TL;DR

  • AI-powered phishing now achieves 54% click-through rates, up from 12% for traditional campaigns: 4.5 times as effective
  • Tycoon2FA phishing platform infected nearly 100,000 organizations and accounted for 62% of all phishing attempts at its peak
  • Attackers rent subscription-based phishing-as-a-service that defeats one-time-code, push and SMS MFA and sells access by the month
  • Your current employee training and email filters are not enough — AI generates hyper-personalized messages that fool even security-aware staff
  • lilMONSTER helps businesses implement identity-first security that survives MFA bypass attempts

The New Reality: AI Doesn't Just Write Phishing — It Upgrades It

The conversation about AI in cybersecurity has shifted from "what if" to "how fast." Microsoft's latest threat intelligence reveals that AI is no longer just a tool for attackers — it's embedded across their entire operation [1]. The result isn't more attacks. It's better attacks.

Consider the numbers: traditional phishing campaigns achieve roughly 12% click-through rates. When AI is embedded into phishing operations, that number jumps to 54% [1]. That's 4.5 times as effective. This isn't about sending more emails. It's about sending emails that actually work.

Why This Is Happening Now

AI reduces friction across the attack lifecycle. Instead of generic "Urgent: Verify Your Account" messages, AI scrapes your employee's LinkedIn, recent posts, company announcements, and role-specific pain points. It generates lures that reference real projects, use industry terminology, and arrive at times when targets are most likely to click.

The Microsoft Digital Defense Report 2025 documents this shift across reconnaissance, malware development, and post-compromise operations [1]. Attackers haven't changed their objectives — credential theft, financial gain, and espionage — but the precision, persistence, and scale behind them have fundamentally changed.

Related: Machine-Speed Attacks: How 22-Second Handoffs Broke Incident Response

Tycoon2FA: Industrial-Scale Phishing-as-a-Service

Tycoon2FA isn't just a phishing kit. It's a subscription platform that generated tens of millions of phishing emails per month [1]. Microsoft's Digital Crimes Unit disrupted the operation in March 2026, seizing 330 domains in coordination with Europol and industry partners [1], [3].

The scale is staggering: Tycoon2FA was linked to nearly 100,000 compromised organizations since 2023 [1]. At its peak, it accounted for 62% of all phishing attempts that Microsoft was blocking every month [1].

How Tycoon2FA Works

Tycoon2FA specialized in adversary-in-the-middle (AitM) attacks designed specifically to defeat multifactor authentication [1]. Here's the part that matters: it intercepted credentials and session tokens in real time, allowing attackers to authenticate as legitimate users even after passwords were reset [1]. Depending on the identity provider, a password reset may not invalidate sessions and tokens that were already issued, so incident response has to revoke them explicitly rather than assume the reset did it.

This isn't theoretical. One-time codes, push approvals and SMS don't help when the attacker's proxy sits between your employee and the real login page: the employee completes the genuine MFA prompt, and the proxy collects both the password and the session cookie the identity provider issues once that prompt succeeds. Phishing-resistant methods (FIDO2/WebAuthn) are the exception, because the credential is bound to the real site's origin and a lookalike domain cannot obtain a usable assertion.
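The exchange described above, as an added example that is not part of the original article and not Tycoon2FA's code: a toy model in Python of an AitM proxy relaying a password-plus-one-time-code login, and then the same proxy failing against a FIDO2/WebAuthn login. The origins, user name, password, one-time code and session format are invented, and an HMAC secret stands in for the public-key credential so the script needs only the standard library. It also covers the step-by-step walkthrough and the FAQ answer later on the page: the proxy walks away with a session cookie that a password reset does not kill, while an origin-bound credential signs over the lookalike origin and is rejected before its signature is even checked.

```python
"""Toy model of AitM phishing against password+OTP versus FIDO2/WebAuthn.
Added illustration only, not Tycoon2FA's code or any vendor's API. Origins, user
name, password and one-time code are invented; an HMAC secret stands in for the
public-key credential so the script needs only the standard library."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example-corp.test"          # assumed real sign-in origin
PHISH_ORIGIN = "https://login.example-corp-verify.test"  # assumed lookalike origin


def authenticator_sign(key, challenge, origin):
    """The victim's authenticator signs the challenge AND the origin the browser is on."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdP:
    """Minimal identity provider with two login paths and a session table."""

    def __init__(self, user, password, otp, fido_key):
        self.user, self.password, self.otp, self.fido_key = user, password, otp, fido_key
        self.sessions = {}  # session cookie -> user

    def _issue_session(self):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = self.user
        return cookie

    def login_password_otp(self, user, password, otp):
        """Classic MFA: whoever presents the right password and code gets a session cookie."""
        if user == self.user and password == self.password and otp == self.otp:
            return self._issue_session()
        return None

    def login_fido(self, user, challenge, client_origin, signature):
        """WebAuthn-style check: the signed data must name THIS origin (the
        clientDataJSON.origin check) before the signature is even verified."""
        if user != self.user or client_origin != REAL_ORIGIN:
            return None
        expected = authenticator_sign(self.fido_key, challenge, client_origin)
        return self._issue_session() if hmac.compare_digest(expected, signature) else None

    def whoami(self, cookie):
        return self.sessions.get(cookie)

    def reset_password(self, new_password):
        self.password = new_password  # deliberately leaves existing sessions untouched

    def revoke_sessions(self):
        self.sessions.clear()


class AitMProxy:
    """Lookalike site that relays every message to the real IdP and keeps what comes back."""

    def __init__(self, idp):
        self.idp = idp
        self.stolen_cookies = []

    def relay_password_otp(self, user, password, otp):
        cookie = self.idp.login_password_otp(user, password, otp)  # real IdP accepts them
        if cookie:
            self.stolen_cookies.append(cookie)  # attacker keeps the session; victim sees nothing odd
        return cookie

    def relay_fido(self, user, victim_key):
        # victim_key stands in for the victim's browser answering the relayed challenge;
        # the proxy never holds the key, it only sees the resulting assertion.
        challenge = secrets.token_hex(16)  # stands in for the real challenge relayed to the victim
        sig = authenticator_sign(victim_key, challenge, PHISH_ORIGIN)  # browser is on the phishing origin
        return self.idp.login_fido(user, challenge, PHISH_ORIGIN, sig)  # rejected: wrong origin


def otp_scenario():
    """Password + one-time code: the proxy gets a session that outlives a password reset."""
    idp = IdP("alice", "hunter2", "492817", b"unused")
    proxy = AitMProxy(idp)
    proxy.relay_password_otp("alice", "hunter2", "492817")  # victim types both into the fake page
    cookie = proxy.stolen_cookies[0]
    result = {"stolen_session_valid": idp.whoami(cookie) == "alice"}
    idp.reset_password("new-password")
    result["valid_after_password_reset"] = idp.whoami(cookie) == "alice"
    idp.revoke_sessions()
    result["valid_after_revoke"] = idp.whoami(cookie) == "alice"
    return result


def fido_scenario():
    """FIDO2/WebAuthn: the same proxy gets nothing, while a direct sign-in still works."""
    key = secrets.token_bytes(32)
    idp = IdP("alice", "hunter2", "492817", key)
    via_proxy = AitMProxy(idp).relay_fido("alice", key)
    challenge = secrets.token_hex(16)
    direct = idp.login_fido("alice", challenge, REAL_ORIGIN, authenticator_sign(key, challenge, REAL_ORIGIN))
    return {"via_proxy": via_proxy is not None, "direct": direct is not None}
```

The `revoke_sessions()` call is the step most incident checklists miss: in this model, as in the attack the article describes, a password reset alone leaves the stolen cookie working. The origin check in `login_fido` is the whole reason FIDO2 is called phishing-resistant; there is no secret the proxy could have relayed.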

The Bigger Shift: Modular Cybercrime

What makes Tycoon2FA different is its structure. Storm-1747 (the threat actor behind Tycoon2FA) wasn't operating alone [1]. This was modular cybercrime:

  • One service handled phishing templates
  • Another provided infrastructure
  • Another managed email distribution
  • Another monetized access

These services were composable, scalable, and available by subscription [1]. This is the model that has changed the threat landscape: it's not about a single sophisticated actor; it's about an ecosystem that has industrialized access and lowers the barrier to entry for everyone who plugs into it [1].

That's exactly what AI is doing across the broader threat landscape: making capabilities that once required a skilled, well-funded crew available to anyone with a subscription fee.

What This Means for Your Business

Your Perimeter Is Already Breached

If your security strategy assumes you can keep attackers out, that strategy is now obsolete. AI-powered phishing at 54% click-through rates means someone on your team will click. The question isn't if. It's when.

The implications are clear:

  • Email filters alone won't save you — AI generates unique, context-aware messages for every target, so content signatures can't keep up. Filters still block known-bad senders, domains and URLs; keep them, but don't lean on them.
  • Security awareness training has limits — even well-trained employees struggle against hyper-personalized AI-generated lures, and a lure with no spelling mistakes and a plausible pretext leaves little to spot.
  • MFA alone is not enough — AitM kits like Tycoon2FA defeat one-time codes, push and SMS by relaying the real prompt and capturing the session cookie issued once it succeeds. You need phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) for high-risk accounts: the credential is bound to the genuine site's origin, so a lookalike domain cannot obtain a usable assertion.

The Cost of Getting This Wrong

According to IBM's 2025 Cost of a Data Breach Report, the average breach costs $4.44 million globally, down from the $4.88 million reported in the 2024 edition [2]. Phishing remains the most common initial access vector, involved in 29% of breaches [2].

But the real cost isn't the headline number. It's the operational disruption: business downtime, customer churn, regulatory fines, and the time your team spends responding instead of growing your business.

How lilMONSTER Helps You Defend Against AI-Powered Phishing

Identity-First Security

We assume the attacker already has valid credentials. Because with AI-powered phishing at these effectiveness rates, they probably will. Our security approach focuses on:

  • Zero Trust architecture — every access request is verified, regardless of where it originates
  • Phishing-resistant MFA — security keys or passkeys (FIDO2/WebAuthn) for privileged accounts, which an AitM proxy cannot relay because the credential is bound to the real site's origin. Remove weaker fallback methods (SMS, one-time codes) from those accounts, or the attacker simply asks for the weaker one
  • Conditional access policies — risk-based authentication that adapts to suspicious login patterns
  • Least privilege access — limiting what an attacker can do even if they compromise an account

Related: Why AI Governance Is the New Compliance Must-Have

Detection and Response at Machine Speed

When AI accelerates attacks, human-led incident response is too slow. We help you implement:

  • Automated threat detection — security tools that flag AitM indicators (a session cookie reused from a different network or device minutes after it was issued), unusual session patterns, and credential stuffing attacks
  • Playbook-driven response — predefined actions that isolate compromised accounts within minutes, not hours
  • Continuous monitoring — 24/7 visibility into identity threats, not just perimeter alerts
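Two of the AitM indicators listed above, implemented as an added Python example over constructed sign-in records. This is not the article's or any product's detection logic, and the JSON field names are assumptions rather than a vendor schema. Rule 1 flags a session cookie used from a different network (ASN) or user agent than the one it was issued to; rule 2 flags one user active from two countries within half an hour.

```python
"""Two detections for replayed session cookies over constructed sign-in records.
Added example: not the article's or any product's code. Log lines are invented and
the field names are assumptions, not a vendor schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: bob signs in with a one-time code, then his cookie is used from a
# different network with a scripted user agent. carol's FIDO2 session stays consistent.
SAMPLE_LOG = """\
{"ts": "2026-04-06T09:00:12Z", "event": "session_issued", "user": "bob@example-corp.test", "session": "s-1001", "ip": "203.0.113.7", "asn": 64500, "country": "DE", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "mfa": "otp"}
{"ts": "2026-04-06T09:00:40Z", "event": "request", "user": "bob@example-corp.test", "session": "s-1001", "ip": "203.0.113.7", "asn": 64500, "country": "DE", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts": "2026-04-06T09:03:05Z", "event": "request", "user": "bob@example-corp.test", "session": "s-1001", "ip": "198.51.100.23", "asn": 64511, "country": "NL", "ua": "python-requests/2.31"}
{"ts": "2026-04-06T09:10:00Z", "event": "session_issued", "user": "carol@example-corp.test", "session": "s-1002", "ip": "192.0.2.55", "asn": 64500, "country": "DE", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "mfa": "fido2"}
{"ts": "2026-04-06T09:12:30Z", "event": "request", "user": "carol@example-corp.test", "session": "s-1002", "ip": "192.0.2.55", "asn": 64500, "country": "DE", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
"""

BINDING_FIELDS = ("asn", "ua")          # attributes a session is expected to keep
TRAVEL_WINDOW = timedelta(minutes=30)   # two countries inside this window is suspicious


def parse(text):
    """JSON lines -> list of dicts with a real datetime, oldest first."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def detect(records):
    """Run both rules over time-ordered records; returns one finding dict per hit."""
    findings = []
    issued = {}                  # session id -> the record that issued it
    recent = defaultdict(list)   # user -> [(ts, country)] seen so far
    for r in records:
        if r["event"] == "session_issued":
            issued[r["session"]] = r
        elif r["event"] == "request":
            origin = issued.get(r["session"])
            if origin is None:
                findings.append({"rule": "unknown_session", "user": r["user"],
                                 "session": r["session"], "ts": r["ts"]})
            else:
                changed = [f for f in BINDING_FIELDS if r[f] != origin[f]]
                if changed:  # rule 1: cookie presented from a different network/device than it was issued to
                    findings.append({"rule": "session_replay", "user": r["user"], "session": r["session"],
                                     "ts": r["ts"], "changed": changed,
                                     "minutes_since_issue": (r["ts"] - origin["ts"]).total_seconds() / 60,
                                     "mfa_at_issue": origin.get("mfa")})
        for ts, country in recent[r["user"]]:  # rule 2: same user, two countries, short window
            if country != r["country"] and r["ts"] - ts <= TRAVEL_WINDOW:
                findings.append({"rule": "multi_country", "user": r["user"], "ts": r["ts"],
                                 "countries": sorted({country, r["country"]})})
                break
        recent[r["user"]].append((r["ts"], r["country"]))
    return findings


def run(text=SAMPLE_LOG):
    return detect(parse(text))
```

A VPN or a phone moving from Wi-Fi to mobile data also changes the ASN, so on its own rule 1 is a signal, not a verdict. The combination the sample shows (new ASN, a scripted user agent, and a session that was issued after one-time-code MFA) is what to prioritize, and the response is to revoke that session rather than only resetting the password.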

Practical, Not Paranoia

Security shouldn't get in the way of running your business. We focus on value-over-fear — protecting what you've built without turning your workplace into a fortress that slows everyone down.

Our approach: scripts-over-complexity, automation over manual processes, and defense-in-depth that actually works for small businesses. Not expensive enterprise software you can't manage. Not fear-based compliance checklists. Practical security that fits your operations.

What You Can Do Right Now

  1. Enable phishing-resistant MFA for all admin and privileged accounts. Hardware keys (YubiKey, Google Titan, etc.) cost $20-50 per key, and passkeys built into phones and laptops work the same way. Both protect against AitM attacks; remove one-time-code and SMS fallbacks from those accounts so an attacker cannot downgrade to the weaker method.
  2. Implement conditional access policies that require additional verification for:
    • Logins from new devices or locations
    • Access from unusual IP addresses
    • Privileged operations (password changes, admin actions)
  3. Audit your user access — remove unused accounts, enforce least privilege, and ensure former employees lose access immediately, including revoking their active sessions and tokens rather than only disabling the password.
  4. Test your defenses — run simulated phishing campaigns to see which users are vulnerable, then train them on the specific attacks that worked.
  5. Plan for the worst — document your incident response process, including who to call, what to isolate, how to revoke a compromised account's sessions and tokens (a password reset alone may leave a stolen session working), and how to communicate with customers and regulators.
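The policy logic behind steps 1 and 2, as an added Python example rather than anything from the article or a vendor. Decision names, user names, device IDs, role names and the home-country list are invented for the example. In Microsoft 365 the same intent is expressed through Conditional Access policies, where the admin rule corresponds to requiring the phishing-resistant MFA authentication strength; this script only shows the decision order and the state (known devices) that such a policy depends on.

```python
"""Small conditional-access evaluator for steps 1 and 2.
Added example, not the article's or any vendor's code. Decision names, users,
devices, roles and countries are invented."""
from collections import defaultdict

PHISHING_RESISTANT = {"fido2", "passkey"}                 # origin-bound methods an AitM proxy cannot relay
PRIVILEGED_ROLES = {"global_admin", "billing_admin"}        # assumed role names
PRIVILEGED_ACTIONS = {"password_change", "admin_action"}    # operations that need a fresh sign-in
HOME_COUNTRIES = {"DE"}                                     # assumed: where staff normally work


class ConditionalAccess:
    def __init__(self):
        self.known_devices = defaultdict(set)   # user -> device ids seen on a completed sign-in

    def evaluate(self, attempt):
        """Return (decision, reason). Rules are checked from most to least restrictive,
        so the first one that applies wins."""
        user, device, method = attempt["user"], attempt["device_id"], attempt["mfa"]
        # Step 1: privileged accounts get no weaker option; otherwise an attacker just picks OTP.
        if attempt["roles"] & PRIVILEGED_ROLES and method not in PHISHING_RESISTANT:
            return "block", f"privileged account used {method}; FIDO2/passkey required"
        # Step 2: unusual country -> hold until someone approves.
        if attempt["country"] not in HOME_COUNTRIES:
            return "block_pending_approval", f"sign-in from {attempt['country']}"
        # Step 2: new device -> extra verification before anything else.
        if device not in self.known_devices[user]:
            return "require_step_up", f"device {device} not seen before for {user}"
        # Step 2: privileged operation -> fresh authentication, not an hours-old session.
        if attempt.get("action") in PRIVILEGED_ACTIONS and not attempt.get("fresh_auth", False):
            return "require_reauth", f"{attempt['action']} needs a fresh sign-in"
        return "allow", "known device, expected country"

    def record_success(self, attempt):
        """Call after the user completed whatever evaluate() asked for."""
        self.known_devices[attempt["user"]].add(attempt["device_id"])


def demo():
    """Walk constructed sign-ins through the policy; returns the decisions in order."""
    ca = ConditionalAccess()
    admin = {"user": "alice", "roles": {"global_admin"}, "country": "DE", "device_id": "lt-01", "mfa": "fido2"}
    staff = {"user": "bob", "roles": set(), "country": "DE", "device_id": "lt-02", "mfa": "otp"}
    decisions = [ca.evaluate(admin)[0]]                                  # new device -> step-up
    ca.record_success(admin)
    decisions.append(ca.evaluate(admin)[0])                              # known device -> allow
    decisions.append(ca.evaluate({**admin, "mfa": "otp"})[0])            # admin with OTP -> block
    decisions.append(ca.evaluate(staff)[0])                              # staff, new device -> step-up
    ca.record_success(staff)
    decisions.append(ca.evaluate({**staff, "country": "NL"})[0])         # unusual country -> hold
    decisions.append(ca.evaluate({**staff, "action": "password_change"})[0])  # stale session -> re-auth
    decisions.append(ca.evaluate({**staff, "action": "password_change", "fresh_auth": True})[0])  # allow
    return decisions
```

The order matters: the privileged-account check runs before the known-device check so that an attacker replaying an admin's one-time code from a device the admin has used before is still blocked. Whatever tool you use, confirm that its "require MFA" grant cannot be satisfied by a method an AitM proxy can relay.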

FAQ

What is adversary-in-the-middle (AitM) phishing?

AitM phishing is a technique where attackers run a reverse proxy between your employee and the legitimate login page. When your employee enters their password and MFA code, the proxy forwards both to the real site, the real site accepts them, and the proxy keeps the session cookie the site issues in return. MFA is "bypassed" not because the code was guessed but because the employee completed a genuine MFA prompt on the attacker's behalf, and the resulting session is what the attacker walks away with.

Are AI-powered phishing attacks fully automated?

Not yet. Microsoft reports that while AI is embedded across the attack lifecycle, there's typically still a human-in-the-loop powering these campaigns [1]. What AI does is reduce friction: it helps attackers research faster, write better lures, and triage stolen data. The fully autonomous AI attack is coming, but today's threat is AI-augmented human attackers.

How much does protecting against this cost?

Costs vary by business size and complexity. A basic setup with phishing-resistant MFA, conditional access policies, and email filtering typically costs $5-15 per user per month for the software, plus one-time implementation costs. Hardware keys are a one-time purchase of $20-50 per user. lilMONSTER can help you design a cost-effective security roadmap that prioritizes the highest-impact controls first.

Are small businesses really a target?

Small businesses are more vulnerable, not less. Attackers target SMBs because they have weaker security than enterprises but still have valuable data and access to funds. The good news: modern security tools are affordable and cloud-based, meaning small businesses can deploy the same AI-powered defenses as large enterprises. The difference is in implementation — you need practical security that fits your operations, not enterprise complexity.

How can I tell if I'm being targeted by AI phishing?

Signs include: highly personalized phishing emails that reference real projects or recent events, emails from known contacts asking for urgent actions (money transfers, password changes), login attempts from unusual locations, and MFA prompts you didn't initiate. If you suspect AI phishing, don't click anything — contact the supposed sender through a different channel (phone call, known good email address) to verify.

References

[1] Microsoft Security Blog, "Threat actor abuse of AI accelerates from tool to cyberattack surface," Microsoft, April 2, 2026. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2026/04/02/threat-actor-abuse-of-ai-accelerates-from-tool-to-cyberattack-surface/

[2] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[3] Microsoft Digital Crimes Unit, "How a global coalition disrupted Tycoon2FA," Microsoft On the Issues, March 4, 2026. [Online]. Available: https://blogs.microsoft.com/on-the-issues/2026/03/04/how-a-global-coalition-disrupted-tycoon2fa/

[4] Microsoft Security Blog, "Inside Tycoon2FA: How a leading AitM phishing kit operated at scale," Microsoft, March 2026. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/

[5] CISA, "Phishing Infographic," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/stopransomware/phishing-infographic

[6] Google Cloud, "Beyond the Password: Why Phishing-Resistant MFA Matters," Google Cloud Security, 2025. [Online]. Available: https://cloud.google.com/blog/products/identity-security/why-phishing-resistant-mfa-matters

[7] FIDO Alliance, "Phishing-Resistant Authentication: An Introduction," FIDO Alliance, 2024. [Online]. Available: https://fidoalliance.org/phishing-resistant-authentication/

[8] Proofpoint, "2025 State of the Phish Report," Proofpoint, 2025. [Online]. Available: https://www.proofpoint.com/us/resources/state-of-the-phish


Your business deserves security that works, not fear-based checklists. lilMONSTER helps you implement practical, identity-first security that defends against AI-powered phishing and MFA bypass. Book a free consultation to discuss your security posture and get a roadmap tailored to your business.

TL;DR

  • Bad guys now use AI computer programs to write fake emails that look 100% real
  • These AI emails trick 54 out of 100 people into clicking — used to be only 12 out of 100
  • They can steal your password AND the special code your phone sends you
  • lilMONSTER helps you set up better locks that keep bad guys out, even if they trick your employees

What Is Phishing? (Like a Fake Lock on a Door)

Imagine someone puts a fake lock on your front door. It looks exactly like your real lock. You put your key in, turn it, and the door opens. But here's the trick: the fake lock copied your key while you were using it.

That's how phishing works. Bad guys send fake emails that look like they're from:

  • Your bank
  • Your boss
  • A delivery service
  • The tax office

The email says: "Click here to verify your account" or "Your package is delayed, click for details." When you click and type your password, the bad guys copy it.

The Old Way vs. The New Way

Old phishing emails (before AI):

  • Had spelling mistakes
  • Looked generic — could be sent to anyone
  • Said weird things like "Dear Sir/Madam" when your name is Bob
  • Were easy to spot if you were careful

New AI phishing emails (what's happening now):

  • Have zero spelling mistakes
  • Use your real name
  • Reference things happening at your company right now
  • Sound exactly like your boss or your bank
  • Come at the perfect time when you're busy and not paying attention

What Changed: AI Got Really Good at Writing

Think of AI like a robot that's read every email ever written. It learned what makes emails look real. It learned how to sound like your boss. It learned how to sound like your bank.

Now, when bad guys want to trick you, they tell the AI:

"Write an email to someone who works at Bob's Auto Shop. Pretend to be the office manager. Ask them to click a link to update their password for the new accounting system. Make it sound urgent. Mention that Sarah in accounting already did it."

The AI writes a perfect email. It knows about accounting systems. It knows office managers talk differently than bosses. It knows how to make things sound urgent without sounding weird.

The Scary Number: 4.5 Times Better at Tricking People

Here's what Microsoft found when they studied millions of emails [1]:

Old phishing emails (no AI): 12 out of 100 people clicked

New AI phishing emails: 54 out of 100 people clicked

That's 4.5 times as many people. Imagine if your car suddenly got 4.5 times the mileage. That's a huge jump.

What this means for your business: if someone sends 10 tricky AI emails to your employees, 5 or 6 people will probably click. And it only takes one click to cause big problems.

Meet Tycoon2FA: The Bad Guys' Subscription Service

Here's the wildest part: bad guys don't even write their own fake emails anymore. They pay for a service that does it for them [1].

Tycoon2FA was like Netflix for bad guys:

  • Pay a monthly fee
  • Get access to fake email templates
  • Get the computer systems to send millions of emails
  • Get tools to steal passwords AND those special phone codes

Microsoft shut down Tycoon2FA in March 2026, but here's what they found [1]:

  • Nearly 100,000 companies were tricked by it since 2023
  • At its peak, it was behind 62% of all the phishing emails Microsoft was blocking each month
  • That's like one bad guy's service sending more than half of all the bad emails Microsoft saw

How They Steal Your Phone Codes Too

You might think: "I have two-factor authentication! They need my phone code too!"

Here's how Tycoon2FA got around that [1]:

  1. You get a fake email that looks real
  2. You click and go to a fake login page that looks exactly like your real one
  3. You type your password
  4. Your phone buzzes with a code
  5. You type the code into the fake page
  6. The fake page sends both to the bad guys
  7. The bad guys log in as you immediately

The "fake page" sits between you and the real login page, copying everything you type. That's why it's called an "adversary-in-the-middle" attack — the bad guy is in the middle, copying everything [1]. And because the bad guys now hold a logged-in session, changing your password later doesn't always kick them out; someone also has to sign your account out everywhere.

Why Your Business Is a Target

You might think: "I'm just a small business. Why would bad guys target me?"

Here's why: small businesses are easier targets.

Big companies have:

  • Whole security teams
  • Expensive software that blocks bad emails
  • Training programs for employees
  • Lawyers and insurance

Small businesses often have:

  • One busy person handling IT (if anyone)
  • Basic email filters (maybe)
  • No training for employees
  • No plan for what to do if something bad happens

Bad guys know this. They don't care who you are. They care that you have:

  • Bank accounts they can empty
  • Employee tax info they can steal
  • Customer data they can sell
  • Computers they can hold for ransom

What You Can Do: Practical Steps That Actually Work

Step 1: Better Locks (Use Security Keys)

Passwords aren't enough anymore. Even phone codes aren't enough (as you just learned).

Security keys are like special physical keys for your online accounts [6]:

  • They're little USB sticks or Bluetooth devices
  • You plug them in or tap them when logging in
  • Bad guys can't copy them over the internet: the key signs a challenge that includes the real website's address, so a signature made on a lookalike site is worthless to the real one
  • They stop those "middleman" attacks cold

Cost: $20-50 per person. One-time purchase. Popular brands: YubiKey, Google Titan, Feitian. The passkeys built into modern phones and laptops work the same way, at no extra cost.

Step 2: Make It Harder to Log In from Strange Places

Your bank already does this. If you log in from a new computer or a different country, they ask for extra proof.

Your business can do the same thing. Set up rules like:

  • If someone logs in from a new device → ask for extra verification
  • If someone logs in from a different country → block it until you approve
  • If someone tries to change a password → send an alert to your phone

This is called "conditional access" — it means you grant access based on the situation, not just the password [1].

Step 3: Clean Up Your User List

When employees leave, do they still have access to your systems?

When you change IT providers, do they still have passwords?

When you stop using a service, is that account still active?

Every active account is a door. Bad guys only need one open door.

Regularly (every 3-6 months):

  • List all user accounts in all your systems
  • Remove anyone who shouldn't have access
  • Change passwords for accounts you're unsure about, and sign them out everywhere so any stolen session stops working
  • Turn on "logging" so you can see who's logging in and when

Step 4: Practice (Yes, Really)

Sports teams practice. Fire drills happen. Why not phishing?

You can run fake phishing tests on your own employees:

  • Send a test email that looks like a real phishing email
  • See who clicks
  • Teach the people who clicked what to look for next time
  • Don't punish people — this is about learning, not shaming

Companies that do this see click rates drop dramatically over 6-12 months. Training works, especially when it's based on real examples.

Step 5: Have a Plan (Before You Need It)

If someone clicked a bad email, what happens next? Who do you call? What do you turn off?

Write it down. Keep it simple. Something like:

IF someone reports a suspicious email or clicked something weird:

1. Tell [IT person/business owner] immediately
2. Change passwords for affected accounts and sign them out of all devices (revoke active sessions): a stolen login session can keep working after a password change
3. Check bank accounts for weird charges
4. Call lilMONSTER if you need help
5. Tell employees what happened (without blaming anyone)
6. Learn from it — update your processes

How lilMONSTER Helps

We're not fear-mongers selling expensive software you don't understand. We're practical security people who help small businesses:

  • Figure out what you actually need — not what vendors want to sell you
  • Set up better locks — security keys, conditional access, least privilege
  • Write your security plan — what to do when something goes wrong
  • Train your team — in plain language, no tech jargon
  • Be there when things go wrong — incident response without the enterprise price tag

We believe security should be like a seatbelt: always there, barely noticeable, but lifesaving when you need it.

FAQ

Isn't employee training enough?

Training helps, but AI is getting too good. When 54% of people click AI-written phishing emails [1], training alone isn't enough. You need layers of protection: better locks (security keys), smart access rules, and yes — training too. Think of it like securing your house: you don't just rely on remembering to lock the door. You have locks, maybe an alarm, insurance, and good neighbors.

Why would bad guys target my small business?

Bad guys cast a wide net. They send millions of emails automatically, and AI now personalizes each one, so they don't have to hand-pick targets. They rely on volume: send enough convincing emails, and someone will click. Small businesses are actually more attractive targets because you have less security than big companies but still have money and data worth stealing.

How much does this cost?

Basic protection is surprisingly affordable:

  • Security keys: $20-50 per person (one-time)
  • Better email filtering: $5-10 per user per month
  • Conditional access policies: often included in business email/Microsoft 365 plans
  • Training: free to low-cost (many free resources available)

The real question is: what does it cost if you don't fix it? IBM puts the average data breach at $4.44 million in its 2025 report, down from $4.88 million the year before [2]. For a small business, even a tiny fraction of that could be game-over. A few hundred dollars per year in prevention is cheap insurance.

How can employees tell if an email is phishing?

Here's a simple checklist you can give your employees:

STOP before you click. Ask yourself:

  • Was I expecting this email?
  • Do I know the sender? (Check the actual email address, not just the display name)
  • Is it asking me to click, download, or log in somewhere?
  • Is it creating urgency or fear? ("Act now!" "Your account will be closed!")
  • Are there spelling mistakes or weird phrasing?

If unsure:

  • Don't click
  • Contact the sender a different way (call them, Slack them, email them separately)
  • Ask your IT person or business owner

What should I do if someone already clicked?

Don't panic. Do this immediately:

  1. If you opened or downloaded anything, disconnect that computer from Wi-Fi — stop the bad guys from doing more on it
  2. Don't restart your computer — evidence might be lost
  3. Change your passwords from a different device (your phone, a different computer) and sign out of all sessions — if you typed your password into a fake page, the bad guys already have a working login, and a new password alone may not stop it
  4. Contact your bank if financial info was involved
  5. Call a security professional (like lilMONSTER) — we can check what happened and fix it
  6. Tell your team — so they don't make the same mistake

References

[1] Microsoft Security Blog, "Threat actor abuse of AI accelerates from tool to cyberattack surface," Microsoft, April 2, 2026. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2026/04/02/threat-actor-abuse-of-ai-accelerates-from-tool-to-cyberattack-surface/

[2] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[3] National Cyber Security Centre, "Phishing attacks: Guidance for staff," NCSC, 2024. [Online]. Available: https://www.ncsc.gov.uk/guidance/phishing-attacks-guidance-staff

[4] CISA, "Phishing Infographic," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/stopransomware/phishing-infographic

[5] Google, "Advanced Protection Program: How it works," Google, 2025. [Online]. Available: https://landing.google.com/advancedprotection/

[6] FIDO Alliance, "Phishing-Resistant Authentication: An Introduction," FIDO Alliance, 2024. [Online]. Available: https://fidoalliance.org/phishing-resistant-authentication/

[7] Krebs on Security, "How Evil GURL Phishers Evicted Microsoft 365 Users," Krebs on Security, 2025. [Online]. Available: https://krebsonsecurity.com/2025/03/how-evil-gurl-phishers-evicted-microsoft-365-users/

[8] KnowBe4, "2025 Phishing by Industry Benchmarking Report," KnowBe4, 2025. [Online]. Available: https://www.knowbe4.com/phishing-by-industry-benchmarking-report


Your business deserves security that doesn't require a PhD to understand. lilMONSTER helps you protect what you've built with practical, affordable security that actually works. Book a free consultation to get started.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation