#CyberWeekly
Europol and Microsoft kill Tycoon 2FA — the phishing platform that bypassed your MFA
On March 16, Europol and Microsoft announced the dismantling of Tycoon 2FA — one of the world's largest phishing-as-a-service platforms, with one particularly nasty trick: it bypasses multi-factor authentication. In Belgium alone, around 500 individuals and businesses were among its 96,000 victims worldwide.
- How it bypasses MFA: the phishing link still lands on an attacker-controlled page, but that page is a reverse proxy to the real Microsoft login rather than a static copy. Your password and your MFA code are relayed to Microsoft as you type them, so the challenge succeeds normally; what the attacker keeps is the session cookie Microsoft issues afterwards, which they replay to get a signed-in session without ever needing your password or a second code again. This is why code-based MFA alone (SMS, authenticator push, TOTP) is not a complete defence
- Scale of the operation: active since at least 2023, the platform ran 96,000 attacks globally — more than 55,000 against Microsoft 365 customers. Targets included hospitals, research institutions, and government bodies across Europe. Microsoft seized 330 domains that formed its core infrastructure
- Belgian footprint: the Federal Computer Crime Unit collaborated in the Belgian leg. Arrests were made in Egypt and Nigeria; the developer was identified in Pakistan. This was the first time Europol coordinated directly with Microsoft on a takedown of this kind
- What this means for your SME: MFA is still vastly better than no MFA, but adversary-in-the-middle attacks defeat any factor that can be relayed, so SMS codes, push approvals and authenticator codes all fall to it. Phishing-resistant MFA is the next step: FIDO2 security keys or passkeys bind the login to the real domain, so a proxy sitting on a look-alike domain cannot complete it. Check your Microsoft 365 sign-in logs for successful MFA sign-ins from IP addresses your users have never used, especially hosting providers, because with a reverse proxy it is the proxy server, not the victim, that Microsoft sees logging in. Go back as far as your retention allows: Entra ID keeps sign-in logs for at most 30 days unless you export them, so a review "from 2023 onwards" is only possible if you already forward logs to a SIEM. If you run on Microsoft 365, your IT partner should review Conditional Access policies and require the built-in "Phishing-resistant MFA" authentication strength, at least for administrators
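The sign-in log review above can be scripted. What follows is an added example, not code from Europol, Microsoft or this newsletter's platform: it walks a batch of sign-in records in the shape of Entra ID sign-in log entries (field names such as `ipAddress`, `isInteractive` and `authenticationRequirement` are the real ones; the records themselves and the `HOSTING_RANGES` netblock are constructed for the example) and flags the pattern a relayed login leaves behind: a successful interactive MFA sign-in from an IP the user has never succeeded from before, which is either hosting space or is followed within the hour by non-interactive sign-ins from that same IP, i.e. the stolen cookie being replayed.

```python
"""Flag sign-ins that look like adversary-in-the-middle session theft.

Added example. Field names follow the Entra ID sign-in log schema; the
records and the hosting netblock below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: netblocks treated as VPS/hosting space. Use an ASN feed in practice.
HOSTING_RANGES = [ip_network("203.0.113.0/24")]

# Constructed sample records, a subset of the sign-in log fields.
SIGN_INS = [
    {"userPrincipalName": "an@example.be", "ipAddress": "198.51.100.10",
     "createdDateTime": "2026-03-10T08:02:11Z", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}, "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "an@example.be", "ipAddress": "198.51.100.10",
     "createdDateTime": "2026-03-11T08:05:40Z", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}, "appDisplayName": "Office 365 Exchange Online"},
    # Interactive MFA success from a VPS: the reverse proxy completing the login.
    {"userPrincipalName": "an@example.be", "ipAddress": "203.0.113.45",
     "createdDateTime": "2026-03-12T09:14:03Z", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}, "appDisplayName": "OfficeHome"},
    # Same VPS reusing the session cookie minutes later: no MFA, not interactive.
    {"userPrincipalName": "an@example.be", "ipAddress": "203.0.113.45",
     "createdDateTime": "2026-03-12T09:21:40Z", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "jan@example.be", "ipAddress": "198.51.100.10",
     "createdDateTime": "2026-03-10T09:00:00Z", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}, "appDisplayName": "Office 365 Exchange Online"},
    # Jan working from home: a new IP, but residential and nothing replayed behind it.
    {"userPrincipalName": "jan@example.be", "ipAddress": "192.0.2.77",
     "createdDateTime": "2026-03-12T07:30:00Z", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}, "appDisplayName": "Office 365 Exchange Online"},
    # A failed attempt from the VPS range: noise, not a compromise.
    {"userPrincipalName": "jan@example.be", "ipAddress": "203.0.113.45",
     "createdDateTime": "2026-03-12T10:00:00Z", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 50126}, "appDisplayName": "OfficeHome"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def in_hosting_range(ip):
    addr = ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def find_token_theft(sign_ins, replay_window=timedelta(hours=1)):
    """Return findings for successful interactive MFA sign-ins from an IP the
    user has never succeeded from before, when that IP is hosting space or is
    followed by non-interactive sign-ins from the same IP within the window."""
    by_user = defaultdict(list)
    for rec in sorted(sign_ins, key=lambda r: r["createdDateTime"]):
        by_user[rec["userPrincipalName"]].append(rec)

    findings = []
    for upn, recs in by_user.items():
        known_ips = set()  # IPs with at least one earlier successful sign-in
        for idx, rec in enumerate(recs):
            if rec["status"]["errorCode"] != 0:
                continue  # failures never enter the baseline
            ip, ts = rec["ipAddress"], parse_ts(rec["createdDateTime"])
            is_new = bool(known_ips) and ip not in known_ips  # need a baseline first
            known_ips.add(ip)
            if not (is_new and rec["isInteractive"]
                    and rec["authenticationRequirement"] == "multiFactorAuthentication"):
                continue
            reasons = []
            if in_hosting_range(ip):
                reasons.append("hosting-range")
            replays = [r for r in recs[idx + 1:]
                       if r["ipAddress"] == ip and not r["isInteractive"]
                       and r["status"]["errorCode"] == 0
                       and parse_ts(r["createdDateTime"]) - ts <= replay_window]
            if replays:
                reasons.append(f"{len(replays)} non-interactive sign-in(s) followed")
            if reasons:
                findings.append({"user": upn, "ip": ip,
                                 "time": rec["createdDateTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_token_theft(SIGN_INS):
        print(finding)
```

Run against a real export (Graph `auditLogs/signIns` or the Log Analytics `SigninLogs` table) the same two signals apply: a user's first-ever successful MFA login from a data-centre IP, and a burst of non-interactive sign-ins from that IP right after it. Jan's home IP is new but residential and quiet, so it is correctly left alone; the failed attempt from the VPS never enters anyone's baseline.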
Read more about how two-factor authentication works and why it still matters. And check your phishing defences — training your team to recognise adversary-in-the-middle attacks is now essential.
Platform Spotlight: Calm Compliance — your full NIS2 journey, one step at a time
This week we shipped the biggest UX change in Easy Cyber Protection's history: Calm Compliance — a guided journey that takes you from your first question all the way to your audit submission, one document at a time. No more staring at 34 controls wondering where to begin.
- Start with an assessment: answer five questions about your organisation (sector, size, existing measures) and ECP calculates your required CyFun compliance level automatically. No consultant needed, no guesswork
- An ordered compliance program: instead of a flat list of controls, you now get a structured document library — Step 1: Scope Document, Step 2: Security Policy, Step 3: Risk Assessment, and so on. Each step shows live status and has a procedure template ready to fill
- Policy Wizard with AI drafts: click "Draft Policy" on any document, answer a few questions about your situation, and ECP writes a tailored policy draft in seconds. AI runs on Cloudflare — your data stays in Belgium
- Cascade engine: approve your Scope document and ECP automatically creates the linked controls and procedures that depend on it. One action, multiple results — your program builds itself as you work through it
- Focus queue: your home screen now shows exactly what to do next — not a list of everything, just your next three actions. Compliance without the overwhelm
The April 18 NIS2 self-assessment deadline is three weeks away. If you haven't started yet, read the compliance roadmap to understand what's involved — then let the new guided journey walk you through it, one document at a time.
Belgian ethical hacker infiltrates live phishing gang, kills 7 campaigns targeting Belgian banks
In early March, Belgian ethical hacker Inti De Ceukelaire received a phishing text impersonating Argenta bank — and instead of deleting it, he decided to fight back. What followed was a weeks-long infiltration of a live phishing gang, the takedown of 7 active campaigns, and the near-identification of the suspects: a group of Moroccan university students stealing Belgian bank credentials.
- How he got in: after entering fake card details on the phishing site, De Ceukelaire inspected the page source and found a URL pointing to the admin panel. Phishing panels often skip the login for requests from 127.0.0.1 (localhost) because the attacker tested the kit on their own machine. The true source address of a TCP connection cannot be faked from across the internet, so a check that can be fooled this way must be reading the client address from something the client controls, most likely a forwarded-for style request header; he set that to 127.0.0.1 using Burp Suite and walked straight in, no password needed
- What he saw: a live dashboard where the attacker could watch victims type their details and prompt them for additional authentication tokens step by step, like a remote-controlled scam. It carried logos for Argenta, Belfius, KBC, ING, CBC and several other European banks
- How he killed the campaigns: he deleted the Telegram bot integration to silence attacker alerts, took over a WordPress installation on the same server, downloaded a backup containing the attackers' IP addresses and Telegram metadata, then modified the panel's code to block all non-Moroccan IPs and display a victim warning instead
- Who was behind it: the backup revealed residential IPs from Morocco and a French university. OSINT lookups connected those IPs to social media profiles of young technical students flaunting cars and jewellery. Four Telegram group members identified. De Ceukelaire has shared his evidence and is calling for law enforcement action
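The localhost bypass is worth seeing in code, because the same mistake turns up in legitimate admin panels, not only in phishing kits. The block below is an added example written for this newsletter, not the panel's actual code: it assumes the panel derived the client address from an `X-Forwarded-For` header (the page does not say which header was used; that is the usual culprit) and shows the naive resolver beside a hardened one that only honours the header when the TCP peer is a proxy we operate, and that never lets an address stand in for a login. The proxy address `10.0.0.5`, the admin networks and the request values are constructed.

```python
"""Why 'trust localhost' admin checks fall to a spoofed header.

Added example; assumes the panel resolved the client address from
X-Forwarded-For. Addresses and networks are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed: the only reverse proxy allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5"}
# Constructed: where administrators are expected to connect from.
ADMIN_NETWORKS = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]


def client_ip_naive(remote_addr, headers):
    """Common but broken pattern: prefer the forwarded header whenever present,
    so any client can claim any address."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers):
    """Honour X-Forwarded-For only when the TCP peer is our own proxy, and take
    the rightmost hop, which is the address that proxy itself appended."""
    xff = headers.get("X-Forwarded-For")
    if xff and remote_addr in TRUSTED_PROXIES:
        return xff.split(",")[-1].strip()
    return remote_addr


def admin_access_naive(remote_addr, headers, logged_in):
    """The kit's rule: loopback skips the login entirely. Convenient while
    testing on the developer's machine, fatal once exposed."""
    return logged_in or ip_address(client_ip_naive(remote_addr, headers)).is_loopback


def admin_access_hardened(remote_addr, headers, logged_in):
    """A session is always required; the address is an extra gate, never a
    substitute for authentication."""
    ip = ip_address(client_ip_hardened(remote_addr, headers))
    return logged_in and any(ip in net for net in ADMIN_NETWORKS)


# The researcher's request as replayed through Burp: real peer on the internet,
# forged header claiming localhost, no session.
SPOOFED_PEER = "203.0.113.9"
SPOOFED_HEADERS = {"X-Forwarded-For": "127.0.0.1"}

if __name__ == "__main__":
    print("naive panel lets the spoofed request in:",
          admin_access_naive(SPOOFED_PEER, SPOOFED_HEADERS, logged_in=False))
    print("hardened panel lets the spoofed request in:",
          admin_access_hardened(SPOOFED_PEER, SPOOFED_HEADERS, logged_in=False))
```

Two details matter in the hardened version. First, the header is only read when `remote_addr` is a proxy you control; a direct connection with a forged header is ignored. Second, when the header is read, the rightmost address is used, because a proxy that appends correctly puts whatever the client sent to the left of its own entry, so a forged `127.0.0.1` ends up leftmost and is discarded.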
The uncomfortable truth: anyone who received that Argenta SMS and entered their real card details lost money. Your team needs to know that no bank will ever SMS you to update your card reader. And if something feels off, the right move is always to hang up and call back on a verified number.