Anatomy of a Modern Phishing Kit
Adversary-in-the-middle kits now defeat most MFA. Here's how they're built, sold, and detected.
The phishing kit is no longer a single HTML page that scrapes a password. Modern kits are reverse proxies that sit between the victim and the real login portal, relaying every request in real time. The user sees the genuine site because they are, in fact, talking to it — through an attacker-controlled hop that harvests the session cookie after authentication completes.
Why MFA stopped being a silver bullet
Adversary-in-the-middle (AiTM) tooling captures the post-authentication session token rather than the credential. Because the token already encodes a satisfied second factor, the attacker can replay it without ever prompting the victim again. One-time passcodes and push approvals are defeated the moment they are entered into the proxied page.
- Phishing-resistant factors (FIDO2 / passkeys) bind authentication to the legitimate origin and break the proxy.
- Short token lifetimes and continuous access evaluation shrink the replay window.
- Impossible-travel and device-binding signals catch replays that slip through.
The kit isn't selling a fake page anymore. It's selling a working session — yours.
— A broker observed on a Telegram resale channel
What detection actually looks like
Defenders rarely catch the lure. They catch the aftermath: a sign-in from a new ASN minutes after a legitimate one, a token used from two geographies, or a mail rule quietly created to hide the attacker's follow-up. Building detections around session anomalies — not just failed logins — is where teams find leverage.
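A sketch of the session-anomaly detection described above, run over a constructed set of sign-in events (added example, not code from the original article; the event fields, the 30-minute window and the user names are assumptions for illustration):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): each record is one
# successful authentication or session-token use as an identity provider logs it.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "session": "S1", "asn": 3320, "country": "DE"},
    {"ts": "2024-05-01T09:04:00", "user": "alice", "session": "S1", "asn": 14061, "country": "US"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "session": "S2", "asn": 3320, "country": "DE"},
    {"ts": "2024-05-01T10:03:00", "user": "bob", "session": "S3", "asn": 16509, "country": "DE"},
    {"ts": "2024-05-01T11:00:00", "user": "carol", "session": "S4", "asn": 3320, "country": "DE"},
    {"ts": "2024-05-01T19:00:00", "user": "carol", "session": "S5", "asn": 14061, "country": "US"},
]

def detect_session_anomalies(events, window=timedelta(minutes=30)):
    """Compare each user's consecutive sign-in events. Within `window`, a change of
    ASN or country is flagged: on the same session id as a likely replayed token,
    on a new session id as a suspicious follow-up sign-in. Returns (user, session, reason)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if cur["ts"] - prev["ts"] > window:
                continue  # outside the replay window; ordinary travel is plausible
            if cur["asn"] == prev["asn"] and cur["country"] == prev["country"]:
                continue  # same network location; nothing anomalous here
            kind = "same token reused" if cur["session"] == prev["session"] else "new sign-in"
            where = f"asn {prev['asn']}->{cur['asn']}, {prev['country']}->{cur['country']}"
            alerts.append((user, cur["session"], f"{kind} from different network ({where})"))
    return alerts

if __name__ == "__main__":
    for alert in detect_session_anomalies(EVENTS):
        print(alert)
```

Carol's two sign-ins hours apart from different countries are deliberately not flagged, which is the point of pairing the geography check with a time window rather than alerting on every location change.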