{"id":26938,"date":"2026-03-09T07:00:07","date_gmt":"2026-03-09T06:00:07","guid":{"rendered":"https:\/\/smecyberinsights.co.uk\/?p=26938"},"modified":"2026-03-10T12:56:58","modified_gmt":"2026-03-10T11:56:58","slug":"defence-as-a-service","status":"publish","type":"post","link":"https:\/\/smecyberinsights.co.uk\/index.php\/2026\/03\/09\/defence-as-a-service\/","title":{"rendered":"The Phishing Platform Europol Shut Down Was Targeting Your Business Every Single Month"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t
\"Partners1_NordVPN\"<\/figure><\/div>
\"Partners3_R3\"<\/figure><\/div>
\"Partners2_Zoho\"<\/figure><\/div>
\"Partners4_Plesk\"<\/figure><\/div>
\"Partners7_Passware\"<\/figure><\/div>
\"Red_Button_Slider\"<\/figure><\/div>
\"ogo2\"<\/figure><\/div>
\"Detection.<\/figure><\/div>\t\t\t<\/div>\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"SECURUS\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"The\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t
Image Credit: Richard Patterson via Flickr<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

Gibraltar:\u00a0 Monday, 09 March 2026 \u2013 07:00 CET<\/p>\n

The Phishing Platform Europol Shut Down Was Targeting Your Business Every Single Month
\n<\/strong>By: Iain Fraser<\/a>\u00a0\u2013\u00a0Cybersecurity Journalist
\n<\/a>Published in Collaboration with SECURUS Communications<\/a>
\nGoogle Indexed on: 090326 at 09:45 CET<\/a>
\nSMECyberInsights.co.uk<\/a> | First for SME Cybersecurity News
\n<\/a>#SMECyberInsights #SMECybersecurity #SMECyberInsights #SME #CyberSafe #CyberSecurity #Cybersecurity #PhishingProtection #UKBusiness<\/em><\/p>\n

\ufeff<\/span>\ufeff<\/span><\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

In early March 2026, Europol announced the disruption of a sophisticated cybercrime operation that had been enabling attackers to launch large-scale phishing campaigns against businesses worldwide. The platform, known as Tycoon 2FA, was a subscription-based criminal toolkit designed to help attackers steal account access, even from organisations that had put multi-factor authentication in place. Law enforcement action spanned multiple countries, with significant UK involvement, and resulted in the seizure of hundreds of domains used to run the operation.<\/p>\n

This is a meaningful enforcement success. That said, it would be a mistake to treat it as a signal to stand down. The very existence of this platform tells us something important about the current threat landscape: launching a convincing, technically sophisticated phishing attack no longer requires skill, resources or inside knowledge. It requires a subscription.<\/p>\n

What Is Phishing-as-a-Service; and Why Does It Matter to UK Businesses?<\/strong><\/p>\n

Phishing-as-a-Service (PhaaS) refers to ready-made criminal infrastructure, sold or rented to other criminals on a subscription basis. Much like legitimate software platforms, these services come with support, templates, dashboards and regular updates. The buyer does not need to understand how the attack works. They simply pay, target, and deploy.<\/p>\n

Tycoon 2FA was a particularly advanced example. It was built specifically to defeat multi-factor authentication (MFA); the security control that asks users to confirm their identity through a second method, such as a code sent to a mobile phone, in addition to a password. This has long been considered one of the most effective defences against account takeover. The platform circumvented it through a technique called adversary-in-the-middle (AitM) proxying, which places a hidden relay between the user and the legitimate website, intercepting both the password and the real-time authentication code before either reaches its destination.<\/p>\n

Once that authentication session was captured, attackers could steal the session cookie; a small file that keeps a user logged in; and use it to access the account silently, without needing to enter any credentials at all. For a small business whose accounts, documents, client records and financial data all live in cloud platforms such as Microsoft 365 or Google Workspace, the consequences of a single compromised session can be severe.<\/p>\n

The Scale of the Operation<\/strong><\/p>\n

According to Europol, the platform was used to send fraudulent emails to hundreds of thousands of organisations every month. The takedown resulted in the seizure of 330 domains that formed the operational core of the service, including phishing pages and control panels. Several individuals have been identified and legal proceedings are under way across multiple jurisdictions.<\/p>\n

The operation was coordinated through Europol’s Cyber Intelligence Extension Programme (CIEP), which facilitates intelligence sharing between law enforcement agencies and private sector partners. This model of coordinated public-private action is increasingly the standard approach to dismantling global cybercrime infrastructure, and it is producing results. However, enforcement action alone cannot protect UK SMEs. That responsibility sits with every business.<\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"The\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

What UK SMEs Should Do Right Now<\/strong><\/p>\n

The takedown of this specific platform does not eliminate the threat. Stolen credentials and session cookies captured before the shutdown may still be in active use. Successor platforms will emerge. The controls that protect against this type of attack need to be in place regardless of who is running the criminal infrastructure on any given week.<\/p>\n

Here are five practical steps to take this week:<\/strong><\/p>\n

* Upgrade your MFA method.<\/strong> SMS-based one-time codes are the most vulnerable form of multi-factor authentication. Where possible, move to an authenticator app or, better still, a hardware security key (FIDO2 or passkey). These methods do not transmit a code that can be intercepted in transit, making them significantly more resistant to AitM attacks.<\/p>\n

* Review your email filtering settings.<\/strong> Most SMEs use Microsoft 365 or Google Workspace but leave security settings at default. Both platforms offer enhanced filtering for spoofed domains, suspicious links and unusual sender patterns. A brief review with your IT provider or vCISO could close meaningful gaps at no additional cost.<\/p>\n

* Run a phishing awareness session.<\/strong> The National Cyber Security Centre (NCSC) offers a free tool called Exercise in a Box, designed specifically for small businesses. It requires no specialist IT resource and can be run in under an hour. Even one session measurably reduces the likelihood of staff clicking on fraudulent links.<\/p>\n

* Check your Cyber Essentials status.<\/strong> Cyber Essentials is a UK government-backed certification covering five core controls: firewalls, secure configuration, user access control, malware protection and software patching. These controls, taken together, are designed to prevent the majority of common cyber attacks, including the type that Tycoon 2FA was built to facilitate. It is affordable, credible, and increasingly expected by clients and insurers.<\/p>\n

* Audit shared accounts and inactive users.<\/strong> Given that stolen session cookies may remain active, now is a sensible time to review whether any shared admin accounts exist, whether inactive accounts have been disabled, and whether your cloud platforms restrict logins from unusual locations or devices. These are quick wins that reduce your exposure significantly.<\/p>\n

The Governance Dimension: A Note for Directors and Advisors<\/strong><\/p>\n

For directors and professional advisors, the Tycoon 2FA takedown is a useful prompt to revisit cyber risk at board level. A successful phishing attack on a staff email account can trigger a UK GDPR notification obligation to the Information Commissioner’s Office (ICO) within 72 hours, if the breach involves personal data and is likely to result in risk to individuals. The potential for regulatory, reputational and financial consequences means cyber security sits firmly within the governance responsibilities of every director, not just the IT team.<\/p>\n

For accountants and lawyers advising owner-managed businesses, this is also a moment to raise the question of cyber insurance and whether existing policies reflect the current threat environment. Many policies carry conditions around MFA and basic security hygiene; a claim may be rejected if those conditions are not met.<\/p>\n

Take The Next Step<\/strong><\/p>\n

Download our free SME Cyber Essentials Readiness Checklist to see where your organisation stands against the five core controls that prevent the majority of common attacks. Sign up to the SME Cyber Insights newsletter for weekly threat updates written specifically for UK small businesses, their owners, and the advisors who support them.<\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"SECURUS\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t
<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

SECURUS Communications Ltd<\/strong><\/p>\n

Securus<\/a> <\/strong>is a managed communications Operator, providing next-generation network infrastructure and value added services to Managed Hosting providers and the ‘cloud generation’\u200b of enterprises. Securus<\/a> <\/strong>priority is to offer communication services that represent excellent value for money and are backed by exceptional levels of support.<\/p>\n

Contact Securus<\/strong>
\nSecurus Communications Ltd
\nStation Road, Landmark house, Hook, England RG27 9HA, GB
\nT: Enquiries:\u00a003451 283457<\/span><\/a>\u00a0| Service Desk: 03451 283458<\/a>
\nSecurus on LinkedIn<\/a> | Securus on “X”<\/a> | https:\/\/securuscomms.com<\/a><\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t

\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t

\n\t\t\t\t\t<\/span>\n\t\t\t\t\tLatest Posts from SECURUS Communications<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t<\/h2>\n\t\t\t<\/div>
\n\n
\n
\n\n
\n \n \n \"AI-Powered <\/a>\n\n \n