The ‘code of conduct’ phishing campaign: What MSPs need to know right now

This campaign is a precision operation built on commercial services and commodity criminal tools, and the tooling behind it can be rented for a few hundred dollars by anyone with a Telegram account. The infrastructure is disposable, replaceable, and difficult to distinguish from normal business email traffic at the network level.

Why this is high-risk phishing

This campaign is more dangerous than traditional botnet‑driven phishing because it relies almost entirely on properly configured commercial infrastructure and avoids many of the technical signals that security controls are designed to detect. For example:

Infrastructure

  • Use of standard enterprise email delivery services rather than compromised hosts
  • Properly authenticated domains with valid SPF, DKIM, and DMARC alignment
  • Cloud-hosted phishing infrastructure with no prior abuse reputation
  • No reliance on known botnet IP ranges or previously abused networks

Delivery

  • Low‑volume, targeted delivery that avoids burst or spray‑and‑pray patterns
  • Clean SMTP headers and standard mail routing paths
  • No rapid IP or domain churn commonly associated with botnet operations

Content and interaction

  • Contextual lures tied to corporate policy and compliance workflows
  • Multi‑step redirect chains designed to frustrate automated analysis
  • Adversary‑in‑the‑middle proxies that operate inline with genuine Microsoft authentication flows rather than static credential capture pages

These characteristics contrast sharply with botnet‑driven phishing campaigns. Helpful signals like reputation-based indicators, malformed delivery paths and reused phishing templates are largely absent here.

Specific takeaways for MSPs

Managed service providers operate at the intersection of identity, access and scale. A single successful AiTM phishing event can give attackers access to multiple customer environments through delegated administration, shared tooling or elevated service accounts. The following steps highlight ways MSPs can better protect themselves and their clients from attacks where traditional controls and assumptions fall short.

Audit your clients’ MFA implementations. SMS codes, authenticator app one-time passwords (OTPs), and push-based MFA are all vulnerable to AiTM session hijacking: the proxy relays whatever the victim types or approves to the real identity provider in real time and keeps the session cookie that comes back, so the second factor is satisfied for the attacker’s session. Conditional access policies that evaluate device compliance, IP location, and sign-in risk can reduce exposure in the near term, but the definitive fix is phishing-resistant authentication, which binds the credential to the genuine origin and cannot be replayed through a proxy. Begin planning migrations to FIDO2 security keys or passkey-based authentication for privileged accounts first, then expand to the broader user base.

Treat PhaaS fragmentation events as an acceleration of risk, not a reduction. The Tycoon 2FA takedown didn’t shrink the threat — it distributed it. Multiple kits with overlapping capabilities are now competing for operator market share. That means more operators, more campaigns, more technique variation, and less predictable infrastructure. Signature-based detection will fall further behind.

Review email security stacks for AiTM-specific detection gaps. Can your email security solution detect when a legitimate email delivery service is being used to send phishing from properly authenticated attacker-controlled domains? Can it extract and evaluate the link actions embedded in PDF attachments, not just links in the message body? Can it follow post-click redirect chains through CAPTCHA gates? If the answer to any of these is no, you have a gap this campaign would exploit.
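The PDF question above is one that can be checked directly. The script below is an added example, not tooling from the original post or from any vendor it mentions: it pulls every /URI link action out of a PDF, including links hidden inside FlateDecode-compressed streams (where a naive grep on the raw file misses them), and flags any whose host is not the brand the lure claims to be. The PDF bytes, the hostnames and the allowlist are constructed for the demonstration.

```python
"""Extract /URI link actions from a PDF and flag hosts outside an allowlist.

Added example for the 'can it inspect PDFs for embedded links?' question; not code
from the original post. The sample PDF, hostnames and allowlist are constructed.
"""
import re
import zlib
from urllib.parse import urlsplit

# PDF strings come in two forms: literal (...) with backslash escapes, and hex <...>.
LITERAL_URI = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
HEX_URI = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(literal: bytes) -> bytes:
    # Only the escapes that matter for URLs; a full PDF string parser also handles octal.
    return re.sub(rb"\\([()\\])", rb"\1", literal)


def extract_pdf_uris(pdf: bytes) -> list:
    """Return every /URI target, including ones inside FlateDecode streams."""
    search_space = [pdf]
    for body in STREAM.findall(pdf):
        try:
            search_space.append(zlib.decompress(body))  # object streams, page content
        except zlib.error:
            pass  # image data or other filters: not something we can search as text
    found = []
    for blob in search_space:
        found += [_unescape(m).decode("latin-1") for m in LITERAL_URI.findall(blob)]
        found += [bytes.fromhex(re.sub(rb"\s", b"", m).decode()).decode("latin-1")
                  for m in HEX_URI.findall(blob)]
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def flag_external_hosts(uris, allowed_hosts) -> list:
    """Return URIs whose host is neither an allowed host nor a subdomain of one."""
    allowed = {h.lower() for h in allowed_hosts}
    bad = []
    for u in uris:
        host = (urlsplit(u).hostname or "").lower()
        if host not in allowed and not any(host.endswith("." + a) for a in allowed):
            bad.append(u)
    return bad


def build_sample_pdf() -> bytes:
    """Constructed three-link PDF: a literal-string link, a hex-string link, and a
    link buried in a zlib-compressed stream, which a grep on the raw bytes misses."""
    hidden = (b"7 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (https://policy-review.example/verify) >> >> endobj")
    packed = zlib.compress(hidden)
    hexuri = b"https://hr-portal.example/conduct".hex().encode()
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Annots [4 0 R 5 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
        b"/A << /S /URI /URI (https://www.example-corp.test/policies/code\\(1\\).pdf) >> >> endobj\n"
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 680] "
        b"/A << /S /URI /URI <" + hexuri + b"> >> >> endobj\n"
        b"6 0 obj << /Length " + str(len(packed)).encode()
        + b" /Filter /FlateDecode >> stream\n" + packed + b"\nendstream endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    uris = extract_pdf_uris(build_sample_pdf())
    print("links:", uris)
    print("outside allowlist:", flag_external_hosts(uris, ["example-corp.test"]))
```

Two of the three links point away from the claimed corporate domain, and one of them is only visible after decompressing the stream. A production check would also decode object streams properly, look at /Launch and /JavaScript actions, and resolve the redirect chain behind each flagged link rather than stopping at the first hop.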

Prepare clients for the “code of conduct” lure. Ensure they train employees to verify unexpected HR or compliance messages through a separate channel before clicking anything.

Monitor for post-compromise signals aggressively. Don’t wait for a phishing email to be caught. Monitor for anomalous sign-in properties, impossible travel, and a session that reappears from a new IP address or user agent minutes after a successful MFA sign-in, which is what a replayed session cookie looks like in the logs. AiTM attacks are fast-moving: the window between session hijack and attack damage can be measured in minutes, not hours.
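The impossible-travel check is simple enough to run over any sign-in export. The script below is an added example, not code from the original post: it walks each user’s sign-ins in time order, computes the great-circle distance between consecutive events, and raises an alert when the implied speed exceeds a plausible ceiling. The sign-in records are constructed; the 900 km/h ceiling is an assumption chosen to sit above airline speed, and real deployments need exceptions for VPN and proxy egress that legitimately jumps geography.

```python
"""Flag 'impossible travel' between successive sign-ins of the same user.

Added example for the post-compromise monitoring point above; not code from the post.
The sign-in records are constructed; the field names mirror what an identity provider's
sign-in log typically carries. MAX_PLAUSIBLE_KMH is an assumption.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than this between sign-ins is not travel

SAMPLE_SIGNINS = [  # constructed sample; note both alice sign-ins show MFA satisfied
    {"user": "alice", "ts": "2025-03-03T09:00:00+00:00", "ip": "198.51.100.10",
     "lat": 40.7128, "lon": -74.0060, "ua": "Windows/Edge", "mfa": "satisfied"},
    {"user": "bob", "ts": "2025-03-03T09:05:00+00:00", "ip": "198.51.100.11",
     "lat": 51.5074, "lon": -0.1278, "ua": "Windows/Chrome", "mfa": "satisfied"},
    {"user": "alice", "ts": "2025-03-03T09:30:00+00:00", "ip": "203.0.113.77",
     "lat": 6.5244, "lon": 3.3792, "ua": "Linux/Chrome", "mfa": "satisfied"},
    {"user": "bob", "ts": "2025-03-03T11:00:00+00:00", "ip": "198.51.100.12",
     "lat": 51.5155, "lon": -0.0922, "ua": "Windows/Chrome", "mfa": "satisfied"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive sign-in pair that implies an impossible speed.

    An AiTM hijack looks exactly like the alice pair: MFA satisfied on both events,
    because the proxy relayed the victim's real factor, then the stolen session is
    replayed from the attacker's box with a different IP, geography and user agent."""
    alerts = []
    last_seen = {}
    for ev in sorted(signins, key=lambda e: e["ts"]):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (datetime.fromisoformat(ev["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0:
                speed = dist / hours
            else:  # same timestamp: only a problem if the locations differ
                speed = float("inf") if dist > 0 else 0.0
            if speed > max_kmh:
                alerts.append({
                    "user": ev["user"], "distance_km": round(dist, 1),
                    "minutes_apart": round(hours * 60, 1), "implied_kmh": round(speed),
                    "from_ip": prev["ip"], "to_ip": ev["ip"],
                    "ua_changed": prev["ua"] != ev["ua"],
                    "mfa_on_both": prev["mfa"] == ev["mfa"] == "satisfied",
                })
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_SIGNINS):
        print(alert)
```

The alert carries the fields an analyst needs to act in the minutes the post describes: both IPs, whether the user agent changed, and whether MFA reported success on both sides, which is the tell that the second sign-in is a replayed session rather than a second phish.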

Communicate with clients about the MFA gap. Many clients still believe MFA makes them safe from phishing. This campaign is a concrete, well-documented example that shows otherwise. Use it to start the conversation about phishing-resistant authentication, conditional access and layered identity protection.

For MSPs, campaigns like this one highlight a shift from prevention-first thinking to resilience-first outcomes. When phishing activity blends into common infrastructure and authentication flows, the question is no longer whether every attack can be stopped, but how much damage occurs when one gets through. Limiting blast radius through identity boundaries, constrained privileges, and rapid response becomes the defining measure of security effectiveness. Resilience depends on containing the impact of an attack before a single compromised user turns into a multi-tenant incident.
