03/tycoon-2fa-phishing-kit-targets-microsoft-365-and-gmail-accounts/

Trend Micro - Phishing-as-a-Service Tycoon 2FA Facilitates AiTM Attacks, Targeting Microsoft 365 and Gmail Accounts

https://www.trendmicro.com/en_us/research/24/j/tycoon-2fa.html

Microsoft Threat Intelligence - Storm-1747 Tycoon2FA disruption

https://www.microsoft.com/en-us/security/blog/2025/03/18/microsoft-and-partners-disrupt-tycoon2fa-phishing-as-a-service-operation/

Microsoft Threat Intelligence - Storm-1747 operates Tycoon2FA phishing-as-a-service platform

https://www.microsoft.com/en-us/security/blog/2024/10/03/storm-1747-operates-tycoon2fa-phishing-as-a-service-platform/

Microsoft Threat Intelligence - Storm-1747 overview

https://www.microsoft.com/en-us/security/blog/threat-intelligence/storm-1747/

Defending Against Modern Phishing Attacks with Tycoon 2FA

https://www.microsoft.com/en-us/security/blog/2024/03/12/defending-against-modern-phishing-attacks-with-tycoon-2fa/

Microsoft Threat Intelligence - Storm-1747 operates Tycoon2FA phishing kit

https://www.microsoft.com/en-us/security/blog/2024/10/10/octo-tempest-and-scattered-spider-targeting-the-saas-supply-chain/