Microsoft 365, Azure (SharePoint, OneDrive, Azure Monitor), and Gmail are actively targeted by two converging threat campaigns: Tycoon2FA, a PhaaS operation delivering AiTM session cookie theft that bypasses TOTP and push-based MFA at approximately 30 million emails per month, and a coordinated IRS-impersonation campaign that abuses Microsoft Azure Monitor alert notifications as a callback phishing vector and deploys RMM tools (ConnectWise ScreenConnect, Datto RMM, SimpleHelp) for persistent post-compromise access. Neither campaign exploits a Microsoft product vulnerability directly; the risk is platform abuse via social engineering and trusted infrastructure misuse. Priority actions include enforcing phishing-resistant MFA (FIDO2) for all M365 accounts, auditing for unauthorized RMM installations and mailbox forwarding rules, and implementing Conditional Access token binding policies.