By NHI Mgmt Group Editorial Team
Published 2026-05-07
Domain: Breaches & Incidents
Source: Push Security

TL;DR: Active phishing panels linked to ShinyHunters-style and BlackFile-associated campaigns combine vishing, AiTM phishing, and browser-gated credential capture across hundreds of domains, with public breaches already tied to stolen sessions and downstream SaaS access, according to Push Security. The core issue is that browser-mediated identity theft now bypasses email-centric controls and defeats assumptions that static infrastructure scanning can keep pace.


At a glance

What this is: This is an analysis of real-time phishing panels used to run browser-based identity theft campaigns, with the key finding that operator-gated delivery and session theft are making the attack chain harder to detect and disrupt.

Why it matters: It matters because IAM, PAM, and identity security teams need controls that account for browser-mediated session capture, not just password theft or known-bad infrastructure.

By the numbers:

👉 Read Push Security's analysis of active phishing panels used in browser-based identity theft


Context

Browser-based phishing has moved beyond static credential harvesters into operator-gated workflows that only serve malicious content after a live victim interaction. In practice, that means the identity attack now happens inside the session path, where the browser becomes both the delivery channel and the capture point for credentials, OTPs, and approvals.

For IAM teams, the important shift is not just that passwords are being stolen. The deeper issue is that attacker-run panels can proxy or manually stage the login flow, capture authenticated sessions, and pivot into enterprise identity providers and connected SaaS platforms before traditional email controls or infrastructure blocklists have anything useful to say.

The campaign pattern described here is consistent with a broader class of identity abuse that sits between human social engineering and non-human session abuse. It is now typical for criminals to blend voice, browser interaction, and session relay into one control-bypassing chain.


Key questions

Q: How should security teams defend against phishing panels that only reveal themselves to real victims?

A: Security teams should combine browser telemetry, behavioural page analysis, and identity controls that reduce the value of a live session. The goal is to detect the malicious page after it is rendered, not merely to block a domain before it is used. Browser-layer inspection is essential when attackers gate content behind human interaction.

Q: Why do browser-based AiTM attacks create more risk than password phishing alone?

A: AiTM attacks capture the full authenticated flow, including MFA responses and the resulting session. That means the attacker inherits a trusted session rather than trying to break in again later. Once the session exists, downstream SaaS access, data theft, and extortion become much easier than password reuse alone would allow.

Q: What do teams get wrong about detecting modern phishing infrastructure?

A: Many teams assume that malicious infrastructure can be found through static scanning or blocklists before it is used. Operator-gated phishing breaks that assumption because the malicious content appears only during a live interaction. Detection must therefore focus on behaviour, redirects, and rendered-page analysis rather than only domain reputation.

Q: Who is accountable when a stolen session is used to pivot into SaaS platforms?

A: Accountability usually sits across identity operations, application owners, and security monitoring teams because the compromise crosses multiple control boundaries. Identity providers may authenticate the session, but connected SaaS platforms determine how far the attacker can go. Organisations need clear ownership for session risk, app trust, and post-login containment.


Technical breakdown

How operator-gated phishing panels defeat static detection

These panels are built to delay malicious content until a real visitor is present. A landing gate, anti-bot check, or operator approval step means scanners often see a harmless shell, not the credential-capture flow. The browser then receives the real login clone, which may relay data to Telegram or a backend handler in real time. That architecture is designed to separate discovery from execution, so infrastructure-only controls lose coverage the moment the panel decides who gets served.

Practical implication: teams need browser-side inspection and behavioral detection at the point of interaction, not just reputation-based URL filtering.

How AiTM phishing turns login prompts into session theft

Adversary-in-the-middle phishing does more than collect passwords. It relays credentials to the legitimate identity provider, captures MFA outputs or push approvals, and then steals the resulting authenticated session. That means the attacker is not trying to impersonate the user later with a password alone. They inherit a live session that already passed the primary authentication steps, which is why downstream SaaS access often follows immediately after the initial compromise.

Practical implication: session-bound controls, phishing-resistant authentication, and continuous reauthentication become more important than password complexity alone.
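The session-bound controls above can be illustrated with a small server-side guard. This is an added example, not Push Security's code and not the API of any identity provider. It assumes the front end can hand the server a stable client context on every request (ideally the thumbprint of a device-bound key where the platform provides one; a TLS fingerprint is a weaker fallback), and that the application distinguishes sensitive actions from ordinary ones. A session token presented with a context that differs from the one it was issued under is exactly what a relayed login looks like when the captured session is replayed from another browser, so the guard revokes it and emits a detection signal; sensitive actions additionally require a recent strong factor.

```python
"""Session binding plus step-up as a defence against relayed logins.

Added example (not Push Security's or any IdP's code). Client context values
in the demo are constructed; in practice they should come from a device-bound
credential where available.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 8 * 3600   # absolute session lifetime in seconds
STEP_UP_MAX_AGE = 300    # sensitive actions need strong auth within this window


@dataclass
class Session:
    user: str
    binding: str            # hash of the client context at issuance
    issued_at: float
    last_strong_auth: float
    revoked: bool = False


class SessionGuard:
    def __init__(self, clock=time.time):
        self._store = {}
        self._clock = clock
        self.alerts = []    # binding mismatches, for the SOC to correlate

    @staticmethod
    def context_hash(ctx):
        """Canonicalise the client context so the same attributes always hash alike."""
        canon = "|".join(f"{k}={ctx[k]}" for k in sorted(ctx))
        return hashlib.sha256(canon.encode()).hexdigest()

    def issue(self, user, ctx):
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._store[token] = Session(user, self.context_hash(ctx), now, now)
        return token

    def record_strong_auth(self, token):
        """Call after a fresh phishing-resistant factor (e.g. a passkey) succeeds."""
        self._store[token].last_strong_auth = self._clock()

    def authorize(self, token, ctx, sensitive=False):
        """Return ("allow" | "step_up" | "deny", reason) for a presented session."""
        s = self._store.get(token)
        now = self._clock()
        if s is None or s.revoked:
            return ("deny", "unknown or revoked session")
        if now - s.issued_at > SESSION_TTL:
            s.revoked = True
            return ("deny", "session exceeded absolute lifetime")
        if not hmac.compare_digest(s.binding, self.context_hash(ctx)):
            # Same token, different client: revoke and raise a detection signal.
            s.revoked = True
            self.alerts.append({"user": s.user, "at": now, "reason": "binding mismatch"})
            return ("deny", "session presented from a different client context")
        if sensitive and now - s.last_strong_auth > STEP_UP_MAX_AGE:
            return ("step_up", "strong auth too old for a sensitive action")
        return ("allow", "ok")


if __name__ == "__main__":
    # Constructed demo with a controllable clock.
    clock = [1_000.0]
    guard = SessionGuard(clock=lambda: clock[0])
    ctx = {"device_key": "thumb-constructed-1", "tls_fp": "fp-constructed-a"}
    tok = guard.issue("alice", ctx)
    print(guard.authorize(tok, ctx))
    clock[0] += 600
    print(guard.authorize(tok, ctx, sensitive=True))        # step_up expected
    other = {"device_key": "thumb-constructed-2", "tls_fp": "fp-constructed-b"}
    print(guard.authorize(tok, other))                      # deny, alert raised
    print(guard.alerts)
```

The design choice worth noting is that the binding check fires before any scope decision: a mismatched context is treated as evidence of relay rather than as a reason to prompt for MFA again, because a prompt at that point would simply be relayed as well. Step-up is reserved for the case where the binding holds but the strong factor is stale.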

Why the panel ecosystem now looks like a service layer

The tooling described here is no longer a single kit copied once and reused unchanged. Forks, rebranded panels, multiple infrastructure clusters, and manual operator workflows show a distribution model where source code is reshipped across campaigns. That matters because defenders are no longer facing one signature, but a reusable service layer for browser-based identity theft. The result is a moving target where the same attack logic can appear under different domains, front ends, and hosting choices.

Practical implication: detection logic should key on behavior, redirect logic, and browser state changes rather than fixed panel names or domains.
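Both the operator-gated section above and this one argue that detection should key on what the browser rendered rather than on a fixed domain. The following is an added example that is not Push Security's tooling: it scores a login page from the DOM as rendered after scripts ran, the view a passive crawler never receives when content is gated. It assumes a hypothetical allowlist of the identity providers the organisation actually uses and a short list of brand words; the sample pages, hostnames and redirect chain are constructed for illustration.

```python
"""Behavioural checks over a rendered login page.

Added example (not Push Security's code). Allowlist, brand tokens and sample
pages are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the identity providers this organisation legitimately uses.
LEGIT_IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "login.okta.com"}
# Brand words that, inside a host not on the allowlist, suggest combosquatting.
BRAND_TOKENS = ("microsoft", "office", "okta", "google", "sso", "helpdesk")


class _FormCollector(HTMLParser):
    """Record every <form>, its action, and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "password":
            self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_legit(host):
    return any(host == h or host.endswith("." + h) for h in LEGIT_IDP_HOSTS)


def analyse_rendered_page(final_url, html, redirect_chain=()):
    """Return behavioural findings for a page as the browser rendered it.

    final_url      - URL the browser ended on after all redirects
    html           - DOM serialised after scripts ran
    redirect_chain - URLs the browser passed through before final_url
    """
    findings = []
    host = _host(final_url)
    parser = _FormCollector()
    parser.feed(html)
    cred_forms = [f for f in parser.forms if f["password"]]
    if not cred_forms:
        return findings  # nothing credential-shaped was rendered

    if not _is_legit(host):
        findings.append("credential form rendered on a host outside the IdP allowlist")
        if any(tok in host for tok in BRAND_TOKENS):
            findings.append("brand token in a non-allowlisted host (combosquatting)")
    for f in cred_forms:
        action = f["action"]
        action_host = _host(action) if action.startswith(("http://", "https://")) else host
        if action_host != host:
            findings.append(f"credential form posts off-origin to {action_host}")
    # Count cross-host hops taken before the credential form appeared.
    hosts = [_host(u) for u in redirect_chain] + [host]
    cross = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    if cross >= 2:
        findings.append(f"credential form reached after {cross} cross-host redirects")
    return findings


# Constructed samples: a relay-style clone and a genuine IdP page.
PHISH_URL = "https://login-microsoft-helpdesk.example/"
PHISH_HTML = (
    '<form action="https://collector.example/post" method="post">'
    '<input type="email" name="u"><input type="password" name="p"></form>'
)
PHISH_CHAIN = ("https://lure.example/ticket", "https://hop.example/r")
LEGIT_URL = "https://login.microsoftonline.com/common/oauth2/authorize"
LEGIT_HTML = '<form action="/common/login" method="post"><input type="password" name="passwd"></form>'

if __name__ == "__main__":
    for finding in analyse_rendered_page(PHISH_URL, PHISH_HTML, PHISH_CHAIN):
        print("finding:", finding)
    print("legit page findings:", analyse_rendered_page(LEGIT_URL, LEGIT_HTML))
```

None of the checks reference a panel name or a specific domain, so a fork served from new infrastructure is scored the same way as the original; the input has to be the post-render DOM and the observed redirect chain, which is why this logic belongs in a browser-side agent or a headless browser that actually interacts with the page rather than in a URL scanner.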


Threat narrative

Attacker objective: The attacker’s objective is to capture authenticated enterprise sessions, pivot into SaaS and identity platforms, and use the stolen access for data theft and extortion.

  1. Entry begins with a vishing call or browser lure that directs the target to a combosquatted phishing domain, often framed as a helpdesk or security update workflow.
  2. Credential access occurs when the victim enters their email, password, and MFA response into the cloned login flow, which forwards the values to the operator in real time.
  3. Impact follows when the attacker relays the captured session into the real identity provider and pivots into connected SaaS platforms to exfiltrate data and support extortion.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Browser-mediated identity theft has become a control plane problem, not just a phishing problem. The panel described here does not rely on bulk email delivery or obvious malware. It waits for a live browser session, then steers the victim through credential and MFA capture in real time. That shifts the security question from message filtering to session integrity, identity assurance, and browser-layer observability. The practitioner conclusion is straightforward: if the browser can be used to broker the compromise, it must also be part of the detection model.

Operator-gated phishing invalidates infrastructure-first discovery assumptions. Traditional abuse detection presumes that malicious hosts can be crawled, scanned, and listed before they are effective. These panels break that assumption by serving benign content to anyone who is not the intended target or by requiring operator approval before the payload appears. The implication is that static IoCs are no longer sufficient as a primary discovery mechanism, especially when short-lived domains can be spun up and replaced quickly.

Session theft is now the more important identity failure mode than password theft. Once an attacker can relay a live login and steal the authenticated browser session, password policy does little to change the outcome. The real blast radius sits in connected SaaS, identity provider trust, and downstream token reuse. For identity governance, the practitioner conclusion is that authentication strength must be judged by what survives after login, not by the login event itself.

Credential relay campaigns now operate as a service ecosystem, which expands the threat surface beyond a single kit. The presence of forks, rebranded panels, and multiple infrastructure clusters means security teams are facing a distributed criminal supply chain. That widens the category from a one-off phishing kit to repeatable identity abuse infrastructure. The practitioner conclusion is that defenders should model this as a scalable identity compromise pattern rather than an isolated campaign.

Over 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, and that blind spot compounds the value of stolen sessions. According to The State of Non-Human Identity Security, 38% have no or low visibility and a further 47% have only partial visibility. When attackers pivot from the browser into SaaS, weak third-party visibility makes the post-login environment harder to contain. The practitioner conclusion is that identity governance must extend past first-factor authentication into connected application oversight.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
  • If browser-based compromise is the front door, the next control to examine is lifecycle and session governance in the NHI Lifecycle Management Guide.

What this signals

Browser-mediated identity theft will keep outrunning perimeter-style phishing controls. Teams should expect more campaigns that use human interaction, operator approval, and ephemeral infrastructure to evade static detection. The practical response is to treat rendered browser behaviour as a security signal and to bring session visibility into IAM operations.

Identity provider compromise now has SaaS-wide consequences. Once a session is captured, the attacker often does not need another password or another MFA prompt to move into collaboration, documents, and ticketing systems. Programmes that do not map post-login trust boundaries will continue to underestimate how far one stolen session can travel.

With 1.5 out of 10 organisations highly confident in securing NHIs, similar confidence gaps are likely to persist wherever session trust is poorly governed. According to The State of Non-Human Identity Security, the market still lacks operational maturity in areas that overlap with browser-captured identity and delegated access. That makes tighter lifecycle, session, and OAuth oversight a near-term priority for identity teams.


For practitioners

  • Prioritise browser-side attack detection: Inspect rendered pages, redirects, form submission paths, and operator-gated content in real time. Static URL blocklists will miss pages that only reveal malicious behaviour after a live victim arrives.
  • Harden against session relay, not only password theft: Use phishing-resistant authentication where possible and add controls that reduce the value of a captured session, including step-up checks for sensitive SaaS actions and tighter token lifetimes.
  • Map which applications trust the identity provider too broadly: Inventory the SaaS platforms that can be reached after primary login and identify where a single stolen session can cascade into document access, messaging, or data export.
  • Treat helpdesk impersonation as an identity risk: Train support teams to challenge browser-delivered login requests that reference internal tickets, employee names, or MFA resets, because the social layer is part of the compromise path.

Key takeaways

  • The core risk is no longer simple credential theft. Browser-gated phishing panels turn the login session itself into the target and make downstream identity abuse far more likely.
  • The scale is already broad and industrialised. Push Security identified more than 400 linked domains, multiple clusters, and real breaches connected to the same campaign pattern.
  • The control gap is behavioural visibility, not just blocklists. Teams need browser-side detection, stronger session controls, and tighter governance over post-login SaaS access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Phishing panels steal sessions and credentials that function as NHI access.
NIST CSF 2.0 | PR.AC-7 | Session compromise and browser-mediated access map to identity assurance and access control.
NIST Zero Trust (SP 800-207) | | The attack shows why trust must be continuously verified after login.

Apply continuous verification to post-login activity instead of trusting the initial authentication event.


Key terms

  • Adversary-in-the-Middle Phishing: A phishing technique where the attacker sits between the victim and the real identity provider, relaying credentials and authentication challenges in real time. The result is often a valid session rather than just a stolen password, which makes downstream access much harder to stop.
  • Operator-Gated Phishing Panel: A phishing interface that only reveals the malicious flow after a live operator approves the victim or the browser passes a gating step. This design frustrates static scanning because the hostile content is delivered conditionally, not to every crawler or passive observer.
  • Session Theft: The capture of an authenticated browser session so the attacker can act as the user without repeating the original login. In identity terms, this is often more dangerous than password theft because the attacker inherits the trust already granted by the application.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Push Security: an inside look at a phishing panel used in criminal campaigns. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org